Abstract: Anomaly detection is one of the important research directions for Intrusion Detection Systems (IDSs). In this paper, an anomaly detection model originated mainly by Terran Lane is briefly introduced. Then a new anomaly detection model based on machine learning is presented. The model uses shell command sequences of variable length to represent a valid user's behavior patterns and uses more than one dictionary of shell command sequences to build the user's behavior profile. During detection, the model mines behavior patterns by a sequence matching method and evaluates the similarity of the corresponding command sequences to the dictionaries. Both models are tested on UNIX users' shell command data. The results show that the new model proposed here achieves higher detection performance.
The fixed-length command sequence detection model proposed by Lane T et al. has two main shortcomings. First, it lacks flexibility and adaptability in representing user behavior patterns. A behavior pattern is a regularity exhibited in the course of a user's operations; in practice, different users have different behavior patterns, and the number of commands the same user executes to complete different behavior patterns also varies. Command sequences of a fixed length therefore have difficulty representing a user's overall behavior profile completely and accurately. Second, it is not easy to estimate the optimal sequence length for a specific user. Lane T et al. mainly determine the optimal sequence length by experiment, which requires a large amount of computation and whose performance lacks stability. To address these shortcomings of the fixed-length command sequence detection model, we have improved and revised it and propose a variable-length command sequence detection model, described in detail as follows:
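To make the idea in the abstract and the critique above concrete, the following is an added example (not the paper's own algorithm or code): a user profile is built from several dictionaries of shell command sequences, one per length, and a test session is scored both by per-dictionary similarity and by greedy longest-match sequence matching, so that patterns of different lengths (2 to 4 commands here, an assumed range) can all contribute. The training stream, the test sessions, the length range and the 0.5 alert threshold are constructed for illustration.

```python
from collections import Counter

# Constructed sample data (not from the paper): the training stream of shell
# commands for one legitimate user, and test sessions to score against it.
TRAIN_COMMANDS = (
    "cd ls vi make gcc ./a.out cd ls vi make gcc ./a.out ls cat grep "
    "cd ls vi make ls cat grep vi make gcc ./a.out"
).split()

MIN_LEN, MAX_LEN = 2, 4  # assumed range of sequence lengths kept in the profile


def build_dictionaries(commands, min_len=MIN_LEN, max_len=MAX_LEN):
    """Build one dictionary per sequence length n: a Counter of every
    contiguous n-command sequence seen in the training stream. Together
    the dictionaries form the user's behavior profile."""
    profile = {}
    for n in range(min_len, max_len + 1):
        profile[n] = Counter(
            tuple(commands[i:i + n]) for i in range(len(commands) - n + 1)
        )
    return profile


def dictionary_similarity(commands, profile):
    """Per-length similarity: for each dictionary, the fraction of the test
    session's n-command windows that appear in that dictionary."""
    sims = {}
    for n, dictionary in profile.items():
        windows = [tuple(commands[i:i + n]) for i in range(len(commands) - n + 1)]
        if not windows:
            sims[n] = 0.0
            continue
        hits = sum(1 for w in windows if w in dictionary)
        sims[n] = hits / len(windows)
    return sims


def matched_coverage(commands, profile):
    """Greedy longest-match segmentation: walk the session, at each position
    consume the longest sequence present in some dictionary, otherwise skip
    one command. Returns the fraction of commands covered by known patterns."""
    lengths = sorted(profile, reverse=True)
    i, covered = 0, 0
    while i < len(commands):
        for n in lengths:
            if i + n <= len(commands) and tuple(commands[i:i + n]) in profile[n]:
                covered += n
                i += n
                break
        else:
            i += 1  # no known pattern starts here: unmatched command
    return covered / len(commands) if commands else 0.0


def is_anomalous(commands, profile, threshold=0.5):
    """Flag a session whose coverage by known patterns falls below the
    threshold (an assumed value; in practice it is tuned on held-out data)."""
    return matched_coverage(commands, profile) < threshold


if __name__ == "__main__":
    profile = build_dictionaries(TRAIN_COMMANDS)
    sessions = {
        "normal": "cd ls vi make gcc ./a.out".split(),
        "mixed": "cd ls vi make wget chmod".split(),
        "unknown": "cd wget chmod ./x nc ls".split(),
    }
    for name, session in sessions.items():
        print(name, dictionary_similarity(session, profile),
              round(matched_coverage(session, profile), 3),
              "ANOMALY" if is_anomalous(session, profile) else "normal")
```

Because the dictionaries are keyed by length, no single "best" sequence length has to be chosen in advance: a session is matched by the longest known pattern available at each position, and the per-length similarities show which dictionaries carry the evidence.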
[1] Lane T. Machine learning techniques for the computer security domain of anomaly detection [Ph.D. Thesis]. Purdue University, 2000.
[2] Lane T, Brodley C E. An application of machine learning to anomaly detection. Proceedings of the 20th National Information Systems Security Conference, 1997: 366-377.
[3] Kosoresow A P, Hofmeyr S A. A shape of self for UNIX processes. IEEE Software, 1997, 14(5): 35-42.
[4] Warrender C, Forrest S, Pearlmutter B. Detecting intrusions using system calls: alternative data models. Proceedings of the 1999 IEEE Symposium on Security and Privacy. Berkeley, California, USA: IEEE Computer Society, 1999: 133-145.