According to the history of command sequence in Unix system ,an approach to masquerader detection based on the closeness model of command was proposed .The behavior patterns of user were extracted from the view of command combinations . Those commands combined frequently by users showed close relationship ,and other commands exhibited loose relationship .Com-mand closeness matrix was generated by the sliding window from the sequence of commands .If the command block to be detected exhibited a low closeness for the user ,it was judged as abnormal .Experimental results show that a simple calculation ,an accurate detection ,and a high level of real-time can be achieved by using the proposed approach .%根据Unix系统中用户的历史命令序列,提出一种基于命令紧密度模型的用户伪装入侵检测方法。该方法从命令组合的角度抽取用户的行为模式。用户经常组合使用的命令,表现出关系紧密;不常被一起使用的命令,表现出关系疏远。通过滑动窗口方法从用户的历史命令序列中生成紧密度矩阵。如果待检测的命令块对于该用户来说表现出紧密度过低,则判断为异常。实验表明该方法计算量小,检测效果好,而且具有很高的实时性。
展开▼
