An anomaly detection model of user behavior based on similarity clustering

摘要

The ability to automatically detect anomaly user behavior to enhance system reliability is important for the system administrator. To achieve this objective, an anomaly user behavior detection model based on similarity clustering has been presented in this paper. The model consists of four components: data log collector, data log analyzer, profile storage and behavior detector. The data log collector is responsible of collecting the audit log of the system, and the data log analyzer executes a similarity clustering algorithm on the logs to establish the normal user behavior profile, which is stored in the profile storage. The behavior detector calculates the distance between the observing user behavior with the profile to determine whether the observing user behavior is anomaly. The algorithms of establishing profile and anomaly detection are also discussed in detail in the paper.