提出一种新的基于shell命令的用户伪装攻击检测方法.该方法在训练阶段充分考虑了用户行为的多变性和伪装攻击的特点,采用平稳的齐次Markov链对合法用户的正常行为进行建模,根据shell命令的出现频率进行阶梯式数据归并来划分状态,同现有的Markov链方法相比大幅度减少了状态个数和转移概率矩阵的存储量,提高了泛化能力.针对检测实时性需求和shell命令操作的短时相关性,采用了基于频率优先的状态匹配方法,并通过对状态短序列的出现概率进行加窗平滑滤噪处理来计算判决值,能够有效减少系统计算开销,降低误报率.实验表明,该方法具有很高的检测准确率和较强的可操作性,特别适用于在线检测.%A novel method for masquerade attack detection based on shell commands was proposed. At the training stage,the variability of users' behavior and the feature of masquerade attack were thoroughly considered, and stationary homogeneous Markov chains were employed to profile the normal users' behavior. The shell commands were gradationally merged into multiple sets according to their frequencies and then states were constructed accordingly, which significantly reduced the number of states and the memory of the transition probability matrix and improved the generalization of the detection system, compared with existing Markov chain methods. Considering the real-time detection demand and the short-time relevance of shell commands, the states were matched with a high-frequency-first scheme at the detection stage, and the decision measure was computed by smoothing the probabilities of short state sequences. This decreased computational complexity and the false-alarm rate. Experimental results indicate that our method can achieve high detection accuracy and practicability, and is especially applicable for on-line detection.
展开▼
