Volume 29 Issue 11
Jan. 2011
Tian Xin-guang, Sun Chun-lai, Duan mi-yi. Anomaly Detection of User Behaviors Based on Shell Commands and Markov Chain Models[J]. Journal of Electronics & Information Technology, 2007, 29(11): 2580-2584. doi: 10.3724/SP.J.1146.2006.00403

Anomaly Detection of User Behaviors Based on Shell Commands and Markov Chain Models

doi: 10.3724/SP.J.1146.2006.00403
  • Received Date: 2006-04-03
  • Rev Recd Date: 2006-09-26
  • Publish Date: 2007-11-19
  • Anomaly detection is one of the important research directions in Intrusion Detection Systems (IDSs). This paper presents a new method for anomaly detection of user behaviors based on shell commands and Markov chain models. The method constructs a first-order Markov chain model to represent the normal behavior profile of a network user, and associates shell commands with the states of the Markov chain. The parameters of the Markov chain model are estimated by a computationally efficient command matching algorithm. At the detection stage, the probabilities of the state sequences of the Markov chain are first computed, and then one of two different schemes can be used to determine whether the monitored user's behaviors are normal or anomalous, taking the particularity of the user's behaviors into account. Application of the method in practical intrusion detection systems shows that it achieves high detection performance.
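The abstract describes the pipeline but gives no code, so the following is an added illustration, not the authors' implementation: a first-order Markov chain whose states are shell command names, trained on a user's normal sessions, with the log-probability of each command window compared against a threshold. The two decision schemes (flag on any low-probability window, or flag only when more than a fraction of windows are low), the window length, the smoothing constant, the unknown-command floor probability and the threshold margin are all assumptions made here; the sessions are constructed sample data.

```python
"""First-order Markov chain over shell command sequences for user-behavior anomaly detection.

Added example in the spirit of the abstract above; every constant and both
decision schemes are this example's own assumptions, not the paper's values.
"""
import math
from collections import defaultdict

START = "<start>"   # virtual state preceding the first command of a session
WINDOW = 5          # commands scored per window (assumed)
FLOOR = 1e-4        # probability assigned when command matching fails (assumed)


class CommandMarkovModel:
    """Normal-behavior profile of one user as a first-order Markov chain."""

    def __init__(self, smoothing=0.5, margin=1.0):
        self.smoothing = smoothing           # additive smoothing over known states
        self.margin = margin                 # gap below the worst normal window (assumed)
        self.counts = defaultdict(lambda: defaultdict(int))  # counts[prev][cmd]
        self.vocab = set()                   # commands seen in training
        self.threshold = None

    def fit(self, sessions):
        """Estimate transition counts from normal sessions and calibrate the threshold."""
        for session in sessions:
            prev = START
            for cmd in session:
                self.counts[prev][cmd] += 1
                self.vocab.add(cmd)
                prev = cmd
        # Calibrate on the user's own normal data: the lowest windowed score
        # observed during training, minus a safety margin.
        scores = [s for session in sessions for s in self.window_scores(session)]
        self.threshold = min(scores) - self.margin
        return self

    def transition_prob(self, prev, cmd):
        """P(cmd | prev); a command with no matching state gets the floor probability."""
        row = self.counts.get(prev)          # .get() avoids creating empty rows
        if not row or cmd not in self.vocab:
            return FLOOR
        total = sum(row.values())
        return (row.get(cmd, 0) + self.smoothing) / (total + self.smoothing * len(self.vocab))

    def window_scores(self, session):
        """Mean log transition probability for each WINDOW-length chunk of a session."""
        scores = []
        for start in range(0, len(session), WINDOW):
            chunk = session[start:start + WINDOW]
            prev = session[start - 1] if start > 0 else START
            logp = 0.0
            for cmd in chunk:
                logp += math.log(self.transition_prob(prev, cmd))
                prev = cmd
            scores.append(logp / len(chunk))
        return scores

    def is_anomalous_any(self, session):
        """Scheme 1 (assumed): anomalous if any single window scores below the threshold."""
        return any(s < self.threshold for s in self.window_scores(session))

    def is_anomalous_fraction(self, session, max_fraction=0.5):
        """Scheme 2 (assumed): anomalous only if more than max_fraction of windows are low."""
        scores = self.window_scores(session)
        low = sum(1 for s in scores if s < self.threshold)
        return low / len(scores) > max_fraction


# Constructed sample data: a developer's normal sessions (training profile).
NORMAL_SESSIONS = [
    ["cd", "ls", "vim", "make", "./run", "ls", "git", "cd"],
    ["ls", "cd", "ls", "vim", "make", "git", "ls"],
    ["cd", "vim", "make", "./run", "vim", "make", "git"],
    ["ls", "vim", "git", "cd", "ls", "make", "./run"],
]
# Constructed test sessions: one from a different usage pattern, one mostly
# normal with a single command the profile has never seen.
FOREIGN_SESSION = ["ftp", "tar", "scp", "ftp", "tar", "scp", "ftp"]
MIXED_SESSION = ["cd", "ls", "vim", "make", "./run", "ls", "git", "cd", "ls", "scp"]

MODEL = CommandMarkovModel().fit(NORMAL_SESSIONS)


def classify(session):
    """Return both scheme decisions for a session as a (scheme1, scheme2) pair."""
    return MODEL.is_anomalous_any(session), MODEL.is_anomalous_fraction(session)


if __name__ == "__main__":
    print("threshold:", round(MODEL.threshold, 4))
    for name, s in [("normal", NORMAL_SESSIONS[0]), ("foreign", FOREIGN_SESSION), ("mixed", MIXED_SESSION)]:
        print(name, [round(x, 3) for x in MODEL.window_scores(s)], classify(s))
```

The two schemes disagree on the mixed session by design: the single unseen command drags one of its two windows under the threshold, so the "any window" scheme fires while the "fraction of windows" scheme does not. Which trade-off is right depends on how bursty a given user's normal behavior is, which is the particularity the abstract refers to.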
