資源描述:
《基于模式挖掘的用戶行為異常檢測》由會員上傳分享��,免費在線閱讀��,更多相關(guān)內(nèi)容在行業(yè)資料-天天文庫��。
1�����、第25卷第3期計算機學(xué)報Vol.25No.32002年3月CHINESEJ.COMPUTERSMar.2002基于模式挖掘的用戶行為異常檢測連一峰戴英俠王航(中國科學(xué)院研究生院信息安全國家重點實驗室北京100039)摘要行為模式通常反映了用戶的身份和習(xí)慣,該文闡述了針對Telnet會話中用戶執(zhí)行的shell命令,利用數(shù)據(jù)挖掘中的關(guān)聯(lián)分析和序列挖掘技術(shù)對用戶行為進行模式挖掘的方法,分析了傳統(tǒng)的相關(guān)函數(shù)法在應(yīng)用于序列模式比較時的不足,提出了基于遞歸式相關(guān)函數(shù)的模式比較算法,根據(jù)用戶歷史行為模式和當前行為模式的比較相似度來檢測用戶行為中的異常,最后給出了
2�����、相應(yīng)的實驗結(jié)果.關(guān)鍵詞行為模式,數(shù)據(jù)挖掘,相似度,遞歸式相關(guān)函數(shù)中圖法分類號:TP18AnomalyDetectionofUserBehaviorsBasedonProfileMiningLIANYi-FengDAIYing-XiaWANGHang(StateKeyLaboratoryofInformationSecurity,TheGraduateSchoolofChineseAcademyofSciences,Beijing100039)AbstractAnomalydetectionactsasthemajordirectionofresea
3�、rchinintrusiondetection.De-tectinganomaliesinsystem/userbehaviorprofilescanhelpustodiscoverunknownattacks.ThecriticalproblemofAnomalyDetectionliesinhowtoconstructthenormalusageprofilesandhowtoperformprofilecomparison.Fortunately,researchersofColumbiaUniversitypointedoutafeasib
4�、lesolutionforus:datamining.Theyalsopresentedsomeinspiringresultsofexperiments.Asakindofapplication-specificapproachfordata-processing,datamininghastheabilitytodis-coverhiddenknowledgefromlargevolumesofsecurityauditdata.Dataminingtechniques,in-cludingassociationanalysis,sequenc
5、emininganddataclassification,cangreatlyimprovethea-bilityofmininguserbehaviorprofileswhichusuallyreflectidentitiesandhabitsofusers.WeuseBro,astand-alonesystemfordetectingnetworkintrudersinreal-time,toextractsiellcommandspresentedbyusersduringtelnetsessions.Commandsareformatted
6�、andorganizedintoauditrecords.Afterthat,theapriorialgorithmandtheslidingwindowdivisionalgorithmareintro-ducedtominebehaviorprofileswhicharecomposedofassociationrulesandsequencepatternsfromtheseauditrecords.Afterdemonstratingthedefectoftraditionalcomparisonalgorithmwhichmakesuse
7、ofcorrelationfunctionstocomparesimilaritiesbetweenhistoryprofilesandpre-sentones,wepresentouralgorithmnamedrecursivecorrelationstocompletethecomparisontaskandcalculatesimilaritiesfordetectinganomalousbehaviors.Inordertoverifythevalidityofourapproach,wesimulatesomekindsofanomal
8����、ousbehaviorsbasedontelnetsessionsandcomparetheminedprofileswi
