Masquerade Detection Based on Shell Commands and High-Order Markov Chain Models

XIAO Xi; ZHAI Qi-bin; TIAN Xin-guang; CHEN Xiao-juan; YE Run-guo

您当前的位置：

首页 >

文章列表页 >

Masquerade Detection Based on Shell Commands and High-Order Markov Chain Models

更新时间：2025-07-16

- Masquerade Detection Based on Shell Commands and High-Order Markov Chain Models
- Acta Electronica Sinica Vol. 39, Issue 5, Pages: 1199-1204(2011)
- 作者机构：
  
  1. 中国科学院研究生院信息安全国家重点实验室,北京,100049
  2. 中国科学院计算技术研究所网络科学与技术重点实验室,北京,100190
  3. 北京工商大学计算机与信息工程学院,北京,100037
  4. 北京启明星辰信息安全技术有限公司,北京,100193
  5. 中国科学院研究生院信息安全国家重点实验室北京,100049
  6. 中国科学院计算技术研究所网络科学与技术重点实验室北京,100190
  7. 北京工商大学计算机与信息工程学院北京,100037
  8. 北京启明星辰信息安全技术有限公司北京,100193
- 作者简介：
- 基金信息：
- DOI：
  CLC： TP393
- Published：2011
- 稿件说明：
移动端阅览
XIAO Xi, ZHAI Qi-bin, TIAN Xin-guang, et al. Masquerade Detection Based on Shell Commands and High-Order Markov Chain Models[J]. Acta Electronica Sinica, 2011, 39(5): 1199-1204.
DOI：

XIAO Xi, ZHAI Qi-bin, TIAN Xin-guang, et al. Masquerade Detection Based on Shell Commands and High-Order Markov Chain Models[J]. Acta Electronica Sinica, 2011, 39(5): 1199-1204. DOI：

摘要

伪装攻击是指非授权用户通过伪装成合法用户来获得访问关键数据或更高层访问权限的行为.提出一种新的用户伪装攻击检测方法.该方法针对伪装攻击用户行为的多变性和审计数据shell命令的相关性

利用特殊的多阶齐次Markov链模型对合法用户的正常行为进行建模

并通过双重阶梯式归并shell命令来确定状态

提高了用户行为轮廓描述的准确性和检测系统的泛化能力

并大幅度减少了存储成本.检测阶段根据实时性需求

采用运算量小的、仅依赖于状态转移概率的分类值计算方法

并通过加窗平滑处理分类值序列得到判决值

进而对被监测用户的行为进行判决.实验表明

同现有的典型检测方法相比

该方法在虚警概率相同的情况下大幅度提高了检测概率

并有效减少了系统计算开销

特别适用于在线检测.

Abstract

Masquerade attacks are attempts by unauthorized users to gain access to confidential data or greater access privileges

while pretending to be legitimate users.This paper proposes a novel method to distinguish legitimate users from masqueraders.The uncertainty of the user's behavior and the relevance of the operation of shell commands are thoroughly considered.The method constructs specific high-order homogeneous Markov chain models to represent the normal behavior profiles of valid users.It defines the states by twofold hierarchical merging shell commands.Therefore this method increases the accuracy of describing the normal behavior profiles

improves the generalization of the detection system and sharply reduces the storage space.In the detection period

taking the real-time performance into account

it computes the categorical boolean variables only using the transition probabilities

which has little computation workload

and then smoothes them to get the decision values used to determine whether the monitored user's behavior is normal or anomalous.Its performance is tested in computer simulation

showing higher detection accuracy and fewer computation costs than related methods'.The proposed method is especially suitable for on-line detection.

关键词

Keywords

references

Views

1327

下载量

CSCD

Alert me when the article has been cited

提交

Tools

Publicity Resources

An Anomaly Intrusion Detection Model Based on Nonhierarchical Clustering

Intrusion Detection Based on Sub-Set of System Calls

Profile Creation Technique Research for Intrsuion Detection Based CCA

System Call Anomaly Detection Method Based on HMM

A Survey of Architecture and Implementation Method on Cyber Security Situation Awareness Analysis

Related Author

SU Pu-rui

FENG Deng-guo

ZHANG Xiang-feng

SUN Yu-fang

ZHAO Qing-song

GUO Zhi

ZHAO Xi-bin

GU Ming

Related Institution

State Key Laboratory of Information Security,Institute of Software,Chinese Academy of Sciences

Institute of Software,Chinese Academy of Sciences

School of Software, Tsinghua University

School of Computer Science and Telecommunications Engineering,Jiangsu University

School of SoftwareTsinghua UniversityBeijing 100084China

⁰