資源描述:
《基于模式挖掘的用戶行為異常檢測(cè)》由會(huì)員上傳分享��,免費(fèi)在線閱讀�����,更多相關(guān)內(nèi)容在行業(yè)資料-天天文庫(kù)�����。
1����、第25卷第3期計(jì)算機(jī)學(xué)報(bào)Vol.25No.32002年3月CHINESEJ.COMPUTERSMar.2002基于模式挖掘的用戶行為異常檢測(cè)連一峰戴英俠王航(中國(guó)科學(xué)院研究生院信息安全國(guó)家重點(diǎn)實(shí)驗(yàn)室北京100039)摘要行為模式通常反映了用戶的身份和習(xí)慣,該文闡述了針對(duì)Telnet會(huì)話中用戶執(zhí)行的shell命令,利用數(shù)據(jù)挖掘中的關(guān)聯(lián)分析和序列挖掘技術(shù)對(duì)用戶行為進(jìn)行模式挖掘的方法,分析了傳統(tǒng)的相關(guān)函數(shù)法在應(yīng)用于序列模式比較時(shí)的不足,提出了基于遞歸式相關(guān)函數(shù)的模式比較算法,根據(jù)用戶歷史行為模式和當(dāng)前行為模式的比較相似度來(lái)檢測(cè)用戶行為中的異常,最后給出了
2��、相應(yīng)的實(shí)驗(yàn)結(jié)果.關(guān)鍵詞行為模式,數(shù)據(jù)挖掘,相似度,遞歸式相關(guān)函數(shù)中圖法分類號(hào):TP18AnomalyDetectionofUserBehaviorsBasedonProfileMiningLIANYi-FengDAIYing-XiaWANGHang(StateKeyLaboratoryofInformationSecurity,TheGraduateSchoolofChineseAcademyofSciences,Beijing100039)AbstractAnomalydetectionactsasthemajordirectionofresea
3�、rchinintrusiondetection.De-tectinganomaliesinsystem/userbehaviorprofilescanhelpustodiscoverunknownattacks.ThecriticalproblemofAnomalyDetectionliesinhowtoconstructthenormalusageprofilesandhowtoperformprofilecomparison.Fortunately,researchersofColumbiaUniversitypointedoutafeasib
4�����、lesolutionforus:datamining.Theyalsopresentedsomeinspiringresultsofexperiments.Asakindofapplication-specificapproachfordata-processing,datamininghastheabilitytodis-coverhiddenknowledgefromlargevolumesofsecurityauditdata.Dataminingtechniques,in-cludingassociationanalysis,sequenc
5�����、emininganddataclassification,cangreatlyimprovethea-bilityofmininguserbehaviorprofileswhichusuallyreflectidentitiesandhabitsofusers.WeuseBro,astand-alonesystemfordetectingnetworkintrudersinreal-time,toextractsiellcommandspresentedbyusersduringtelnetsessions.Commandsareformatted
6���、andorganizedintoauditrecords.Afterthat,theapriorialgorithmandtheslidingwindowdivisionalgorithmareintro-ducedtominebehaviorprofileswhicharecomposedofassociationrulesandsequencepatternsfromtheseauditrecords.Afterdemonstratingthedefectoftraditionalcomparisonalgorithmwhichmakesuse
7、ofcorrelationfunctionstocomparesimilaritiesbetweenhistoryprofilesandpre-sentones,wepresentouralgorithmnamedrecursivecorrelationstocompletethecomparisontaskandcalculatesimilaritiesfordetectinganomalousbehaviors.Inordertoverifythevalidityofourapproach,wesimulatesomekindsofanomal
8�����、ousbehaviorsbasedontelnetsessionsandcomparetheminedprofileswi
