基于shell命令和多重行为模式挖掘的用户伪装攻击检测毕业设计.docVIP

摘 要 伪装攻击是指非授权用户通过伪装成合法用户来获得访问关键数据或更高层访问权限的行为。近年来，伪装攻击检测在保障网络信息安全中发挥着越来越大的作用。文中提出一种新的用户伪装攻击检测方法。同现有的典型检测方法相比，该方法在训练阶段改进了对用户行为模式的表示方式，通过合理选择用户行为特征并基于阶梯式的序列模式支持度来建立合法用户的正常行为轮廓，提高了用户行为描述的准确性和对不同类型用户的适应性；在充分考虑shell命令审计数据时序特征的基础上，针对伪装攻击行为复杂多变的特点，提出基于多重行为模式并行挖掘和多门限联合判决的检测模型，并通过交叉验证和等量迭代逼近方法确定最佳门限参数，克服了单一序列模式检测模型在性能稳定性和容错能力方面的不足，在不明显增加计算成本的条件下大幅度提高了检测准确度。文中提出的方法已应用于实际检测系统，并表现出良好的检测性能。 关键词 网络安全；伪装攻击；入侵检测；shell命令；异常检测 中图分类号： TP393 Masquerade detection based on shell commands and multiple behavior pattern mining TIAN Xin-Guang , DUAN Mi-Yi , CHENG Xue-Qi (Key Laboratory of Network Science and Technology, Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190 ) Abstract Masquerade attacks are attempts by unauthorized users to gain access to confidential data or greater access privileges, while pretending to be legitimate users. Masquerade detection is now one of the major concerns of system security research. This paper proposes a novel method to distinguish legitimate users from masqueraders based on shell commands and multiple behavior pattern mining. In the method, behavioral patterns of legitimate users are characterized by shell command sequences of different lengths, and hierarchical sequence supports are employed to construct the normal behavior profiles of legitimate users, which improves the precision and adaptability of user profiling. In the detection stage, a model based on multiple sequence pattern parallel mining and multiple threshold joint decision is used to determine whether the monitored user’s behavior is normal or anomalous. The model gives attention to both detection accuracy and computational efficiency, and is especially applicable for on-line detection. Our study empirically demonstrated the promising performance of the method, and it has succeeded in getting application in practical host-based intrusion detection systems. Key words network security；masquerade attack；intrusion detection；shell command； anomaly detection 1 引