Masquerade attacks are attempts by unauthorized users to gain access to confidential data or greater ater access privileges, while pretending to be legitimate users. This paper proposes a novel method to distinguish legitimate users from masqueraders.The uncertainty of the user's behavior and the relevance of the operation of shell commands are thoroughly considered. The method constructs specific high-order homogeneous Markov chain models to represent the normal behavior profiles of valid users. It defines the states by twofold hierarchical merging shell commands. Therefore this method increases the accuracy of describing the normal behavior profiles,improves the generalization of the detection system and sharply reduces the storage space. In the detection period,taking the real-time performance into account,it computes the categorical boolean variables only using the transition probabilities,which has little compuation workload, and then smoothes them to get the decision values used to determine whether the monitored user's behavior is normal or anomalous. Its performance is tested in computer simulation, showing higher detection accuracy and fewer computation costs than related methods'. The proposed method is especially suitable for on-line detection.%伪装攻击是指非授权用户通过伪装成合法用户来获得访问关键数据或更高层访问权限的行为.提出一种新的用户伪装攻击检测方法.该方法针对伪装攻击用户行为的多变性和审计数据shell命令的相关性,利用特殊的多阶齐次narkov链模型对合法用户的正常行为进行建模,并通过双重阶梯式归并shell命令来确定状态,提高了用户行为轮廓描述的准确性和检测系统的泛化能力,并大幅度减少了存储成本.检测阶段根据实时性需求,采用运算量小的、仅依赖于状态转移概率的分类值计算方法,并通过加窗平滑处理分类值序列得到判决值,进而对被监测用户的行为进行判决.实验表明,同现有的典型检测方法相比,该方法在虚警概率相同的情况下大幅度提高了检测概率,并有效减少了系统计算开销,特别适用于在线检测.
展开▼
