Anomaly Detection of User Behaviors Based on Shell Commands and Markov Chain Models
Tian Xin-guang①②; Sun Chun-lai①; Duan mi-yi①
①Research Institute of Computing Technology, Beijing Jiaotong University, Beijing 100029, China; ②College of Electronic Science and Engineering, National Univ. of Defense Technology, Changsha 410073, China
Abstract: Anomaly detection is one of the important research directions for Intrusion Detection Systems (IDSs). This paper presents a new method for anomaly detection of user behaviors based on shell commands and Markov chain models. The method constructs a first-order Markov chain model to represent the normal behavior profile of a network user, and associates shell commands with the states of the Markov chain. The parameters of the Markov chain model are estimated by a computationally efficient command matching algorithm. At the detection stage, the probabilities of the state sequences of the Markov chain are first computed, and then one of two different schemes can be used to decide whether the monitored user's behavior is normal or anomalous, taking the particularity of each user's behavior into account. Application of the method in practical intrusion detection systems shows that it achieves high detection performance.
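The profile construction and two-stage detection outlined in the abstract, as an added illustration that is not code from the paper: a first-order Markov chain whose states are shell commands, with transition probabilities estimated by counting matched command pairs in a constructed normal history, and two decision schemes applied to a window of newly observed commands. The additive smoothing, the window length, the per-user threshold rule (the lowest-scoring window of the user's own history is still treated as normal), the `<unk>` catch-all state, and the two concrete decision rules (length-normalised window log-probability against that threshold; fraction of transitions never matched in the profile) are this example's assumptions, since the abstract does not specify them. All command histories below are constructed for the example.

```python
"""First-order Markov chain over shell commands: build one user's normal-behaviour
profile, then score windows of new commands.  Added example; the smoothing, the
window length and both decision rules are assumptions, not the paper's method."""
import math
from collections import Counter, defaultdict

UNKNOWN = "<unk>"  # catch-all state for commands never seen in training (assumption)

# Constructed "normal" shell history for one user (not real data).
NORMAL_HISTORY = (
    "cd ls vim make ls ./a.out vim make ./a.out cd ls git vim make ./a.out "
    "git ls cd ls vim make ./a.out ls git cd ls vim make ls"
).split()


class CommandMarkovChain:
    def __init__(self, window=5, alpha=0.5):
        self.window = window      # number of commands scored together at detection time
        self.alpha = alpha        # additive smoothing so an unseen transition is not log(0)
        self.unigram = Counter()  # initial-state counts (one state per distinct command)
        self.bigram = defaultdict(Counter)  # transition counts: prev -> cur
        self.score_threshold = None

    # --- training: command matching = map each command to a state, count transitions ---
    def fit(self, history):
        self.unigram = Counter(history)
        self.unigram[UNKNOWN] += 0          # reserve the unknown state (count 0)
        for prev, cur in zip(history, history[1:]):
            self.bigram[prev][cur] += 1
        # Per-user threshold: the worst-scoring window of this user's own normal
        # history must still be classified normal (assumed calibration rule).
        self.score_threshold = min(
            self.window_score(history[i:i + self.window])
            for i in range(len(history) - self.window + 1)
        )
        return self

    def _state(self, cmd):
        return cmd if cmd in self.unigram else UNKNOWN

    @property
    def n_states(self):
        return len(self.unigram)

    def init_prob(self, cmd):
        total = sum(self.unigram.values())
        return (self.unigram[self._state(cmd)] + self.alpha) / (total + self.alpha * self.n_states)

    def trans_prob(self, prev, cur):
        row = self.bigram.get(self._state(prev), Counter())
        return (row[self._state(cur)] + self.alpha) / (sum(row.values()) + self.alpha * self.n_states)

    # --- detection: probability of the observed state sequence ---
    def log_prob(self, seq):
        """log P(s1..sk) = log pi(s1) + sum_i log A[s_(i-1), s_i] for a first-order chain."""
        lp = math.log(self.init_prob(seq[0]))
        for prev, cur in zip(seq, seq[1:]):
            lp += math.log(self.trans_prob(prev, cur))
        return lp

    def window_score(self, seq):
        return self.log_prob(seq) / len(seq)  # length-normalised so windows are comparable

    def is_anomalous_by_score(self, seq):
        """Scheme 1 (assumed): window log-probability falls below the user's threshold."""
        return self.window_score(seq) < self.score_threshold

    def unmatched_fraction(self, seq):
        """Share of transitions in the window that never occurred in the profile."""
        unmatched = sum(
            1 for p, c in zip(seq, seq[1:])
            if self.bigram.get(self._state(p), Counter())[self._state(c)] == 0
        )
        return unmatched / max(len(seq) - 1, 1)

    def is_anomalous_by_matching(self, seq, tau=0.5):
        """Scheme 2 (assumed): too many transitions that the profile never matched."""
        return self.unmatched_fraction(seq) > tau


if __name__ == "__main__":
    chain = CommandMarkovChain().fit(NORMAL_HISTORY)
    windows = {  # constructed test windows
        "normal": "git vim make ./a.out ls".split(),
        "suspicious": "wget tar sudo nc bash".split(),
    }
    for label, win in windows.items():
        print(label, round(chain.window_score(win), 3),
              "score-anomalous:", chain.is_anomalous_by_score(win),
              "matching-anomalous:", chain.is_anomalous_by_matching(win))
```

Both schemes flag the window of never-seen commands, while the "normal" window, which is a novel ordering of commands and transitions the profile has already matched, passes both; that is the intended behaviour of a profile-based detector, and it also shows why the smoothing constant matters: without it a single unseen command would give log(0) and swamp the window score.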