文献类型：期刊文献

英文题名：HMMs based masquerade detection for network security on with parallel computing

作者：Liu, Jia[1,2];Duan, Miyi[1];Li, Wenfa[3];Tian, Xinguang[4]

第一作者：Liu, Jia

通讯作者：Duan, MY[1];Li, WF[2]

机构：[1]Beihang Univ, Sch Comp Sci & Engn, Beijing Key Lab Digital Media, Beijing, Peoples R China;[2]Beijing Union Univ, Smart City Coll, Beijing, Peoples R China;[3]Beijing Union Univ, Coll Robot, Beijing, Peoples R China;[4]Chinese Acad Sci, Inst Comp Technol, Beijing, Peoples R China

第一机构：Beihang Univ, Sch Comp Sci & Engn, Beijing Key Lab Digital Media, Beijing, Peoples R China

通讯机构：[1]corresponding author), Beihang Univ, Sch Comp Sci & Engn, Beijing Key Lab Digital Media, Beijing, Peoples R China;[2]corresponding author), Beijing Union Univ, Coll Robot, Beijing, Peoples R China.|[1141739]北京联合大学机器人学院;[11417]北京联合大学;

年份：2020

卷号：156

起止页码：168-173

外文期刊名：COMPUTER COMMUNICATIONS

收录：;EI(收录号：20201508405731);Scopus(收录号：2-s2.0-85082921776);WOS:【SCI-EXPANDED(收录号:WOS:000528265900016)】；

基金：This work was supported in part by the National Natural Science Foundation of China under Grant 61841601, the Science and Technology Projects of Beijing Municipal Education Commission, China under Grant KM201711417011, the Premium Funding Project for Academic Human Resources Development in Beijing Union University, China under Grant BPHR2018EZ01 and the Science and Technology Projects of Beijing Municipal Education Commission, China under Grant KM201911417011.

语种：英文

外文关键词：Masquerade detection; Shell command; Anomaly detection; Hidden Markov model

摘要：Masquerade detection is currently an active research topic in the field of network security. This paper presents a novel method for detecting masquerade attacks based on hidden Markov models (HMMs), which applies to host-based intrusion detection systems using Unix or Linux shell commands as audit data. The method employs multiple command sequences of different lengths to represent the behavioral patterns of a legitimate user and constructs a specific HMM to characterize the normal behavior profile of the user. Moreover, the adaptability and precision of user profiling are definitely taken into account. During training, the parameters of the HMM are calculated by parallel computing that is less computationally expensive than the classic Baum-Welch algorithm. At the detection stage, the occurrence probabilities of short state sequences are first computed to analyze behavior deviations that may indicate masquerade attacks, and two alternative decision schemes can be used to classify the monitored user's behavior as normal or anomalous. The method addresses both detection accuracy and computational efficiency and is especially suitable for online detection. Our study empirically demonstrates the promising performance of the method.