Host Intrusion Activities Detection Based on Data Mining Method
Cite this article: Zan Xin, Han Chongzhao, Yao Tingting, Han Jiuqiang. Host Intrusion Activities Detection Based on Data Mining Method [J]. Journal of Xi'an Jiaotong University, 2005, 39(4): 364-367.
Authors: Zan Xin  Han Chongzhao  Yao Tingting  Han Jiuqiang
Affiliation: School of Electronic and Information Engineering, Xi'an Jiaotong University, Xi'an 710049
Funding: National High Technology Research and Development Program of China (2001AA40213), National Natural Science Foundation of China (60243001), National Key Basic Research and Development Program of China (2001CB309403).
Abstract: A sequential pattern mining method is proposed for obtaining frequent intrusion command sequences; the frequent intrusion commands are converted into detection rules for the low-level intrusion detector and used to detect suspicious user behavior. To eliminate false alarms, a correlation engine based on intrusion event state is designed, with the frequent intrusion command sequences serving as correlation rules, and a new intrusion correlation algorithm is proposed. The algorithm considers not only the sequential characteristics of each class of host intrusion activity but also the causal relations between different classes of host intrusion activity, reflecting the diversity and complexity of host intrusions. Experimental results show that the intrusion correlation model detects all classes of host intrusion activity well and significantly lowers the false alarm rate; in particular, false alarms for download-type and information-gathering-type host intrusion activities are reduced by about 20%.

Keywords: network security  intrusion detection  host intrusion activity  sequential pattern mining
Article number: 0253-987X(2005)04-0364-04
Revised: July 21, 2004

Host Intrusion Activities Detection Based on Data Mining Method
Zan Xin,Han Chongzhao,Yao Tingting,Han Jiuqiang.Host Intrusion Activities Detection Based on Data Mining Method[J].Journal of Xi'an Jiaotong University,2005,39(4):364-367.
Authors:Zan Xin  Han Chongzhao  Yao Tingting  Han Jiuqiang
Abstract:A sequence mining method for obtaining the frequent intrusion command sequences executed by intruders was presented. The frequent intrusion commands were transformed into detection rules for the low-level intrusion detection sensor in order to detect suspicious behaviors. To eliminate false alarms, an efficient intrusion correlation engine based on intrusion incident context was designed, and the frequent intrusion command sequences were used as the association rules. Moreover, a novel intrusion correlation algorithm was presented, which considers both the sequential relations within every host intrusion class and the causal relations between different host intrusion classes to compute the probability of an intrusion. The algorithm fully embodies the complexity and diversity of host intrusion activities. Experimental results show that this intrusion correlation model not only improves the detection rate but also reduces the false alarm rate of host intrusion activities, in particular reducing the false alarm rate for tool-downloading activities and system-information-gathering activities of intruders by about 20 percent.
Keywords:network security  intrusion detection  host intrusion activity  sequence pattern mining
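The pipeline the abstract describes (mine frequent command sequences per intrusion class, turn them into detection rules for a host sensor, then correlate rule hits across classes to cut false alarms) can be sketched end to end in a few dozen lines. The following is an added illustration written for this page; it is not the authors' code, and the paper's actual mining and correlation algorithms are not given here. The training sessions, class labels (`info_gathering`, `download`), the assumed causal order between those classes, and the audit-log samples are all constructed for the example; the mining step is a plain Apriori-style enumeration of ordered subsequences, and the correlation step is a deliberately simplified stand-in for the paper's state-based engine.

```python
"""Frequent command-sequence mining turned into host-intrusion detection rules.

Added illustration, not the paper's code. Mining = enumerate ordered
subsequences per session and keep those with enough support; rules = maximal
frequent sequences per class; correlation = simplified causal-order check.
"""
from collections import Counter
from itertools import combinations

# Constructed training data: command histories of labelled intrusion sessions.
# The class names and the commands are assumptions made for this example.
TRAINING_SESSIONS = {
    "info_gathering": [
        ["whoami", "uname", "cat /etc/passwd", "ls"],
        ["id", "uname", "cat /etc/passwd"],
        ["uname", "cat /etc/passwd", "netstat"],
    ],
    "download": [
        ["cd /tmp", "wget", "chmod +x", "./exploit"],
        ["wget", "tar", "chmod +x", "./exploit"],
        ["cd /tmp", "wget", "chmod +x"],
    ],
}

# Assumed causal ordering between classes: reconnaissance precedes tooling.
CAUSAL_ORDER = ["info_gathering", "download"]


def ordered_subsequences(session, max_len):
    """All order-preserving subsequences (gaps allowed) of length 2..max_len,
    as a set so that each sequence counts once per session."""
    subs = set()
    for k in range(2, max_len + 1):
        for idx in combinations(range(len(session)), k):
            subs.add(tuple(session[i] for i in idx))
    return subs


def mine_frequent_sequences(sessions, min_support, max_len=3):
    """Return {sequence: support} for sequences seen in >= min_support sessions."""
    counts = Counter()
    for session in sessions:
        counts.update(ordered_subsequences(session, max_len))
    return {seq: n for seq, n in counts.items() if n >= min_support}


def is_subsequence(needle, haystack):
    """True if needle occurs in haystack in order, gaps allowed."""
    it = iter(haystack)
    return all(cmd in it for cmd in needle)


def build_rules(training, min_support):
    """Convert each class's frequent sequences into (class, sequence) rules,
    keeping only maximal sequences so their prefixes don't double-fire."""
    rules = []
    for cls, sessions in training.items():
        freq = mine_frequent_sequences(sessions, min_support)
        maximal = [s for s in freq
                   if not any(s != t and is_subsequence(s, t) for t in freq)]
        rules.extend((cls, s) for s in sorted(maximal))
    return rules


def match_position(seq, log):
    """Earliest index in log at which seq completes as an ordered subsequence,
    or None if the rule does not fire on this log."""
    i = 0
    for pos, cmd in enumerate(log):
        if cmd == seq[i]:
            i += 1
            if i == len(seq):
                return pos
    return None


def correlate(log, rules):
    """Simplified correlation engine (an assumption, not the paper's algorithm):
    a hit from one class alone is 'suspicious'; hits from several classes that
    complete in the assumed causal order escalate to 'intrusion'.
    Returns (verdict, classes in order of completion)."""
    first_hit = {}
    for cls, seq in rules:
        pos = match_position(seq, log)
        if pos is not None and (cls not in first_hit or pos < first_hit[cls]):
            first_hit[cls] = pos
    ordered = sorted(first_hit, key=first_hit.get)
    if not ordered:
        return "benign", []
    expected = [c for c in CAUSAL_ORDER if c in first_hit]
    if len(ordered) >= 2 and ordered == expected:
        return "intrusion", ordered
    return "suspicious", ordered


if __name__ == "__main__":
    rules = build_rules(TRAINING_SESSIONS, min_support=2)
    for r in rules:
        print("rule:", r)
    # Constructed audit log for one user session.
    audit = ["ls", "uname", "cat /etc/passwd", "cd /tmp", "wget", "chmod +x", "./exploit"]
    print(correlate(audit, rules))
```

With the constructed data and a support threshold of 2 sessions, mining yields one information-gathering rule and two download rules; a log that performs reconnaissance and then fetches and runs a tool is escalated to an intrusion, while either class alone stays at the lower "suspicious" level, which is the false-alarm reduction the correlation stage is there to provide. Support is counted once per session so that a command repeated inside one session cannot manufacture a rule by itself.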