%0 Journal Article
%T Analyzing user and network behaviors for host-based anomaly detection
%A 郭志民
%A 彭豪辉
%A 牛霜霞
%A 邵坤
%A 吕卓
%A 王伟
%J Journal of Beijing Jiaotong University
%D 2018
%R 10.11860/j.issn.1673-0291.2018.05.006
%X Attacks against hosts have become increasingly complex, and novel attacks appear more and more frequently, which makes host-based anomaly detection very important. Anomaly detection can detect unknown attacks as well as insider threats, and has therefore become a widely studied topic in network and system security. Most existing anomaly detection studies rely on a single source of information, such as network traffic, which an attacker can easily evade, resulting in a low detection rate. This paper proposes building a model from multiple information sources to carry out anomaly detection. User behavior and network behavior are analyzed separately, an anomaly score for each behavior is obtained with the K-Nearest Neighbor (K-NN) classification algorithm, and the weighted combination of the two scores forms the overall anomaly score that serves as the detection criterion. Seventeen users were selected for the experiments. The results show that, at a false positive rate of 2.9%, the multi-source model detects anomalies that the single-source model cannot, and the detection rate reaches 100%.
%K cyber security
%K anomaly detection
%K system security
%K network behaviors
%K user behaviors
%U http://jdxb.bjtu.edu.cn/CN/abstract/abstract3378.shtml