ISSN 1673-9418  CODEN JKYTA8  E-mail: fcst@public2.bta.net.cn
Journal of Frontiers of Computer Science and Technology  http://www.ceaj.org
1673-9418/2010/04(06)-0500-11  Tel: +86-10-51616056
DOI: 10.3778/j.issn.1673-9418.2010.06.002

Masquerade Detection towards Network Users on Unix and Linux Platforms*

TIAN Xinguang 1+, CHENG Xueqi 1, CHEN Xiaojuan 2, DUAN Miyi 1, XU Hongbo 1
1. Key Lab of Network Science and Technology, Institute of Computing Technology, CAS, Beijing 100190, China
2. College of Comp. and Info. Engineering, Beijing Technology and Business University, Beijing 100037, China
+ Corresponding author: E-mail: tianxinguang@163.com

TIAN Xinguang, CHENG Xueqi, CHEN Xiaojuan, et al. Masquerade detection towards network users on Unix and Linux platforms. Journal of Frontiers of Computer Science and Technology, 2010, 4(6): 500-510.

Abstract: Host-based intrusion detection is one of the major research directions in network security. This paper presents a novel method for masquerade detection based on data mining and variable-length shell command sequence matching, which is applicable to intrusion detection systems that use shell commands as audit data on Unix and Linux platforms. The method employs multiple command sequences to represent a user's behaviour pattern, and uses sequence supports as defined in data mining to characterize the normal behaviour profiles of legitimate users. In the detection stage, a model based on variable-length shell command sequence matching and decision value weighting is used to distinguish between legitimate users and masqueraders, while the particularity of the audit data and of user behaviour is taken into account. The performance of the method is tested by computer simulation, and the results show that it achieves higher detection accuracy and efficiency than existing alternative methods.
Key words: masquerade attack; intrusion detection; shell command; data mining; anomaly detection

* Supported by the National High-Tech Research and Development Plan of China (863 Program) under Grant No. 2006AA01Z452 and the National Information Security 242 Program of China under Grant No. 2005C39.
Received 2009-08, Accepted 2010-04.
Document code: A   CLC number: TP393

1 [Introduction; Chinese text not recovered] Related work cited: anomaly detection based on homogeneous Markov chains [1-2]; SVM-based masquerade detection and HMM-based behavioural distance [3-4]; ensembles of intelligent paradigms [5]; hidden Markov model (HMM) methods, including Lane T's HMM approach [6] trained with the Baum-Welch algorithm; the recursive data mining of Chaoji V and Szymanski B K [7-8]; Schonlau M's masquerade detection on AT&T Shannon Lab shell command data [9]; Maxion R A and Schonlau M's work on truncated command lines [10]; Imsand E's graphical user interface (GUI) usage analysis [11]; and Tian X G's Markov chain method on shell commands [1].
2 [Chinese text not recovered] Cites the authors' earlier machine-learning-based methods for anomaly detection of user behaviour [12-13], [14-16], and the use of shell commands as audit data on Unix and Linux platforms in [6-10], [1,6,9-10], [9-10] and [1,6].

3 [Training stage; Chinese text not recovered]
(1) Select W shell command sequence lengths (cf. [6,10]).
Denote the W lengths by l(1), l(2), …, l(W), where l(i) (1 ≤ i ≤ W) is the i-th shell command sequence length and l(1) < l(2) < … < l(W); for example, with W = 3 the three lengths may be 1, 2, 3 or 1, 3, 5.
(2) Let the training shell command sequence of a user be R = (s_1, s_2, …, s_r), where s_j is the j-th shell command and r is the number of commands. For each length l(i) (1 ≤ i ≤ W) form the sequence set
$S^i = (S^i_1, S^i_2, \ldots, S^i_{r-l(i)+1})$, $S^i_j = (s_j, s_{j+1}, \ldots, s_{j+l(i)-1})$, $1 \le j \le r-l(i)+1$,
so that S^i_j is the subsequence of l(i) shell commands starting at s_j, and S^i contains r − l(i) + 1 such subsequences.
(3) Let S^{i+} denote a distinct subsequence occurring in S^i (1 ≤ i ≤ W). Its support in S^i is
$$\mathrm{support}(S^{i+}) = \frac{\mathrm{number}(S^{i+})}{r - l(i) + 1}$$
where number(S^{i+}) is the number of times S^{i+} occurs among the r − l(i) + 1 subsequences of S^i.
(4) Set W minimum-support thresholds minsup(1), minsup(2), …, minsup(W), where minsup(i) applies to the sequences of length l(i) (1 ≤ i ≤ W) and minsup(1) ≥ minsup(2) ≥ … ≥ minsup(W). Let L(i) = {S^{i+}_1, S^{i+}_2, …, S^{i+}_{K(i)}} be the set of the K(i) distinct subsequences of length l(i) whose support is at least minsup(i) (K(i) ≤ r − l(i) + 1).
(5) The normal behaviour profile of the user is the collection of the W sets, L = {L(1), L(2), …, L(W)}.
Profile update: when a further shell command sequence R̃ = (s̃_1, s̃_2, …, s̃_r̃) of the same user becomes available (r̃ commands), let S̃^i be its set of r̃ − l(i) + 1 subsequences of length l(i) and let support_add(S^{i+}) be the support of S^{i+} in S̃^i. The combined support over both sequences is
$$\mathrm{support\_sum}(S^{i+}) = \mathrm{support}(S^{i+})\,\frac{r-l(i)+1}{r+\tilde r-2l(i)+2} + \mathrm{support\_add}(S^{i+})\,\frac{\tilde r-l(i)+1}{r+\tilde r-2l(i)+2} \quad (1)$$
and L(i) is rebuilt by comparing support_sum with minsup(i) (cf. [17]).

4 [Detection stage; Chinese text not recovered]
(1) Let R = (s_1, s_2, …, s_r) be the shell command sequence under test, s_j its j-th command. For each command s_k with l(W) ≤ k ≤ r form the W sequences of lengths l(1), l(2), …, l(W) that end at s_k:
$S^i_k = (s_{k-l(i)+1}, s_{k-l(i)+2}, \ldots, s_k)$, $1 \le i \le W$.
(2) Matching algorithm for a command s_k (l(W) ≤ k ≤ r) of R = (s_1, s_2, …, s_r):
Step 1: i := W.
Step 2: if i > 0, go to Step 3; if i = 0, set Sim(s_k) := 0 and stop (Sim(s_k) is the similarity value assigned to s_k).
Step 3: if S^i_k ∈ L(i) = {S^{i+}_1, S^{i+}_2, …, S^{i+}_{K(i)}}, set Sim(s_k) := f(l(i)) and stop; if S^i_k ∉ L(i), go to Step 4.
Step 4: i := i − 1 and go to Step 2.
In other words, the W sequences S^1_k, S^2_k, …, S^W_k ending at s_k are matched against the profile from the longest to the shortest; the first S^i_k found in L(i) sets Sim(s_k) := f(l(i)), and if none of them belongs to L = {L(1), L(2), …, L(W)}, Sim(s_k) := 0.
(3) f(l(i)) is a weight function of the matched length l(i), increasing in l(i), with f(l(i)) = l(i)/l(W) and therefore f(l(i)) ≤ 1, so a match on a longer sequence contributes more. Matching every command of R = (s_1, s_2, …, s_r) yields the similarity sequence (Sim(s_{l(W)}), Sim(s_{l(W)+1}), …, Sim(s_r)). The decision value at command s_k is the mean similarity over a window of the last e commands:
$$D(k) = \frac{1}{e}\sum_{i=k-e+1}^{k} \mathrm{Sim}(s_i), \quad e + l(W) - 1 \le k \le r \quad (2)$$
where e is the window length; the window s_{k−e+1}, …, s_k draws on e + l(W) − 1 shell commands of R in total.
(4) D(k) is compared with a threshold a: D(k) ≥ a is judged normal behaviour, and D(k) < a is judged an anomaly (masquerade) at s_k, i.e. over the e shell commands s_{k−e+1}, s_{k−e+2}, …, s_k.

Decision value weighting model. For the same W lengths the detection can instead be organised per length:
(1) For the shell command sequence R = (s_1, s_2, …, s_r) under test and each length l(i) (1 ≤ i ≤ W) form the sequence set
$S^i = (S^i_{l(i)}, S^i_{l(i)+1}, \ldots, S^i_r)$, $S^i_j = (s_{j-l(i)+1}, s_{j-l(i)+2}, \ldots, s_j)$, $l(i) \le j \le r$,
so that S^i_j is the subsequence of l(i) shell commands ending at s_j and S^i contains r − l(i) + 1 subsequences.
(2) For each length l(i) (1 ≤ i ≤ W) classify every subsequence against the profile: class(S^i_j) = 1 if S^i_j ∈ L(i) = {S^{i+}_1, S^{i+}_2, …, S^{i+}_{K(i)}}, and class(S^i_j) = 0 if S^i_j ∉ L(i). This turns S^i = (S^i_{l(i)}, S^i_{l(i)+1}, …, S^i_r) into the class sequence (class(S^i_{l(i)}), class(S^i_{l(i)+1}), …, class(S^i_r)).
(3) The decision value of length l(i) at command s_j is the mean of class over a window of e subsequences:
$$D^i(j) = \frac{1}{e}\sum_{n=j-e+1}^{j} \mathrm{class}(S^i_n), \quad e + l(i) - 1 \le j \le r \quad (3)$$
where D^i(j) covers the e shell command subsequences S^i_{j−e+1}, …, S^i_j of S^i, i.e. e + l(i) − 1 shell commands.
(4) The W decision values D^1(j), D^2(j), …, D^W(j) are combined by weighting:
$$D(j) = \sum_{i=1}^{W} q(i)\,D^i(j), \quad j \ge e + l(W) - 1 \quad (4)$$
where q(i) is the weight of D^i(j) and q(1) + q(2) + … + q(W) = 1. As in (4) above, D(j) is compared with the threshold a to decide whether the behaviour around s_j of R = (s_1, s_2, …, s_r) is normal or a masquerade.

5 [Parameter selection; Chinese text not recovered] Discusses the choice of the number of lengths W, the lengths l(i) and the thresholds minsup(i), which determine the size of L(i), as well as the window length e and the decision threshold a (cf. [9]).
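The following Python program is an added example, not code from the paper: it implements the training stage (frequent-subsequence profile L(i) by support, Section 3) and the longest-first variable-length matching with f(l(i)) = l(i)/l(W) and the windowed decision value D(k) of Section 4. The command streams, lengths, thresholds, e and a are constructed here for illustration.

```python
from collections import Counter

def build_profile(train, lengths, minsup):
    """L(i): distinct subsequences of length l(i) whose support in the
    training stream is at least minsup(i) (Section 3, steps 2-4)."""
    profile = {}
    for l, ms in zip(lengths, minsup):
        n = len(train) - l + 1                     # r - l(i) + 1 subsequences
        counts = Counter(tuple(train[j:j + l]) for j in range(n))
        profile[l] = {seq for seq, c in counts.items() if c / n >= ms}
    return profile

def similarity(cmds, k, lengths, profile):
    """Sim(s_k): match the sequences ending at s_k longest-first; the first
    length found in the profile yields f(l(i)) = l(i)/l(W), otherwise 0."""
    lw = lengths[-1]
    for l in sorted(lengths, reverse=True):
        if tuple(cmds[k - l + 1:k + 1]) in profile[l]:
            return l / lw
    return 0.0

def decision_values(cmds, lengths, profile, e):
    """D(k) = (1/e) * sum of Sim over the last e commands (formula 2),
    for every k from e + l(W) - 1 onwards; returns the list of D values."""
    lw = lengths[-1]
    sims = [similarity(cmds, k, lengths, profile) for k in range(lw - 1, len(cmds))]
    return [sum(sims[j - e + 1:j + 1]) / e for j in range(e - 1, len(sims))]

def masquerade_flags(cmds, lengths, profile, e, a):
    """True wherever D(k) < a, i.e. the window is judged anomalous."""
    return [d < a for d in decision_values(cmds, lengths, profile, e)]

# Constructed sample data: a user who repeats one edit-build cycle.
LENGTHS = (1, 2, 3)                 # W = 3, l(i) = 1, 2, 3
MINSUP = (0.01, 0.01, 0.01)         # minsup(i), non-increasing in i
E, A = 5, 0.65                      # window length e and threshold a
TRAIN = ["ls", "cd", "vi", "make"] * 50
PROFILE = build_profile(TRAIN, LENGTHS, MINSUP)
LEGIT = ["ls", "cd", "vi", "make"] * 5      # same habits: every D(k) = 1.0
MASQ = ["cat", "mail", "lpr", "who"] * 5    # unfamiliar commands: every D(k) = 0.0

if __name__ == "__main__":
    print("legitimate user flagged:", any(masquerade_flags(LEGIT, LENGTHS, PROFILE, E, A)))
    print("masquerader flagged:", all(masquerade_flags(MASQ, LENGTHS, PROFILE, E, A)))
```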
6 [Experiments; Chinese text not recovered] Two data sets are used: the Purdue University data and the AT&T Shannon Lab data. The Purdue data contain the shell commands of 8 Unix users (used in [6] and [1]); 4 of them, user1 to user4, are used here, with user2 acting as the masquerader. user1, user3 and user4 contribute 15 000 shell commands each and user2 10 000, with 5 000 commands used for testing. Parameters: W = 3, l(1) = 1, l(2) = 2, l(3) = 3, minsup(1) = 0.000 3, minsup(2) = 0.000 2, minsup(3) = 0.000 1, e = 91, a = 0.65.

Fig.1 The plot of D(k) for Purdue University data (user2 against user1, user3 and user4)

For comparison, the Purdue experiment is repeated with the shell-command-based Markov chain method of [1], the SVM-based method of [3] and the HMM-based method of [6].

Table 1 Experimental results of Purdue University data (five rows: this paper's method(s), [1], [3] and [6]; row and column labels not recovered, columns are two rates in % and a time in s)
 /(%)   /(%)    /s
 0.02   92.39   412
 0.04   92.51   403
 0.12   86.52   469
 0.18   86.74   512
 0.08   89.91   3152

The AT&T Shannon Lab data ([9][10]) contain shell commands of several users; 4 of them, user1 to user4, with 5 000 shell commands each are used, user4 acting as the masquerader; 4 000 commands per user serve as training data
and 1 000 as test data. Parameters: W = 3, l(1) = 1, l(2) = 2, l(3) = 3, minsup(1) = 0.015, minsup(2) = 0.007 5, minsup(3) = 0.000 75; the remaining settings are as in the Purdue experiment. The results are compared with the methods of [1,3,6] by ROC curves.

Fig.2 The ROC curves for the alternative methods (AT&T Shannon Lab data; this paper and [1,3,6])

7 [Conclusion; Chinese text not recovered]

References:
[1] Tian Xinguang, Duan Miyi, Li Wenfa, et al. Anomaly detection of user behavior based on shell commands and homogeneous Markov chains[J]. Chinese Journal of Electronics, 2008, 17(2): 231-236.
[2] Tian Xinguang, Duan Miyi, Sun Chunlai, et al. Intrusion detection based on system calls and homogeneous Markov chains[J]. Journal of Systems Engineering and Electronics, 2008, 19(3): 598-605.
[3] Kim H S, Cha S D. Empirical evaluation of SVM-based masquerade detection using UNIX commands[J]. Computers and Security, 2005, 24(2): 160-168.
[4] Gao D, Reiter M K, Song D. Behavioral distance measurement using hidden Markov models[C]//Proceedings of the Conference on Recent Advances in Intrusion Detection, Hamburg, Germany, Sep, 2006: 19-40.
[5] Mukkamala S, Sung A H, Abraham A. Intrusion detection using an ensemble of intelligent paradigms[J]. Journal of Network and Computer Application, 2005, 28(2): 167-182.
[6] Lane T, Carla E B. An empirical study of two approaches to sequence learning for anomaly detection[J]. Machine Learning, 2003, 51(1): 73-107.
[7] Chaoji V, Hoonlor A, Szymanski B K. Recursive data mining for author and role identification[C]//Proceedings of the 3rd Annual Information Assurance Workshop ASIA 08, Albany, NY, June, 2008: 53-62.
[8] Szymanski B K, Zhang Y Q. Recursive data mining for masquerade detection and author identification[C]//Proceedings of the 5th IEEE System, Man and Cybernetics Information Assurance Workshop, West Point, NY, June, 2004: 424-431.
[9] Schonlau M, Mouchel W. Computer intrusion: Detecting masquerades[J]. Statistical Science, 2001, 16(1): 58-74.
[10] Maxion R A, Townsend T N. Masquerade detection using truncated command lines[C]//Proceedings of the International Conference on Dependable Systems and Networks, Washington, DC, USA, 2002: 219-228.
[11] Imsand E, Hamilton J. GUI usage analysis for masquerade detection[C]//Proceedings of the IEEE Workshop on Information Assurance, West Point, NY, USA, June 20-22, 2007: 270-276.
[12] Tian Xinguang, Su Jinguo, Li Xuechun. A system and its method for anomaly detection of user behavior based on machine learning: Chinese, ZL200510056934[P]. 2005-03-23.
[13] Chen You, Shen Huawei, Li Yang, et al. An efficient feature selection algorithm towards building lightweight intrusion detection system[J]. Chinese Journal of Computers, 2007, 30(8): 1398-1408.
[14] Tian Xinguang, Gao Lizhi, Sun Chunlai, et al. A method for anomaly detection of user behaviors based on machine learning[J]. The Journal of China Universities of Post and Telecommunications, 2006, 13(2): 61-65.
[15] Tian Xinguang, Gao Lizhi, Sun Chunlai, et al. Anomaly detection of program behavior based on system calls and Markov chains[J]. Journal of Computer Research and Development, 2007, 44(9): 1538-1544.
[16] Ye N, Emran S M, Chen Q. Multivariate statistical analysis of audit trails for host-based intrusion detection[J]. IEEE Transactions on Computers, 2002, 51(7): 810-820.
[17] Yan Qiao, Xie Weixin, Yang Bin. An anomaly intrusion detection method based on HMM[J]. Electronics Letters, 2002, 38(13): 663-664.

Appendix: Chinese-language references. [Chinese versions of references [12], [13] and [15] not recovered; patent ZL200510056934[P], 2005-03-23; Chinese Journal of Computers, 2007, 30(8): 1398-1408; Journal of Computer Research and Development, 2007, 44(9): 1538-1544.]

TIAN Xinguang was born in 1976. He received his B.S., M.S. and Ph.D. degrees in Information and Communication Engineering from National University of Defense Technology in 1998, 2001 and 2005 respectively.
He is currently a post-doctoral fellow at Institute of Computing Technology, Chinese Academy of Sciences, and a senior member of CCF. His current research interests include network security, intrusion detection and information processing, etc.

CHENG Xueqi was born in 1971. He received his Ph.D. degree in Computer Architecture from Institute of Computing Technology, Chinese Academy of Sciences. He is currently a researcher and doctoral supervisor at Institute of Computing Technology, Chinese Academy of Sciences. His research interests include network and information security, P2P computing, etc.
CHEN Xiaojuan was born in 1977. She received her B.S. and M.S. degrees in Electronic Science and Engineering from National University of Defense Technology in 1998 and 2005 respectively. She is currently a laboratory assistant at College of Computer and Information Engineering, Beijing Technology and Business University. Her current research interests include communication engineering and digital signal processing, etc.

DUAN Miyi was born in 1953. He received his Ph.D. degree in Computer Science from Magdeburg University, Germany, in 1995. He is now a researcher and Ph.D. supervisor at Institute of Computing Technology, Chinese Academy of Sciences, and a council member of CCF. His research interests include computer networks and intrusion detection, etc.

XU Hongbo was born in 1975. He received his Ph.D. degree from Institute of Computing Technology, Chinese Academy of Sciences, in 2003. He is now an associate researcher at Institute of Computing Technology, Chinese Academy of Sciences. His research interests include information retrieval, text mining and natural language processing, etc.