You are viewing a javascript disabled version of the site. Please enable Javascript for this site to function properly.
Go to headerGo to navigationGo to searchGo to contentsGo to footer
In content section. Select this link to jump to navigation

Real-time anomaly attack detection based on an improved variable length model

Article type: Research Article

Authors: Liu, Xiaomei* | Yue, Jianlong

Affiliations: School of Information Management, Beijing Information Science and Technology University, Beijing, China

Correspondence: [*] Corresponding author: Xiaomei Liu, School of Information Management, Beijing Information Science and Technology University, Beijing 100101, China. E-mail: [email protected].

Abstract: This paper uses a real-time anomaly attack detection based on improved variable length sequences and data mining. The method is mainly used for host-based intrusion detection systems on Linux or Unix platforms which use shell commands. The algorithm first generates a stream of command sequences with different lengths and subsumes them into a generic sequence library, de-duplicats and sortes shell command sequences. The shell command sequences are then stratified according to their weighted frequency of occurrence to define the state. Next, the behavioural patterns of normal users are mined to output the state stream and a Markov chain is constructed. Then, the state sequences are calculated based on a primary probability distribution and a transfer probability matrix. The System will check decision values of the short sequence stream. Finally, the decision values of the behavioural sequences are analysed to determine whether the current session user is behaving abnormally. The improved algorithm introduces the concept of multi-order frequencies and proposes a new separation mechanism. The extension module is integrated into the variable length model. By comparing the performance of the old and new separation mechanisms on the SEA dataset and the self-made dataset (SD), it is found that the improved model greatly improves the performance of the model and shortens the running time.

Keywords: Variable length model, Markov, new separation mechanism, weighted frequency

DOI: 10.3233/JCM-226663

Journal: Journal of Computational Methods in Sciences and Engineering, vol. 23, no. 3, pp. 1179-1195, 2023

Published: 30 May 2023
Price: EUR 27.50
Show more