What is it about?

This paper proposes real-time anomaly-based attack detection built on an improved variable-length sequence model and data mining. The method targets host-based intrusion detection systems on Linux and Unix platforms, where a user's behaviour is observed as the stream of shell commands issued in a session. The algorithm first generates command sequences of different lengths from that stream, subsumes them into a generic sequence library, and de-duplicates and sorts the shell command sequences.


Why is it important?

The shell command sequences are then stratified by their weighted frequency of occurrence, and each stratum defines a state. Next, the behavioural patterns of normal users are mined to output a state stream, from which a Markov chain is constructed. The probability of a state sequence is then calculated from an initial probability distribution and a transition probability matrix. The system computes decision values for the short sequence stream of the current session, and finally those decision values of the behavioural sequences are analysed to determine whether the user of the current session is behaving abnormally.
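The pipeline summarised in the two paragraphs above (variable-length sequence library, frequency strata as states, Markov chain over the state stream, decision values on short sequences, threshold) as a runnable illustration. This is an added example, not the paper's code or its evaluation: the weighted-frequency definition (occurrences times length), the stratum cut points, the greedy longest-match segmentation, the smoothing constant, the window length and the threshold margin are all simplifying assumptions chosen for this example, and the command streams are constructed sample data.

```python
"""Markov-chain anomaly detection over variable-length shell command sequences.

Added illustration of the approach described above; not the paper's code.
Every tunable below (weights, strata cuts, smoothing, window, margin) is an
assumption made for this example.
"""
import math
from collections import Counter

MAX_LEN = 3          # longest command sequence kept in the library (assumption)
N_STRATA = 3         # frequency strata = Markov states 0..2
UNKNOWN = N_STRATA   # extra state for a command that starts no known sequence
ALPHA = 0.5          # additive smoothing for pi and the transition matrix
WINDOW = 4           # length of the short state sequences that get a decision value
MARGIN = 0.3         # slack below the worst training window before raising an alarm

# Constructed sample data (not from the paper): a normal user's training
# stream, one normal test session and one suspicious test session.
NORMAL_STREAM = ("cd ls vim make ./a.out ls " * 2 + "git status git commit "
                 + "cd ls vim make ./a.out ls git status git commit "
                 + "cd ls vim make ./a.out ls cat ls").split()
NORMAL_SESSION = ("cd ls vim make ./a.out ls " * 2).split()
SUSPECT_SESSION = "cd ls wget chmod nc crontab".split()


def build_library(stream, max_len=MAX_LEN):
    """Every run of 1..max_len consecutive commands, de-duplicated and sorted by
    weighted frequency (occurrences * length), heaviest first."""
    counts = Counter(tuple(stream[i:i + n])
                     for n in range(1, max_len + 1)
                     for i in range(len(stream) - n + 1))
    weighted = {seq: c * len(seq) for seq, c in counts.items()}
    return sorted(weighted.items(), key=lambda kv: (-kv[1], kv[0]))


def stratify(library, cuts=(0.5, 0.2)):
    """Map each library sequence to a state by its weight relative to the heaviest
    entry: >=50% -> state 0, >=20% -> state 1, else state 2 (cuts are assumptions)."""
    top = library[0][1]

    def state(w):
        for s, frac in enumerate(cuts):
            if w >= frac * top:
                return s
        return len(cuts)
    return {seq: state(w) for seq, w in library}


def to_states(stream, state_of, max_len=MAX_LEN):
    """Greedy longest-match segmentation of a command stream into library sequences,
    emitting one state per matched sequence: the state stream."""
    states, i = [], 0
    while i < len(stream):
        for n in range(max_len, 0, -1):
            seq = tuple(stream[i:i + n])
            if len(seq) == n and seq in state_of:   # len check: do not match a short tail as a long seq
                states.append(state_of[seq])
                i += n
                break
        else:
            states.append(UNKNOWN)
            i += 1
    return states


def fit_markov(states, n=N_STRATA + 1, alpha=ALPHA):
    """Initial distribution pi and transition matrix A estimated from a state
    stream, with additive smoothing so unseen states keep nonzero mass."""
    pi = [alpha] * n
    A = [[alpha] * n for _ in range(n)]
    pi[states[0]] += 1
    for a, b in zip(states, states[1:]):
        A[a][b] += 1
    pi = [p / sum(pi) for p in pi]
    A = [[x / sum(row) for x in row] for row in A]
    return pi, A


def decision_value(states, pi, A):
    """Mean log-probability per state of a short state sequence, scored as a
    chain started from pi; higher means closer to normal behaviour."""
    ll = math.log(pi[states[0]])
    for a, b in zip(states, states[1:]):
        ll += math.log(A[a][b])
    return ll / len(states)


def session_score(states, pi, A, window=WINDOW):
    """Worst decision value over sliding windows of the session's state stream."""
    if len(states) <= window:
        return decision_value(states, pi, A)
    return min(decision_value(states[i:i + window], pi, A)
               for i in range(len(states) - window + 1))


def train(stream):
    """Mine normal behaviour: library -> strata -> state stream -> Markov chain ->
    alarm threshold (worst training window minus MARGIN)."""
    state_of = stratify(build_library(stream))
    states = to_states(stream, state_of)
    pi, A = fit_markov(states)
    return state_of, pi, A, session_score(states, pi, A) - MARGIN


def is_anomalous(session, model):
    state_of, pi, A, threshold = model
    return session_score(to_states(session, state_of), pi, A) < threshold


if __name__ == "__main__":
    model = train(NORMAL_STREAM)
    state_of, pi, A, thr = model
    for name, session in (("normal", NORMAL_SESSION), ("suspect", SUSPECT_SESSION)):
        st = to_states(session, state_of)
        score = session_score(st, pi, A)
        print(f"{name:8s} states={st} score={score:.3f} threshold={thr:.3f} "
              f"anomalous={score < thr}")
```

With the constructed training stream the normal session segments entirely into frequent trigrams (state 0) and scores well above the threshold, while the suspicious session falls into the unknown state after its first known bigram and is flagged. The weak point a practitioner should watch is the unknown-state row of the transition matrix: with only smoothing counts it is uniform, so the penalty for an attacker comes from entering that state from a known one, not from staying in it; a session of nothing but unknown commands still scores low only because the initial distribution gives the unknown state little mass.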

Perspectives

The improved algorithm introduces the concept of multi-order frequencies and proposes a new separation mechanism, integrated into the variable-length model as an extension module. Comparing the old and new separation mechanisms on the SEA dataset and on a self-made dataset (SD) shows that the improved model markedly raises detection performance and shortens the running time.

Liu Xiaomei

Read the Original

This page is a summary of: Real-time anomaly attack detection based on an improved variable length model, Journal of Computational Methods in Sciences and Engineering, May 2023, IOS Press, DOI: 10.3233/jcm-226663.
