基于shell命令的内部攻击检测

计算机与现代化 ›› 2021, Vol. 0 ›› Issue (01): 56-60.

基于shell命令的内部攻击检测

(华北电力大学(北京)控制与计算机工程学院，北京102206)

出版日期:2021-01-28 发布日期:2021-01-29
作者简介:陈明帅（1994—），男，河南灵宝人，硕士研究生，研究方向：网络信息安全，E-mail: 871001691@qq.com；吴克河（1962—），男，江苏镇江人，教授，博士，研究方向：智能电网软件技术，电力信息安全。
基金资助:
国家电网总部科技项目（SGGR0000XTJS1900905）

Internal Attack Detection Based on Shell Command

(School of Control and Computer Engineering， North China Electric Power University， Beijing 102206， China)

Online:2021-01-28 Published:2021-01-29

摘要/Abstract

摘要： 信息系统不仅面临着外部攻击的威胁，同时也面临着来自系统内部的威胁。本文针对系统内部攻击，首先对信息系统的内部威胁和内部攻击进行简要阐述和分析。基于用户操作行为的一般规律，提出几种检测模型，通过对比检测结果找出检测效果好的检测模型。基于SEA公开数据集，采用词袋、TF-IDF、词汇表以及N-Gram几种方法进行特征提取，使用不同的机器学习算法建立检测模型，包括XGBoost算法、隐式马尔可夫和多层感知机(MLP)。结果显示：测试样本采用词袋+N-Gram特征模型和XGBoost学习算法的精确率和召回率较高，检测效果最好。

关键词: 内部攻击检测, 极端梯度提升决策树, 多层感知机, 隐式马尔可夫

Abstract: Information system not only faces the threat of external attack, but also faces the threat from the internal system. In this paper, aiming at the internal attacks of the system, the internal threats and internal attacks of the information system are briefly described and analyzed. Based on the general rules of user’s operation behavior, this paper proposes several detection models, and finds out a good detection model by comparing the detection results. Based on SEA open data set, feature extraction uses several methods, such as word bag, TF-IDF, vocabulary and N-Gram, and uses different machine learning algorithms to build detection model, including XGBoost algorithm, implicit Markov and multi-layer perceptron (MLP). The results show that the accuracy and recall rate of the test samples using the word bag+N-Gram feature model and XGBoost learning algorithm are high, and the detection effect is the best.

Key words: internal attack detection, XGBoost(extreme gradient boosting), MLP(multi-layer perceptron), implicit Markov

陈明帅, 吴克河. 基于shell命令的内部攻击检测[J]. 计算机与现代化, 2021, 0(01): 56-60.

CHEN Ming-shuai, WU Ke-he. Internal Attack Detection Based on Shell Command[J]. Computer and Modernization, 2021, 0(01): 56-60.

参考文献［22］

［1］	吴良秋. 浅析网络内部威胁［J］. 计算机时代, 2019(6):41-45.
［2］	王振辉,王振铎,姚全珠. 信息系统内部威胁检测技术研究［J］. 计算机系统应用, 2019,28(12):219-225.
［3］	SCHONLAU M, DUMOUCHEL W, JU W H, et al. Computer intrusion: Detecting masquerades［J］. Statistical Science, 2001,16(1):58-74.
［4］	杨光,吴钰. 内部攻击实验数据集浅析［J］. 电脑知识与技术, 2016,12(21):55-56.
［5］	MAXION R A, TOWNSEND T N. Masquerade detection using truncated command lines ［C］// Proceedings of the 2002 IEEE International Conference on Dependable Systems and Networks. 2002:219-228.
［6］	MAXION R A. Masquerade detection using enriched command lines［C］// Proceedings of the 2003 IEEE International Conference on Dependable Systems and Networks. 2003:5-14.
［7］	YUNG K H. Using self-consistent Naive-Bayes to detect masquerades［C］// Proceedings of the 8th Pacific-Asia Conference on Knowledge Discovery & Data Mining. 2004:329-340.
［8］	KIM H S, CHA S D. Empirical evaluation of SVM-based masquerade detection using UNIX commands［J］. Computers & Security, 2005,24(2):160-168.
［9］	汤雨欢,施勇,薛质. 基于用户命令序列的伪装入侵检测［J］. 通信技术, 2018,51(5):1148-1153.
［10］	田新广,段洣毅,程学旗. 基于shell命令和多重行为模式挖掘的用户伪装攻击检测［J］. 计算机学报, 2010,33(4):697-705.
［11］	王一丰,郭渊博,李涛,等. 一种小样本下的内部威胁检测方法研究［J］. 小型微型计算机系统, 2019,40(11):2330-2336.
［12］	WU H C, HUANG S H S. Masquerade detection using command prediction and association rules mining［C］// Proceedings of the 2009 IEEE International Conference on Advanced Information Networking and Applications. 2009:552-559.
［13］	田原. 基于深度学习的内部威胁检测方法研究［D］. 北京:北京工业大学, 2019.
［14］	Carnegie Mellon University. The SEI: The Leader in Software Engineering and Cyberseainty［EB/OL］. ［2020-04-20］. https://www.sei.cmu.edu.
［15］	肖喜,翟起滨,田新广,等. 基于Shell命令和多阶Markov链模型的用户伪装攻击检测［J］. 电子学报, 2011,39(5):1199-1204.
［16］	The UCI KDD Archive. KDD Cup 1999 Data［EB/OL］. ［2020-04-20］. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
［17］	SALEM M B, HERSHKOP S, STOLFO S J. A survey of insider attack detection research［M］// Advances in Information Security. Springer, 2008,39:69-90.
［18］	BENITO CAMIA J, HERNNDEZ-GRACIDAS C, MONROY R, et al. The Windows-users and -intruder simulations logs dataset (WUIL): An experimental framework for masquerade detection mechanisms［J］. Expert Systems with Applications, 2014,41(3):919-930.
［19］	郭晓明,孙丹. 基于朴素贝叶斯理论的内部威胁检测方法［J］. 计算机与现代化, 2017(7):101-106.
［20］	SPARCK JONES K. A statistical interpretation of term specificity and its application in retrieval［J］. Journal of Documentation, 1972,28(1):11-21.
［21］	CHEN T Q, GUESTRIN C. XGBoost: A scalable tree boosting system［C］// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. ACM, 2016:785-794.
［22］	ROSENBLATT F. Principles of Neurodynamics: Perceptrons and the Theory of Brain Mechanisms［M］. Spartan Book, 1962.