Internal Attack Detection Based on Shell Command

Abstract

Abstract: Information system not only faces the threat of external attack, but also faces the threat from the internal system. In this paper, aiming at the internal attacks of the system, the internal threats and internal attacks of the information system are briefly described and analyzed. Based on the general rules of user’s operation behavior, this paper proposes several detection models, and finds out a good detection model by comparing the detection results. Based on SEA open data set, feature extraction uses several methods, such as word bag, TF-IDF, vocabulary and N-Gram, and uses different machine learning algorithms to build detection model, including XGBoost algorithm, implicit Markov and multi-layer perceptron (MLP). The results show that the accuracy and recall rate of the test samples using the word bag+N-Gram feature model and XGBoost learning algorithm are high, and the detection effect is the best.

Key words: internal attack detection, XGBoost(extreme gradient boosting), MLP(multi-layer perceptron), implicit Markov

CHEN Ming-shuai, WU Ke-he. Internal Attack Detection Based on Shell Command[J]. Computer and Modernization, 2021, 0(01): 56-60.

References ［22］

［1］	吴良秋. 浅析网络内部威胁［J］. 计算机时代, 2019(6):41-45.
［2］	王振辉,王振铎,姚全珠. 信息系统内部威胁检测技术研究［J］. 计算机系统应用, 2019,28(12):219-225.
［3］	SCHONLAU M, DUMOUCHEL W, JU W H, et al. Computer intrusion: Detecting masquerades［J］. Statistical Science, 2001,16(1):58-74.
［4］	杨光,吴钰. 内部攻击实验数据集浅析［J］. 电脑知识与技术, 2016,12(21):55-56.
［5］	MAXION R A, TOWNSEND T N. Masquerade detection using truncated command lines ［C］// Proceedings of the 2002 IEEE International Conference on Dependable Systems and Networks. 2002:219-228.
［6］	MAXION R A. Masquerade detection using enriched command lines［C］// Proceedings of the 2003 IEEE International Conference on Dependable Systems and Networks. 2003:5-14.
［7］	YUNG K H. Using self-consistent Naive-Bayes to detect masquerades［C］// Proceedings of the 8th Pacific-Asia Conference on Knowledge Discovery & Data Mining. 2004:329-340.
［8］	KIM H S, CHA S D. Empirical evaluation of SVM-based masquerade detection using UNIX commands［J］. Computers & Security, 2005,24(2):160-168.
［9］	汤雨欢,施勇,薛质. 基于用户命令序列的伪装入侵检测［J］. 通信技术, 2018,51(5):1148-1153.
［10］	田新广,段洣毅,程学旗. 基于shell命令和多重行为模式挖掘的用户伪装攻击检测［J］. 计算机学报, 2010,33(4):697-705.
［11］	王一丰,郭渊博,李涛,等. 一种小样本下的内部威胁检测方法研究［J］. 小型微型计算机系统, 2019,40(11):2330-2336.
［12］	WU H C, HUANG S H S. Masquerade detection using command prediction and association rules mining［C］// Proceedings of the 2009 IEEE International Conference on Advanced Information Networking and Applications. 2009:552-559.
［13］	田原. 基于深度学习的内部威胁检测方法研究［D］. 北京:北京工业大学, 2019.
［14］	Carnegie Mellon University. The SEI: The Leader in Software Engineering and Cyberseainty［EB/OL］. ［2020-04-20］. https://www.sei.cmu.edu.
［15］	肖喜,翟起滨,田新广,等. 基于Shell命令和多阶Markov链模型的用户伪装攻击检测［J］. 电子学报, 2011,39(5):1199-1204.
［16］	The UCI KDD Archive. KDD Cup 1999 Data［EB/OL］. ［2020-04-20］. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html.
［17］	SALEM M B, HERSHKOP S, STOLFO S J. A survey of insider attack detection research［M］// Advances in Information Security. Springer, 2008,39:69-90.
［18］	BENITO CAMIA J, HERNNDEZ-GRACIDAS C, MONROY R, et al. The Windows-users and -intruder simulations logs dataset (WUIL): An experimental framework for masquerade detection mechanisms［J］. Expert Systems with Applications, 2014,41(3):919-930.
［19］	郭晓明,孙丹. 基于朴素贝叶斯理论的内部威胁检测方法［J］. 计算机与现代化, 2017(7):101-106.
［20］	SPARCK JONES K. A statistical interpretation of term specificity and its application in retrieval［J］. Journal of Documentation, 1972,28(1):11-21.
［21］	CHEN T Q, GUESTRIN C. XGBoost: A scalable tree boosting system［C］// Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. ACM, 2016:785-794.
［22］	ROSENBLATT F. Principles of Neurodynamics: Perceptrons and the Theory of Brain Mechanisms［M］. Spartan Book, 1962.