Netinfo Security (信息网络安全) ›› 2021, Vol. 21 ›› Issue (5): 31-38. doi: 10.3969/j.issn.1671-1122.2021.05.004

• Technical Research •

Research on Detection Method of User Abnormal Operation Based on Linux Shell Commands (基于Linux Shell命令的用户异常操作检测方法研究)

吴驰 (WU Chi), 帅俊岚 (SHUAI Junlan), 龙涛 (LONG Tao), 于俊清 (YU Junqing)()

  1. Network and Computation Center, Huazhong University of Science and Technology, Wuhan 430074, China
  • Received: 2020-11-15 Online: 2021-05-10 Published: 2021-06-22
  • Corresponding author: 于俊清 (YU Junqing) E-mail: yjqing@hust.edu.cn
  • About the authors: 吴驰 (WU Chi, born 1976), male, from Hubei, senior engineer, master's degree; main research interests: education informatization and network security | 帅俊岚 (SHUAI Junlan, born 1996), male, from Jiangxi, master's student; main research interest: intrusion detection | 龙涛 (LONG Tao, born 1974), male, from Hubei, senior engineer, PhD; main research interests: computer software and distributed computing | 于俊清 (YU Junqing, born 1975), male, from Inner Mongolia, professor, PhD; main research interests: digital media processing and retrieval, network security, multi-core computing and stream compilation
  • Funding:
    National Key R&D Program of China (2017YFB0801703); CERNET Next Generation Internet Technology Innovation Project (NGII20170408)

Research on Detection Method of User Abnormal Operation Based on Linux Shell Commands

WU Chi, SHUAI Junlan, LONG Tao, YU Junqing()   

  1. Network and Computation Center, Huazhong University of Science and Technology, Wuhan, 430074, China
  • Received:2020-11-15 Online:2021-05-10 Published:2021-06-22
  • Contact: YU Junqing E-mail:yjqing@hust.edu.cn

Abstract (translated from the Chinese):

To meet the security requirements of data centers, this paper studies and designs two abnormal operation detection methods, one rule-based and one based on command sequences, and on that basis implements an abnormal operation detection system for Linux Shell commands. The rule-based method designs a rule base matching algorithm to inspect the Shell commands executed by monitored users. The command-sequence method takes the historical command sequences of legitimate users as the training set, builds a user behaviour feature library from them, and applies an abnormal command sequence detection algorithm to decide whether a monitored user's operations are anomalous. Experimental results show that, in a university data center environment, the rule-based method achieves high detection efficiency and the command-sequence method achieves high detection accuracy, so together they can satisfy a data center's need to detect anomalies in the Shell commands its users execute.

Keywords (translated from the Chinese): Linux Shell, anomaly detection, rule base, command sequence

Abstract:

To address the security requirements of data centers, this paper studies and designs two abnormal operation detection methods, one rule-based and one based on command sequences, and implements an abnormal operation detection system for Linux Shell commands on top of them. In the rule-based module, a rule base matching algorithm is designed to inspect the Shell commands executed by monitored users. In the command-sequence module, the user behaviour feature library is built from the historical command sequences of legitimate users, which serve as the training set, and an abnormal command sequence detection algorithm is used to decide whether a monitored user's operations are anomalous. The experimental results show that, in a university data center environment, the rule-based method has high detection efficiency and the command-sequence method has high detection accuracy, so together they meet the data center's requirement to detect anomalies in the Shell commands its users execute.
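The two stages the abstract describes, as an added illustration that is not the paper's own code: a small rule base matched against each Shell command line, and a behaviour feature library built from a user's legitimate command history as n-grams of command names, against which a monitored session is scored by the fraction of n-grams it contains that the library never saw. The rule patterns, the n-gram feature choice, the threshold and the sample data are all constructed assumptions; the paper's actual rule library and sequence algorithm are not on this page.

```python
"""Toy two-stage detector: rule-base matching plus command-sequence profiling."""
import re
from collections import Counter

# Constructed rule base (pattern, rule name); the paper's own rules are not on the page.
RULE_BASE = [
    (re.compile(r"^rm\s+-\w*r\w*\s+/(\s|$)"), "recursive delete of root"),
    (re.compile(r"^chmod\s+777\s+"), "world-writable permission"),
    (re.compile(r"^cat\s+/etc/shadow\b"), "read password hashes"),
]

def match_rules(command):
    """Return the names of every rule the command line triggers."""
    return [name for pattern, name in RULE_BASE if pattern.search(command.strip())]

def command_names(lines):
    """Reduce each shell line to its first token, i.e. the command name."""
    return [line.strip().split()[0] for line in lines if line.strip()]

def build_profile(history, n=2):
    """Behaviour feature library: counts of command-name n-grams seen in the
    legitimate history (n=2 assumed; the paper's feature choice is not stated)."""
    names = command_names(history)
    return Counter(tuple(names[i:i + n]) for i in range(len(names) - n + 1))

def sequence_anomaly_score(profile, session, n=2):
    """Fraction of the session's n-grams absent from the profile (0.0 = all seen)."""
    names = command_names(session)
    grams = [tuple(names[i:i + n]) for i in range(len(names) - n + 1)]
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in profile) / len(grams)

def detect(profile, session, threshold=0.5):
    """Run both stages: rule hits are reported per line, and the whole session is
    flagged when its unseen-n-gram fraction exceeds the (assumed) threshold."""
    rule_hits = {line: hits for line in session if (hits := match_rules(line))}
    score = sequence_anomaly_score(profile, session)
    return {"rule_hits": rule_hits, "score": score, "sequence_anomalous": score > threshold}

# Constructed sample data: a web administrator's normal history and a suspicious session.
HISTORY = ["cd /var/www", "ls -la", "git pull", "systemctl restart nginx", "tail -f access.log",
           "cd /var/www", "ls -la", "git status", "git pull", "systemctl restart nginx"]
SESSION = ["cat /etc/shadow", "chmod 777 /var/www", "rm -rf /", "ls -la"]

if __name__ == "__main__":
    print(detect(build_profile(HISTORY), SESSION))
```

The rule stage catches individual dangerous lines regardless of who runs them, while the sequence stage catches a session whose command mix departs from that user's own profile even when no single line trips a rule.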

Key words: Linux Shell, anomaly detection, rule base, command sequence
