
Host User Behavior-based Intrusion Detection Technology Research

Posted on: 2006-02-26
Degree: Master
Type: Thesis
Country: China
Candidate: X Xiao
Full Text: PDF
GTID: 2208360182968981
Subject: Communication and Information System
Abstract/Summary:
With the rapid development of computer and network technologies, computer systems have grown into complicated, interconnected, open systems, which makes the problems of intrusion detection more serious. Intrusion detection technology, as an effective countermeasure, is becoming a hot topic in network security. Against this background, this paper presents in detail research on intrusion detection based on user behavior data collected from the host, and analyzes and discusses key technologies such as the detection algorithm.

First, the paper gives a general analysis of intrusion detection technologies and methods, followed by the research on host user behavior data. Different collection methods are used depending on the operating system: on Linux, we use log information; on Windows, we obtain API function calls using Detours. By analyzing the data from the different operating systems, the paper discusses the process of building the intrusion detection database, and analyzes and discusses the standardization and filtering steps.

Then, we analyze the detection algorithm. This algorithm is the difficult point in implementing the system and also the key point of this paper. Most intrusion detection begins with the analysis of user command sequences, which in effect becomes the logical process of intrusion detection. This kind of analysis is similar to sequence alignment. Building on this similarity, we use the characteristics of intrusions to modify the Smith-Waterman algorithm. The modified algorithm consists of a special setting of the score function and a special choice of training data.

Finally, we test the algorithm with standard data and with collected data, and analyze the results chiefly in three respects: the choice of threshold, the choice of score function, and three parameters of the test. A comparison of six different algorithms shows that our modified algorithm can raise the hit rate effectively and can be used in real-time detection.
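To make the sequence-alignment idea concrete, here is an added example (not code from the thesis) that scores a session's command sequence against a user's historical sequence with plain Smith-Waterman local alignment. The match, mismatch and gap scores, the normalisation, the 0.5 threshold and the sample command sequences are all assumptions made for illustration; the thesis's modified score function is not given in the abstract.

```python
# Added illustration: unmodified Smith-Waterman over shell command tokens.
# Scoring values and threshold are assumed, not taken from the thesis.
MATCH, MISMATCH, GAP = 2, -1, -1


def sw_score(signature, session, match=MATCH, mismatch=MISMATCH, gap=GAP):
    """Best local alignment score between two command sequences."""
    prev = [0] * (len(session) + 1)   # previous row of the DP matrix
    best = 0
    for cmd_a in signature:
        curr = [0]
        for j, cmd_b in enumerate(session, start=1):
            diag = prev[j - 1] + (match if cmd_a == cmd_b else mismatch)
            # Local alignment: a cell never drops below 0, so a bad prefix
            # does not penalise a well-matching region later on.
            cell = max(0, diag, prev[j] + gap, curr[j - 1] + gap)
            curr.append(cell)
            best = max(best, cell)
        prev = curr
    return best


def similarity(signature, session):
    """Score divided by the score of a session that matches in full."""
    if not session:
        return 0.0
    return sw_score(signature, session) / (MATCH * len(session))


def is_anomalous(signature, session, threshold=0.5):
    """Flag a session that aligns poorly with the user's history."""
    return similarity(signature, session) < threshold


# Constructed sample data: one user's training sequence and three test sessions.
SIGNATURE = "cd ls vi make gcc ls cd ls vi make gdb ls".split()
NORMAL = "ls vi make gcc ls".split()      # contiguous run from the history
VARIANT = "ls vi gcc ls".split()          # same habit with one command skipped
ODD = "wget chmod nc ls rm".split()       # shares only a single command

if __name__ == "__main__":
    for name, sess in (("normal", NORMAL), ("variant", VARIANT), ("odd", ODD)):
        print(name, sw_score(SIGNATURE, sess), round(similarity(SIGNATURE, sess), 2),
              is_anomalous(SIGNATURE, sess))
```

The gap penalty is what lets the skipped-command session still score close to the user's history, which is the tolerance to small behavioural variation that motivates alignment over exact sequence matching.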
Keywords/Search Tags:intrusion detection, user behavior data, sequence alignment, detection algorithm