Research On Detection Method Of User Abnormal Operation Based On Linux Shell

Posted on: 2021-06-26
Degree: Master
Type: Thesis
Country: China
Candidate: J L Shuai
GTID: 2518306107950009
Subject: Computer technology

Abstract/Summary:
As a kind of infrastructure, data centers are widely used in all walks of life, and their security problems have attracted wide attention. Data centers usually rely on traditional protection methods such as network firewalls and user access control to defend against external intrusion. However, from the perspective of the data center's internal security mechanisms, these methods struggle to guard against abnormal operations by users, and they are complex to configure and manage.

To address these shortcomings, an anomaly detection system based on the Linux Shell is designed and implemented. It includes three modules: log collection and preprocessing, rule-based anomaly detection, and command sequence-based anomaly detection. The log collection and preprocessing module collects the logs of the legitimate user's historical commands and the monitored user's current commands. After preprocessing, the data is converted into command sequences, ready for abnormal operation detection. The rule-based anomaly detection module implements a rule base model and a management interface, which give administrators unified management. If the rule base matching algorithm judges a command executed by a monitored user to be abnormal, the session is interrupted immediately. The command sequence-based detection module builds a user behavior feature library, using the legitimate user's historical command sequences as the training set. Using the abnormal command sequence detection algorithm, it calculates the similarity between the command sequence executed by the monitored user and the legitimate user's feature library, and uses that similarity to determine whether the monitored user's operation is abnormal.

The experiment uses log data from a server in the campus data center, and analyzes rule-based and command sequence-based abnormal operation detection in terms of detection efficiency and detection accuracy. The results show that the former has high detection efficiency and the latter has high detection accuracy, which meets the data center's requirements for detecting Shell commands executed by users. However, anomaly detection over other indicators, such as server network communication and resource usage, needs further study.
Keywords/Search Tags:Linux Shell, Anomaly detection, Rule base, Command sequence
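
The abstract does not state which similarity measure the thesis uses, so the following is an added illustration, not the thesis's own code: it scores a monitored session by the fraction of its command n-grams that occur in a library built from a legitimate user's history. The n-gram length, the threshold, all function names and the sample histories are assumptions constructed for this example.

```python
from collections import Counter

N = 3            # n-gram length (assumed, not from the thesis)
THRESHOLD = 0.5  # sessions scoring below this are flagged (assumed)

def to_sequence(history_lines):
    """Preprocess raw shell history lines into a sequence of command names."""
    seq = []
    for line in history_lines:
        # Treat each stage of a pipeline or command list as its own command.
        for part in line.replace("&&", ";").replace("|", ";").split(";"):
            tokens = part.split()
            # Drop a leading sudo and VAR=value environment assignments.
            while tokens and (tokens[0] == "sudo" or "=" in tokens[0]):
                tokens.pop(0)
            if tokens:
                seq.append(tokens[0].rsplit("/", 1)[-1])  # /usr/bin/ls -> ls
    return seq

def ngrams(seq, n=N):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]

def build_library(sessions, n=N):
    """Feature library: counts of n-grams seen in the legitimate history."""
    library = Counter()
    for session in sessions:
        library.update(ngrams(to_sequence(session), n))
    return library

def similarity(session, library, n=N):
    """Fraction (0..1) of the session's n-grams that occur in the library."""
    grams = ngrams(to_sequence(session), n)
    if not grams:
        return 1.0  # too short to judge; do not flag on no evidence
    return sum(1 for g in grams if g in library) / len(grams)

def is_abnormal(session, library, threshold=THRESHOLD):
    return similarity(session, library) < threshold

# Constructed sample data: two training sessions and two monitored sessions.
LEGIT = [
    ["cd /var/www", "git pull", "make build", "make test",
     "sudo systemctl restart app"],
    ["cd /var/www", "git status", "git pull", "make build", "make test"],
]
FAMILIAR = ["cd /var/www", "git pull", "make build", "make test"]
UNFAMILIAR = ["cd /var/www", "git pull", "cat /etc/shadow",
              "tar czf /tmp/out.tgz /etc", "scp /tmp/out.tgz user@host.example:"]

if __name__ == "__main__":
    lib = build_library(LEGIT)
    for name, s in (("familiar", FAMILIAR), ("unfamiliar", UNFAMILIAR)):
        print(name, round(similarity(s, lib), 2), is_abnormal(s, lib))
```

A session that starts with familiar commands still scores low once its n-grams diverge from the library, which is why the score is computed over the whole window rather than per command.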