中文摘要：

异常检测是目前网络入侵检测领域研究的热点内容．提出一种基于shell命令和隐Markov模型（HMM）的网络用户行为异常检测方法，该方法利用shell会话中用户执行的shell命令作为原始审计数据，采用特殊的HMM在用户界面层建立网络合法用户的正常行为轮廓．HMM的训练中采用了运算量较小的序列匹配方法，与传统的Baum—Welch训练算法相比，训练时间有较大幅度的降低．在检测阶段，基于状态序列出现概率对被监测用户当前行为的异常程度进行分析，并考虑到审计数据和用户行为的特点，采用了较为特殊的判决准则．同现有的基于HMM和基于实例学习的检测方法相比，文中提出的方法兼顾了计算成本和检测准确度，特别适用于在线检测．该方法已应用于实际入侵检测系统，并表现出良好的检测性能．

英文摘要：

Anomaly detection is an active research topic in network intrusion detection. This paper presents a novel method for detecting anomalous user behavior based on shell commands and hidden Markov models （HMM）. The method constructs a specific HMM to represent the normal behavior profile of a network user, and associates classes of user behavior patterns with states of the HMM. The HMM parameters are calculated with a sequence matching algorithm which is much simpler than the classical Baum-Weleh algorithm. This reduces computational complexity to a great extent. At the detection stage, a decision rule based on probabilities of short state sequences is adopted, and more than one threshold are used to classify the user behavior. Performance of the method is tested in computer simulation, showing high detection accuracy and efficiency.