Masquerade detection is currently an active research topic in the field of network security. This paper presents a novel method for detecting masquerade attacks based on hidden Markov models (HMMs), which applies to host-based intrusion detection systems using Unix or Linux shell commands as audit data. The method employs multiple command sequences of different lengths to represent the behavioral patterns of a legitimate user and constructs a specific HMM to characterize the normal behavior profile of the user. Moreover, the adaptability and precision of user profiling are definitely taken into account. During training, the parameters of the HMM are calculated by parallel computing that is less computationally expensive than the classic Baum-Welch algorithm. At the detection stage, the occurrence probabilities of short state sequences are first computed to analyze behavior deviations that may indicate masquerade attacks, and two alternative decision schemes can be used to classify the monitored user’s behavior as normal or anomalous. The method addresses both detection accuracy and computational efficiency and is especially suitable for online detection. Our study empirically demonstrates the promising performance of the method.

伪装检测是当前在网络安全领域中活跃的研究主题。本文提出了一种基于隐马尔可夫模型（HMM）的伪装攻击检测方法，该方法适用于使用Unix或Linux Shell命令作为审核数据的基于主机的入侵检测系统。该方法采用不同长度的多个命令序列来表示合法用户的行为模式，并构造一个特定的HMM来表征用户的正常行为特征。而且，绝对要考虑用户配置文件的适应性和准确性。在训练期间，HMM的参数是通过并行计算来计算的，而并行计算的计算量比经典的Baum-Welch算法要便宜。在检测阶段，首先，要计算短状态序列的出现概率，以分析可能表示化装舞会的行为偏差，并且可以使用两种替代决策方案将受监视用户的行为分类为正常还是异常。该方法兼具检测精度和计算效率，特别适合在线检测。我们的研究从经验上证明了该方法的前景。