A Fuzzy Approach to User-level Intrusion Detection
International Journal of Fuzzy Systems ( IF 3.6 ) Pub Date : 2020-11-22 , DOI: 10.1007/s40815-020-00947-1
Wei Liu , Yu Mao , Linlin Ci , Fuquan Zhang

Traditionally, researchers have focused on network-level and program-level intrusion detection to improve computer security. Neither approach is foolproof: a successful attacker typically ends up as a user on the host, with either elevated or normal user privileges, because research and technology development have concentrated on external threats rather than internal ones. User-level intrusion detection attempts to deter and curtail an attacker even after the system has been compromised. This paper proposes a novel method for anomaly detection of user behavior. To cope with the complexity and fluctuation of user behavior, the method builds a finite automaton that profiles the user's normal behavior from the closeness of commands within patterns and from the timing-sequence and frequency information between patterns. This gives the discrete training data a holistic structure that expresses the user's normal behavior more accurately. In the detection stage, the method builds a threat evaluation system using fuzzy logic. Experimental results on the Purdue University and SEA data sets and on self-collected data show that the proposed approach achieves accurate, effective and efficient detection.
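As an added illustration of the two-stage idea sketched in the abstract (a transition automaton of normal command behaviour, then a fuzzy threat evaluation over deviations from it), the following Python is example code written for this page, not the authors' implementation. The profile structure, the two features (share of unseen transitions, log shift in command pacing), the membership functions, the rule set and the singleton outputs are all simplifying assumptions, and every session is constructed.

```python
"""Toy user-level anomaly detector: automaton profile + fuzzy threat score.
Illustrative code only; feature definitions, membership functions and rules
are assumptions, and all command sessions below are constructed."""
import math
from collections import Counter, defaultdict
from statistics import mean

# Constructed training data: (command, seconds since previous command) for a
# hypothetical developer account over three normal sessions.
NORMAL_SESSIONS = [
    [("ls", 0), ("cd", 3), ("vim", 5), ("make", 40), ("./a.out", 8), ("git", 20)],
    [("cd", 0), ("ls", 2), ("vim", 6), ("make", 35), ("git", 15), ("ls", 4)],
    [("ls", 0), ("vim", 4), ("make", 50), ("./a.out", 10), ("vim", 30), ("make", 45)],
]


class Profile:
    """Automaton of normal behaviour: state = last command, edge weight =
    how often the next command followed it, plus the user's typical pacing."""

    def __init__(self, sessions):
        self.edges = defaultdict(Counter)
        gaps = []
        for s in sessions:
            for (prev, _), (cur, gap) in zip(s, s[1:]):
                self.edges[prev][cur] += 1
                gaps.append(gap)
        self.gap_mean = mean(gaps)

    def seen(self, prev, cur):
        # Counter lookup returns 0 for a missing key without inserting it.
        return prev in self.edges and self.edges[prev][cur] > 0


def features(profile, session):
    """novelty: share of command transitions never seen in training.
    shift: |ln(session mean gap / profile mean gap)|, so a scripted burst
    and a long idle stall both register as a pacing change."""
    cmds = [c for c, _ in session]
    trans = list(zip(cmds, cmds[1:]))
    if not trans:
        return 0.0, 0.0
    novelty = sum(not profile.seen(a, b) for a, b in trans) / len(trans)
    gaps = [g for _, g in session[1:]]
    shift = abs(math.log(max(mean(gaps), 1e-3) / profile.gap_mean))
    return novelty, shift


def ramp_up(x, lo, hi):
    """Membership that rises linearly from 0 at lo to 1 at hi."""
    return min(1.0, max(0.0, (x - lo) / (hi - lo)))


def threat_score(novelty, shift):
    """Fuzzy threat evaluation: min for AND, max for OR in the antecedents;
    each rule fires a singleton (0.1 low, 0.5 medium, 0.9 high) and the
    score is their weighted average (Sugeno-style defuzzification)."""
    nov_high = ramp_up(novelty, 0.2, 0.6)
    nov_low = 1.0 - nov_high
    pace_abn = ramp_up(shift, 0.7, 2.0)   # about 2x faster or slower starts to count
    pace_norm = 1.0 - pace_abn
    rules = [
        (min(nov_high, pace_abn), 0.9),   # unfamiliar commands AND odd pacing -> high
        (min(nov_low, pace_norm), 0.1),   # familiar commands AND usual pacing -> low
        (max(min(nov_high, pace_norm), min(nov_low, pace_abn)), 0.5),  # one of the two -> medium
    ]
    total = sum(w for w, _ in rules)
    return sum(w * out for w, out in rules) / total if total else 0.0


def evaluate(profile, session):
    """Threat score in [0, 1] for one session against a trained profile."""
    novelty, shift = features(profile, session)
    return round(threat_score(novelty, shift), 3)


if __name__ == "__main__":
    prof = Profile(NORMAL_SESSIONS)
    # Constructed test sessions: the same user at work, an intruder dropping a
    # payload at script speed, and unfamiliar commands at the user's usual pace.
    for label, sess in [
        ("normal", [("ls", 0), ("cd", 2), ("vim", 5), ("make", 40), ("git", 20)]),
        ("intruder", [("wget", 0), ("chmod", 1), ("./x", 1), ("nc", 2), ("cat", 1)]),
        ("mixed", [("ls", 0), ("cd", 3), ("sudo", 5), ("cat", 30), ("ls", 10)]),
    ]:
        print(label, evaluate(prof, sess))
```

The "mixed" session is the case a fuzzy evaluator handles more gracefully than a hard threshold: the commands are new to the profile but the pacing is the user's own, so it lands on the medium singleton rather than being forced to either extreme. In a real deployment the profile would be trained on far more history per user, and the thresholds inside `ramp_up` would be fitted on held-out sessions rather than chosen by hand.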




Updated: 2020-11-22