Journal of ZheJiang University (Engineering Science)  2020, Vol. 54 Issue (9): 1761-1767    DOI: 10.3785/j.issn.1008-973X.2020.09.012
    
Risky accounts evaluation method of campus network
Huang-yao ZENG1, Dan-dan LI1, Yan MA1,*, Qun CONG2
1. Information Network Center, Institute of Network Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
2. Beijing Wrdtech Co. Ltd, Beijing 100082, China

Abstract  

The proposed method locates risky accounts by detecting risky devices from the accounts' URL access logs. Access-behavior characteristics, such as the dispersion of device occurrences, the device multi-account risk level, and the percentage of charged networks, are extracted and quantified into feature vector sets. The feature vectors are clustered with a Gaussian mixture model (GMM) to obtain the probability that a device shows abnormal access behavior. The similarity of the URLs accessed by devices of the same type under the same account is calculated with the modified cosine similarity algorithm. The GMM result and the modified cosine similarity are then combined to give the evaluation result for risky accounts. The experimental results show that the method achieves a detection rate of 85% with a false alarm rate below 5%, which helps detect risky accounts promptly in a campus network environment with a small range of IP addresses and infrequent account logins.



Key words: uniform resource locator (URL); campus network; risk assessment; Gaussian mixture model (GMM); cosine similarity
Received: 30 July 2019      Published: 22 September 2020
CLC:  TP 302  
Corresponding Authors: Yan MA     E-mail: molunerfinn@gmail.com;mayan@bupt.edu.cn
Cite this article:

Huang-yao ZENG,Dan-dan LI,Yan MA,Qun CONG. Risky accounts evaluation method of campus network. Journal of ZheJiang University (Engineering Science), 2020, 54(9): 1761-1767.

URL:

http://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2020.09.012     OR     http://www.zjujournals.com/eng/Y2020/V54/I9/1761


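Risky account evaluation method for campus networks

Based on the URL access logs of accounts, risky accounts are located by detecting risky devices. Access-behavior features such as the dispersion of device occurrences, the device multi-account risk level and the percentage of charged networks are extracted and quantified into a set of feature vectors. A Gaussian mixture model (GMM) clusters the resulting feature vectors to give the probability that a device shows abnormal access behavior. The modified cosine similarity algorithm is used to calculate how similar the URLs accessed by devices of the same type under the same account are. The GMM clustering result and the modified cosine similarity result are combined to obtain the evaluation result for risky accounts. The experimental results show that the method reaches a detection rate of 85% while keeping the false alarm rate below 5%, and can detect risky accounts promptly in a campus network environment with a small IP address range and a low account login frequency.


Keywords: uniform resource locator (URL), campus network, risk assessment, Gaussian mixture model (GMM), cosine similarity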
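| Field | Meaning |
| --- | --- |
| TIME | Access time |
| LABEL | Access label |
| MAC | Device MAC address |
| URL | Accessed URL |
| DEVICE | Device type |
| POS | Geographic location of the device access |
| USER | User account |
| IP | IP address accessed by the device |
| SSID | Service set identifier accessed by the device |

Tab.1 Storage field of user URL access log dataset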
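The similarity step described in the abstract, sketched over records that carry the Tab.1 fields USER, MAC, DEVICE and URL. This is an added example, not the authors' code: the page does not give the formula, so centring each device's host-count vector on its own mean is an assumption, as are the sample records and all function names.

```python
from collections import defaultdict
from itertools import combinations
from math import sqrt
from urllib.parse import urlsplit

# Constructed sample: (USER, MAC, DEVICE, URL, hits). Not real log data.
_SAMPLE = [
    ("u1001", "02:00:00:00:00:0a", "phone", "http://mail.example/inbox", 3),
    ("u1001", "02:00:00:00:00:0a", "phone", "http://lib.example/search", 2),
    ("u1001", "02:00:00:00:00:0a", "phone", "http://news.example/", 1),
    ("u1001", "02:00:00:00:00:0b", "phone", "http://game.example/play", 4),
    ("u1001", "02:00:00:00:00:0b", "phone", "http://video.example/v", 2),
    ("u1002", "02:00:00:00:00:0c", "phone", "http://mail.example/inbox", 3),
    ("u1002", "02:00:00:00:00:0c", "phone", "http://lib.example/search", 2),
    ("u1002", "02:00:00:00:00:0c", "phone", "http://news.example/", 1),
    ("u1002", "02:00:00:00:00:0d", "phone", "http://mail.example/inbox", 2),
    ("u1002", "02:00:00:00:00:0d", "phone", "http://lib.example/opac", 2),
    ("u1002", "02:00:00:00:00:0d", "phone", "http://news.example/", 1),
]
LOGS = [dict(USER=u, MAC=m, DEVICE=d, URL=url)
        for u, m, d, url, n in _SAMPLE for _ in range(n)]

def host_counts(logs):
    """Group as (USER, DEVICE) -> MAC -> {host: hits}."""
    groups = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for r in logs:
        host = urlsplit(r["URL"]).hostname or r["URL"]
        groups[(r["USER"], r["DEVICE"])][r["MAC"]][host] += 1
    return groups

def centred_cosine(a, b):
    """Cosine of two host-count dicts after subtracting each device's mean."""
    hosts = sorted(set(a) | set(b))
    da = [a.get(h, 0) - sum(a.values()) / len(hosts) for h in hosts]
    db = [b.get(h, 0) - sum(b.values()) / len(hosts) for h in hosts]
    den = sqrt(sum(x * x for x in da)) * sqrt(sum(y * y for y in db))
    # A flat vector (e.g. one shared host only) carries no signal: return 0.
    return sum(x * y for x, y in zip(da, db)) / den if den else 0.0

def device_similarity(logs):
    """Pairwise similarity of same-type devices under each account."""
    return {(user, m1, m2): centred_cosine(macs[m1], macs[m2])
            for (user, _dev), macs in host_counts(logs).items()
            for m1, m2 in combinations(sorted(macs), 2)}
```

On the constructed data the two phones under u1001 score negative and the two under u1002 score high. How the score is thresholded and combined with the GMM probability is not stated on this page.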
| Actual result / Clustering result | Risky | Not risky |
| --- | --- | --- |
| Risky | TP=11 737 | FN=2 044 |
| Not risky | FP=11 573 | TN=73 121 |

Tab.2 Results of Gaussian mixture model (GMM) clustering
Fig.1 Values of 2,000 samples randomly selected on dispersion of device occurrences
Fig.2 Values of 2,000 samples randomly selected on device multi-account risk level
Fig.3 Values of 2,000 samples randomly selected on percentage of charged network
Fig.4 Proportion of 2,000 samples randomly selected on opposing position risk levels
Fig.5 Values of 2,000 samples randomly selected on similarity of device access URLs