全特征信息均衡建模的内部威胁人物检测

doi:10.3785/j.issn.1008-973X.2019.04.019

浙江大学学报(工学版)

2019, Vol. 53

Issue (4): 777-784 DOI: 10.3785/j.issn.1008-973X.2019.04.019

自动化技术

全特征信息均衡建模的内部威胁人物检测

刘宇(

),罗森林,曲乐炜,潘丽敏*,张笈

北京理工大学信息与电子学院，北京 100081

Full-featured information equalization modeling for insider threat detection

Yu LIU(

),Sen-lin LUO,Le-wei QU,Li-min PAN*,Ji ZHANG

School of Information and Electronics, Beijing Institute of Technology, Beijing 100081, China

全文: PDF(833 KB) HTML

摘要：

针对目前内部威胁人物检测准确率低及高维数据特征信息利用不全的问题，提出全特征信息均衡建模的内部威胁人物检测方法. 该方法对组织内部产生的多源数据进行特征提取和构建，通过对所有特征进行交叉分组，利用交叉分组后的特征进行孤立森林模型构建，提高模型构建过程中对数据特征信息利用的均衡性，利用生成的孤立森林模型进行内部威胁人物检测. 实验结果表明，该方法在CERT-IT（v4.2）内部威胁人物数据集上具有较高F₁，且算法效率高，能够有效地用于内部威胁人物检测.

关键词： 内部威胁人物; 异常检测; 孤立森林算法; 交叉分组; 行为日志

Abstract:

A method that used full-featured information equalization modeling for insider threat detection was proposed in view of the current problems of low accuracy of insider threat detection and incomplete utilization of high-dimensional data feature information. The features of the multi-source data generated within the organization were extracted and constructed. Then all the features were cross-grouped, and the cross-grouped features were used to construct the isolation forest model with improving the balance of the use of data feature information in the process of model building. The generated isolation forest model was used for insider threat detection. The experimental results show that the method has a higher F₁ value on the CERT-IT (v4.2) insider threat figures data set, and the efficiency of the algorithm is high. The algorithm can be effectively used for insider threat detection.

Key words: insider threat anomaly detection isolation forest algorithm cross-grouping behavior log

收稿日期: 2018-03-30 出版日期: 2019-03-28

CLC:

TP 399

通讯作者: 潘丽敏 E-mail: yuliu0319@gmail.com

作者简介: 刘宇(1993—)，男，硕士生，从事信息安全的研究. orcid.org/0000-0003-3726-6702. E-mail: yuliu0319@gmail.com

	服务
	把本文推荐给朋友
	加入引用管理器
	E-mail Alert
	作者相关文章
	刘宇
	罗森林
	曲乐炜
	潘丽敏
	张笈

引用本文:

刘宇,罗森林,曲乐炜,潘丽敏,张笈. 全特征信息均衡建模的内部威胁人物检测[J]. 浙江大学学报(工学版), 2019, 53(4): 777-784.

Yu LIU,Sen-lin LUO,Le-wei QU,Li-min PAN,Ji ZHANG. Full-featured information equalization modeling for insider threat detection. Journal of ZheJiang University (Engineering Science), 2019, 53(4): 777-784.

链接本文:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2019.04.019 或 http://www.zjujournals.com/eng/CN/Y2019/V53/I4/777

图 1 内部威胁人物检测方法原理图

表 1 CERT-IT数据源详细信息

表 2 用于内部威胁人物检测评价指标计算的混淆矩阵

图 2 均衡建模交叉因子选择实验结果

图 3 全特征信息均衡建模对比实验结果

图 4 内部威胁人物检测效果对比实验结果

表 3 内部威胁人物检测算法运行时间对比实验结果

1	COOPERS P. Turnaround and transformation in cyber security: key findings from the global state of information security survey 2016 [EB/OL]. [2018-06-12]. https://www.pwc.com/sg/en/publications/assets/pwc-global-state-of-information-security-survey-2016.pdf.
2	FORCEPOINT Security team. 2016 global threat report [R/OL].[2018-06-12]. https://www.forcepoint.com/sites/default/files/resources/files/forcepoint_2016_global_threat_report_en_0.pdf.
3	CAPPELLI D M, MOORE A P, TRZECIAK R F. The CERT guide to insider threats: how to prevent, detect, and respond to information technology crimes [M]. Boston: Wesley, 2012.
4	ALAHMADI B A, LEGG P A, NURSE J R C. Using Internet activity profiling for insider-threat detection [C] // International Workshop on Security in Information Systems. Barcelona: ICEIS, 2015: 709–720.
5	KAMMüLLER F, PROBST C W Modeling and verification of insider threats using logical analysis[J]. IEEE Systems Journal, 2017, 11 (2): 534- 545 doi: 10.1109/JSYST.2015.2453215
6	黄铁, 张奋基于隐马尔可夫模型的内部威胁检测方法[J]. 计算机工程与设计, 2010, 31 (5): 965- 968 HUANG Tie, ZHANG Fen Method of insider threat detection based on hidden Markov model[J]. Computer Engineering and Design, 2010, 31 (5): 965- 968
7	ELDARDIRY H, BART E, LIU J, et al. Multi-domain information fusion for insider threat detection [C] // 2013 IEEE Symposium on Security and Privacy. San Francisco: IEEE, 2013: 45–51.
8	MESSERMAN A, MUSTAFI? T, CAMTEPE S A, et al. Continuous and non-intrusive identity verification in real-time environments based on free-text keystroke dynamics [C] // International Joint Conference on Biometrics. Washington DC: IEEE, 2011: 1–8.
9	李全刚, 时金桥, 秦志光, 等面向邮件网络事件检测的用户行为模式挖掘[J]. 计算机学报, 2014, (5): 1135- 1146 LI Quan-gang, SHI Jin-qiao, QIN Zhi-guang, et al Mining user behavior patterns for event detection in Email networks[J]. Chinese Journal of Computers, 2014, (5): 1135- 1146
10	CAMINA J B, HERNANDEZ-GRACIDAS C, MONROY R, et al The Windows-users and intruder simulations logs dataset (WUIL): an experimental framework for masquerade detection mechanisms[J]. Expert Systems with Applications, 2014, 41 (3): 919- 930 doi: 10.1016/j.eswa.2013.08.022
11	文雨, 王伟平, 孟丹面向内部威胁检测的用户跨域行为模式挖掘[J]. 计算机学报, 2016, 39 (8): 1555- 1569 WEN Yu, WANG Wei-ping, MENG Dan Mining user cross-domain behavior patterns for insider threat detection[J]. Chinese Journal of Computers, 2016, 39 (8): 1555- 1569
12	BRDICZKA O, LIU J, PRICE B, et al. Proactive insider threat detection through graph learning and psychological context [C] // 2012 IEEE Symposium on Security and Privacy. San Francisco: IEEE, 2012: 142–149.
13	GLASSER J, LINDAUER B. Bridging the gap: a pragmatic approach to generating insider threat data [C] // 2013 IEEE Symposium on Security and Privacy. San Francisco: IEEE, 2013: 98–104.

[1]	魏媛,冯天恒,黄平捷,侯迪波,张光新. 管网水质多指标动态关联异常检测方法[J]. 浙江大学学报(工学版), 2016, 50(7): 1402-1409.
[2]	何慧梅, 侯迪波, 赵海峰, 黄平捷, 张光新. 基于多因子融合的水质异常检测算法[J]. J4, 2013, 47(4): 735-740.
[3]	黄金钟朱淼良郭晔. 基于文法的异常检测[J]. J4, 2006, 40(2): 243-248.

Viewed

Full text

Abstract

Cited

Shared

Discussed