Journal of Zhejiang University (Engineering Science)  2019, Vol. 53 Issue (4): 777-784    DOI: 10.3785/j.issn.1008-973X.2019.04.019
Automation Technology

Full-featured information equalization modeling for insider threat detection
(Chinese title: 全特征信息均衡建模的内部威胁人物检测)
Yu LIU, Sen-lin LUO, Le-wei QU, Li-min PAN*, Ji ZHANG
School of Information and Electronics, Beijing Institute of Technology, Beijing 100081, China
Abstract:

Current insider threat detection suffers from low accuracy and from incomplete use of the information carried by high-dimensional feature data. To address this, a detection method based on full-featured information equalization modeling is proposed. Features are first extracted and constructed from the multi-source data generated inside an organization (Table 1). All features are then cross-grouped, and the cross-grouped feature sets are used to build an isolation forest model, so that feature information is used in a balanced way during model construction. The resulting isolation forest is used to detect insider threat actors. Experiments on the CERT-IT (v4.2) insider threat dataset show that the method achieves a high F1 score and runs efficiently, so it can be applied effectively to insider threat detection.

Key words: insider threat    anomaly detection    isolation forest algorithm    cross-grouping    behavior log
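To make the modeling step in the abstract concrete, the following is an added example (written for this page, not the authors' code) of an isolation forest in which every tree is grown on one cross-group of features, scored over a constructed per-user feature table. The feature definitions, the user values and the cross-grouping rule (round-robin groups of three features, so every feature appears in exactly three groups and none is left out) are all assumptions; the page does not give the paper's feature set or its exact grouping rule. An isolation forest is unsupervised: a user's anomaly score reflects how few random axis-aligned splits are needed to isolate that user's vector, and a shorter average path length means more anomalous.

```python
"""Isolation forest over cross-grouped user-behaviour features (added example).

The per-user feature table and the round-robin cross-grouping rule are
constructed assumptions; they are not taken from the paper.
"""
import math
import random

# Constructed per-user feature vectors (one row per user, counts over a window):
#   0 after-hours logons, 1 removable-device connects, 2 file copies to
#   removable media, 3 e-mails with external recipients, 4 HTTP requests to
#   job-search sites, 5 distinct hosts logged on to.
USERS = {
    "u01": [0, 1, 2, 2, 0, 1],
    "u02": [1, 0, 3, 4, 1, 0],
    "u03": [2, 1, 1, 3, 0, 2],
    "u04": [0, 2, 2, 1, 1, 1],
    "u05": [1, 1, 4, 2, 0, 0],
    "u06": [3, 0, 2, 5, 2, 1],
    "u07": [0, 1, 3, 3, 1, 2],
    "u08": [2, 2, 1, 2, 0, 1],
    "u09": [1, 0, 2, 4, 1, 0],
    "u10": [0, 1, 1, 1, 2, 1],
    "u11": [9, 7, 26, 18, 15, 10],  # constructed insider profile, elevated on every feature
}

EULER_GAMMA = 0.5772156649


def c(n):
    """Expected path length of an unsuccessful BST search over n points
    (the iForest normaliser); 0 for n <= 1."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def cross_groups(n_features, group_size):
    """Round-robin overlapping groups (assumed scheme): group i holds features
    i, i+1, ..., i+group_size-1 modulo n_features, so every feature appears in
    exactly group_size groups and no feature is left out of the model."""
    return [[(i + k) % n_features for k in range(group_size)]
            for i in range(n_features)]


def build_tree(rows, features, depth, max_depth, rng):
    """Grow one isolation tree, choosing split features only from `features`."""
    if depth >= max_depth or len(rows) <= 1:
        return {"size": len(rows)}
    f = rng.choice(features)
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:  # every row has the same value here; nothing to split on
        return {"size": len(rows)}
    split = rng.uniform(lo, hi)
    left = [r for r in rows if r[f] < split]
    right = [r for r in rows if r[f] >= split]
    return {"f": f, "split": split,
            "left": build_tree(left, features, depth + 1, max_depth, rng),
            "right": build_tree(right, features, depth + 1, max_depth, rng)}


def path_length(tree, x, depth=0):
    """Depth at which x lands in a leaf, plus the leaf's c(size) adjustment."""
    if "size" in tree:
        return depth + c(tree["size"])
    child = tree["left"] if x[tree["f"]] < tree["split"] else tree["right"]
    return path_length(child, x, depth + 1)


def fit(rows, group_size=3, trees_per_group=10, sample_size=8, seed=7):
    """Build trees_per_group trees for each feature cross-group, each on a
    fresh random subsample of the rows."""
    rng = random.Random(seed)
    groups = cross_groups(len(rows[0]), group_size)
    sample_size = min(sample_size, len(rows))
    max_depth = math.ceil(math.log2(sample_size))
    forest = [build_tree(rng.sample(rows, sample_size), g, 0, max_depth, rng)
              for g in groups for _ in range(trees_per_group)]
    return forest, sample_size


def anomaly_score(forest, sample_size, x):
    """iForest score in (0, 1]; values near 1 mean x is isolated very quickly."""
    avg = sum(path_length(t, x) for t in forest) / len(forest)
    return 2.0 ** (-avg / c(sample_size))


def rank_users(users, **fit_kwargs):
    """Return (user, score) pairs, most anomalous first."""
    rows = list(users.values())
    forest, n = fit(rows, **fit_kwargs)
    scored = [(u, anomaly_score(forest, n, users[u])) for u in users]
    return sorted(scored, key=lambda us: us[1], reverse=True)


if __name__ == "__main__":
    for user, s in rank_users(USERS):
        print(f"{user}  {s:.3f}")
```

Each tree is restricted to the features of one cross-group, so the forest as a whole spends the same number of trees on every feature; with a plain isolation forest over all six features, the features with the widest value ranges tend to be the ones that isolate points first. On this constructed table the insider profile "u11" receives the highest score; on real CERT-IT data the feature engineering from the logon, device, file, email and http logs is the part that decides whether the method works.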
Received: 2018-03-30    Published: 2019-03-28
CLC: TP 399
Corresponding author: Li-min PAN    E-mail: yuliu0319@gmail.com
About the first author: Yu LIU (born 1993), male, master's student, researching information security. orcid.org/0000-0003-3726-6702. E-mail: yuliu0319@gmail.com
Cite this article:

Yu LIU, Sen-lin LUO, Le-wei QU, Li-min PAN, Ji ZHANG. Full-featured information equalization modeling for insider threat detection. Journal of Zhejiang University (Engineering Science), 2019, 53(4): 777-784.

Link to this article:

http://www.zjujournals.com/eng/CN/10.3785/j.issn.1008-973X.2019.04.019
http://www.zjujournals.com/eng/CN/Y2019/V53/I4/777

Figure 1  Schematic of the insider threat detection method
Table 1  Details of the CERT-IT data sources

Data source    Content                                   Records       Dimensions
logon          logon/logoff log                          854,859       5
device         removable-device usage                    405,380       5
file           file-operation log                        445,581       6
email          e-mail log                                2,629,979     7
http           per-user web-browsing log                 28,434,423    6
psychometric   per-user psychological survey             1,000         7
LDAP           employee information, 2009.12-2011.05     1,000         9
Table 2  Confusion matrix used to compute the evaluation metrics for insider threat detection

Actual class       Predicted negative    Predicted positive
Negative           TN                    FP
Positive           FN                    TP
Figure 2  Results of the cross-factor selection experiment for equalization modeling
Figure 3  Comparison results for full-featured information equalization modeling
Figure 4  Comparison of insider threat detection performance
Table 3  Runtime comparison of insider threat detection algorithms

Algorithm    t/s
iForest      0.126
KNN          0.633
SVM          17.353
RF           127.160