Journal of ZheJiang University (Engineering Science)  2019, Vol. 53 Issue (4): 777-784    DOI: 10.3785/j.issn.1008-973X.2019.04.019
    
Full-featured information equalization modeling for insider threat detection
Yu LIU, Sen-lin LUO, Le-wei QU, Li-min PAN*, Ji ZHANG
School of Information and Electronics, Beijing Institute of Technology, Beijing 100081, China

Abstract  

A method based on full-feature information equalization modeling is proposed for insider threat detection, addressing two weaknesses of current approaches: low detection accuracy and incomplete use of the information carried by high-dimensional feature data. Features are first extracted and constructed from the multi-source data generated inside an organization (logon, device, file, e-mail and HTTP logs together with psychometric and LDAP records). All features are then cross-grouped, and the cross-grouped feature sets are used to build isolation forest models, which balances how the feature information is used during model construction. The resulting isolation forest model is used to detect insider threat actors. Experiments on the CERT-IT (v4.2) insider threat dataset show that the method attains a higher F1 score while remaining computationally efficient, so it can be used effectively for insider threat detection.
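The pipeline the abstract describes, reconstructed as an added, runnable example (this is not the authors' code, and the CERT-IT data are replaced by constructed log lines): per-user feature vectors are extracted from logon, device, file, e-mail and HTTP records, the feature indices are cross-grouped, one isolation forest is built per group, and the per-group anomaly scores are averaged into a final score per user. The rotating group scheme (each feature appears in exactly `group_size` groups, which is what "equalizes" feature use here), the averaging of group scores, the off-hours threshold, and the minimal isolation forest implementation are this example's own assumptions; the abstract does not fix those details.

```python
"""Added example (not the authors' code): cross-grouped isolation forests over
per-user features extracted from constructed multi-source logs."""
import math
import random
from collections import defaultdict

EULER_GAMMA = 0.5772156649
FEATURES = ["logon", "logon_offhours", "device", "file", "email_ext", "http"]


def make_logs(seed=7):
    """Constructed log lines (NOT CERT-IT data): 'YYYY-MM-DD HH:MM,source,user,detail'."""
    rng = random.Random(seed)
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi", "ivan"]
    profiles = {u: dict(logon=rng.randint(18, 26), off=rng.randint(0, 1),
                        device=rng.randint(0, 2), file=rng.randint(4, 10),
                        ext=rng.randint(0, 3), http=rng.randint(30, 50)) for u in users}
    # The constructed insider: many off-hours logons, removable-device use and file copies.
    profiles["mallory"] = dict(logon=40, off=15, device=20, file=60, ext=12, http=120)
    lines = []
    for u, p in profiles.items():
        for i in range(p["logon"]):
            hour = rng.randint(1, 5) if i < p["off"] else rng.randint(8, 18)
            lines.append(f"2010-06-{1 + i % 28:02d} {hour:02d}:00,logon,{u},PC-{u}")
        lines += [f"2010-06-02 10:00,device,{u},usb-connect"] * p["device"]
        lines += [f"2010-06-03 11:00,file,{u},copy"] * p["file"]
        lines += [f"2010-06-04 12:00,email,{u},to=ext"] * p["ext"]  # 'to=ext' = external recipient
        lines += [f"2010-06-05 13:00,http,{u},example.org"] * p["http"]
    return lines


def extract_features(lines):
    """One feature vector per user, columns in FEATURES order (counts as floats)."""
    feats = defaultdict(lambda: [0.0] * len(FEATURES))
    for line in lines:
        stamp, source, user, detail = line.split(",", 3)
        hour = int(stamp.split(" ")[1][:2])
        f = feats[user]
        if source == "logon":
            f[0] += 1
            if hour < 7 or hour > 19:      # assumed off-hours window
                f[1] += 1
        elif source == "device":
            f[2] += 1
        elif source == "file":
            f[3] += 1
        elif source == "email" and detail.startswith("to=ext"):
            f[4] += 1
        elif source == "http":
            f[5] += 1
    return dict(feats)


def cross_group(n_features, size):
    """Rotating, overlapping groups of feature indices: every feature lands in exactly `size` groups."""
    return [[(i + j) % n_features for j in range(size)] for i in range(n_features)]


def _c(n):
    """Average path length of an unsuccessful BST search (the iForest normaliser)."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def _build(X, rng, depth, max_depth):
    """Grow one isolation tree: random attribute, random split between its min and max."""
    if depth >= max_depth or len(X) <= 1:
        return ("leaf", len(X))
    dims = [j for j in range(len(X[0])) if min(x[j] for x in X) < max(x[j] for x in X)]
    if not dims:
        return ("leaf", len(X))
    j = rng.choice(dims)
    lo, hi = min(x[j] for x in X), max(x[j] for x in X)
    split = lo + rng.random() * (hi - lo)
    left = [x for x in X if x[j] < split]
    right = [x for x in X if x[j] >= split]
    return ("node", j, split, _build(left, rng, depth + 1, max_depth),
            _build(right, rng, depth + 1, max_depth))


def _path(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, j, split, left, right = tree
    return _path(left if x[j] < split else right, x, depth + 1)


class IsolationForest:
    """Minimal isolation forest; score close to 1 means anomalous, close to 0.5 or below means normal."""
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.rng, self.trees = n_trees, sample_size, random.Random(seed), []

    def fit(self, X):
        self.psi = min(self.sample_size, len(X))
        max_depth = math.ceil(math.log2(self.psi)) if self.psi > 1 else 0
        self.trees = [_build(self.rng.sample(X, self.psi), self.rng, 0, max_depth)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        h = sum(_path(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-h / _c(self.psi))


def score_users(lines, group_size=3, n_trees=50, seed=0):
    """Fit one forest per cross-group and average the per-group scores for each user."""
    feats = extract_features(lines)
    users = sorted(feats)
    X = [feats[u] for u in users]
    groups = cross_group(len(FEATURES), group_size)
    total = {u: 0.0 for u in users}
    for g_i, g in enumerate(groups):
        Xg = [[x[j] for j in g] for x in X]
        forest = IsolationForest(n_trees, seed=seed + g_i).fit(Xg)
        for u, xg in zip(users, Xg):
            total[u] += forest.score(xg)
    return {u: total[u] / len(groups) for u in users}


def top_suspect(lines):
    scores = score_users(lines)
    return max(scores, key=scores.get)


if __name__ == "__main__":
    for user, s in sorted(score_users(make_logs()).items(), key=lambda kv: -kv[1]):
        print(f"{user:8s} {s:.3f}")
```

Because every feature is used the same number of times across the groups, no single noisy column dominates the final score; the price is one forest per group, which is cheap here because isolation trees are shallow and sub-sampled.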



Key words: insider threat, anomaly detection, isolation forest algorithm, cross-grouping, behavior log
Received: 30 March 2018      Published: 28 March 2019
CLC: TP 399
Corresponding Authors: Li-min PAN     E-mail: yuliu0319@gmail.com
Cite this article:

Yu LIU, Sen-lin LUO, Le-wei QU, Li-min PAN, Ji ZHANG. Full-featured information equalization modeling for insider threat detection. Journal of ZheJiang University (Engineering Science), 2019, 53(4): 777-784.

URL: http://www.zjujournals.com/eng/10.3785/j.issn.1008-973X.2019.04.019 or http://www.zjujournals.com/eng/Y2019/V53/I4/777


Chinese title (translated): Insider threat actor detection by full-feature information equalization modeling

Chinese abstract (translated): Aiming at the low accuracy of current insider threat actor detection and the incomplete use of high-dimensional data feature information, a method for insider threat actor detection based on full-feature information equalization modeling is proposed. The method extracts and constructs features from the multi-source data generated inside an organization, cross-groups all the features, and builds an isolation forest model from the cross-grouped features, which improves the balance with which data feature information is used during model construction; the generated isolation forest model is then used to detect insider threat actors. Experimental results show that the method attains a high F1 score on the CERT-IT (v4.2) insider threat actor dataset with high algorithmic efficiency, and can be used effectively for insider threat actor detection.

Chinese key words (translated): insider threat actor, anomaly detection, isolation forest algorithm, cross-grouping, behavior log
Fig.1 Principle diagram of insider threat detection method
Data source    Description                                   Records      Dimensions
logon          logon/logoff log                              854,859      5
device         removable-device usage                        405,380      5
file           file-operation log                            445,581      6
email          e-mail log                                    2,629,979    7
http           user web-browsing log                         28,434,423   6
psychometric   user psychometric survey                      1,000        7
LDAP           employee information, Dec 2009 to May 2011    1,000        9
Tab.1 Details of CERT-IT dataset
Actual class       Predicted negative   Predicted positive
Negative           TN                   FP
Positive           FN                   TP
Tab.2 Confusion matrix for calculating the insider threat detection evaluation index
Fig.2 Selection of the equalization modeling crossover factor
Fig.3 Comparison of full-featured information equalization modeling
Fig.4 Comparison of insider threat detection effect
Algorithm   Runtime t/s
iForest     0.126
KNN         0.633
SVM         17.353
RF          127.160
Tab.3 Comparison of insider threat detection algorithm runtime