Research on user behavior pattern profiling methods for insider threat detection
  • English title: Study on user behavior profiling in insider threat detection
  • Authors: 郭渊博; 刘春辉; 孔菁; 王一丰
  • English authors: GUO Yuanbo; LIU Chunhui; KONG Jing; WANG Yifeng; Cryptography Engineering Institute, Information Engineering University; Unit 61213 of The Chinese People's Liberation Army
  • Keywords: behavior sequence; profile extraction; insider threat; hidden Markov model
  • English keywords: behavior sequence; profiling extraction; insider threat; hidden Markov model
  • Chinese journal title (abbreviation): TXXB
  • English journal title: Journal on Communications
  • Affiliations: Cryptography Engineering Institute, Information Engineering University, PLA Strategic Support Force; Unit 61213 of the Chinese People's Liberation Army
  • Publication date: 2018-12-25
  • Publisher: 通信学报 (Journal on Communications)
  • Year: 2018
  • Issue: v.39; No.380
  • Funding: National Natural Science Foundation of China (No.61602515, No.61501515)
  • Language: Chinese
  • Page: TXXB201812015
  • Page count: 10
  • CN: 12
  • ISSN: 11-2102/TN
  • Classification number: 145-154
Abstract
Behavior profiling builds a model of "normal" user behavior from unlabeled historical data and is an effective means of detecting insider threats in enterprises. Current label-based profiling methods rely on manually extracted features and mostly process the data with simple statistical methods, so the resulting user profile models lack detail and are not comprehensive. This paper proposes a method for automatic behavior feature extraction and full-detail local behavior profiling, together with a method for behavior sequence partitioning and global business-state transition prediction; combined, they characterize user behavior patterns more comprehensively. An insider threat detection framework based on behavior profiling is constructed that combines local description with global prediction, improving detection accuracy. Finally, experiments on the CMU-CERT dataset yield an AUC (area under curve) score of 0.88 and an F1 score of 0.925, showing that the method can be applied effectively to insider threat detection.
Published English abstract:
Behavior profiling techniques use unlabeled historical data to build a model of normal behavior and are an effective way to detect insider attackers. State-of-the-art label-based profiling methods extract features manually and process data with simple statistical methods, producing incomplete behavior models that lack detail. An automated feature extraction and full-detail behavior profiling method, as well as a behavior sequence splitting and business state transition prediction method, are proposed. Combining these two methods, an insider threat detection framework is established that improves detection accuracy. In experiments on the CMU-CERT data set, the AUC (area under curve) score was 0.88 and the F1 score was 0.925. With this improved performance, the approach can be used to detect insider threats.