Abstract
Behavior profiling builds a model of each user's normal behavior from unlabeled historical data and is an effective way to detect insider threats within an enterprise. Current label-based profiling methods depend on manually extracted features and process the data with simple statistical methods, so the resulting user profile models lack detail and are incomplete. This paper proposes a method for automatic behavior feature extraction and full-detail local behavior profiling, together with a method for behavior sequence splitting and global business state transition prediction; the two together characterize user behavior patterns more completely. Combining local description with global prediction, an insider threat detection framework based on behavior profiling is constructed, which improves detection accuracy. Experiments on the CMU-CERT dataset give an AUC (area under curve) score of 0.88 and an F1 score of 0.925, showing that the framework can be applied effectively to insider threat detection.
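The abstract only names the two halves of the framework (a local, detail-level profile of each user and a global model that predicts state transitions in the user's behavior sequence), and the paper's own implementation is not on this page. The following is an added illustrative example, not the authors' code: it learns a per-user local profile of daily action counts and a first-order transition model over action sequences from constructed, unlabeled history, scores new days with both, and evaluates the combined score with AUC and F1 on constructed labeled test days. The action vocabulary, the history, the test days, the 0.5 weights and the threshold of 3.0 are all assumptions chosen for the demonstration.

```python
"""Toy behaviour-profiling insider-threat detector (added example, not the paper's code).
Local model: z-scores of a day's action counts against the user's own unlabeled history.
Global model: Laplace-smoothed first-order transition probabilities over the action sequence.
Both scores are combined and evaluated with rank-based AUC and F1 on constructed test days."""
from collections import Counter, defaultdict
import math

# Hypothetical action vocabulary, loosely modelled on CMU-CERT log types (assumption).
ACTIONS = ["logon", "email", "http", "usb", "file", "logoff"]

# Constructed unlabeled history: five normal working days for one user.
HISTORY = [
    ["logon", "email", "http", "file", "logoff"],
    ["logon", "http", "email", "file", "logoff"],
    ["logon", "email", "file", "http", "logoff"],
    ["logon", "email", "http", "file", "email", "logoff"],
    ["logon", "http", "file", "email", "logoff"],
]

# Constructed labeled test days (1 = insider-like, 0 = normal) used only for evaluation.
TEST_DAYS = [
    (["logon", "email", "http", "file", "logoff"], 0),
    (["logon", "http", "email", "file", "logoff"], 0),
    (["logon", "email", "email", "http", "file", "logoff"], 0),
    (["logon", "usb", "file", "file", "file", "usb", "file", "usb", "logoff"], 1),
    (["logon", "http", "usb", "usb", "file", "file", "logoff"], 1),
]

def transition_matrix(sequences, alpha=1.0):
    """Global model: Laplace-smoothed P[next | current] over ACTIONS."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    matrix = {}
    for cur in ACTIONS:
        total = sum(counts[cur].values()) + alpha * len(ACTIONS)
        matrix[cur] = {nxt: (counts[cur][nxt] + alpha) / total for nxt in ACTIONS}
    return matrix

def transition_score(matrix, seq):
    """Mean negative log-likelihood of the day's transitions (higher = rarer)."""
    if len(seq) < 2:
        return 0.0
    nll = sum(-math.log(matrix[cur][nxt]) for cur, nxt in zip(seq, seq[1:]))
    return nll / (len(seq) - 1)

def local_profile(sequences):
    """Local model: per-action (mean, std) of daily counts over the history."""
    daily = [Counter(seq) for seq in sequences]
    profile = {}
    for act in ACTIONS:
        vals = [day[act] for day in daily]
        mean = sum(vals) / len(vals)
        std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
        profile[act] = (mean, std)
    return profile

def local_score(profile, seq):
    """Sum of absolute z-scores of today's counts; the std is floored at 0.5 so an
    action with zero historical variance still gives a finite deviation."""
    today = Counter(seq)
    return sum(abs(today[act] - mean) / max(std, 0.5)
               for act, (mean, std) in profile.items())

def anomaly_score(history, seq, w_local=0.5, w_global=0.5):
    """Combine local profile deviation and global transition rarity (weights assumed)."""
    return (w_local * local_score(local_profile(history), seq)
            + w_global * transition_score(transition_matrix(history), seq))

def auc(scores, labels):
    """Rank-based AUC: share of (positive, negative) pairs ordered correctly."""
    pos = [s for s, l in zip(scores, labels) if l == 1]
    neg = [s for s, l in zip(scores, labels) if l == 0]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def f1(scores, labels, threshold):
    """F1 of the binary decision 'score > threshold'."""
    pred = [1 if s > threshold else 0 for s in scores]
    tp = sum(1 for p, l in zip(pred, labels) if p == 1 and l == 1)
    fp = sum(1 for p, l in zip(pred, labels) if p == 1 and l == 0)
    fn = sum(1 for p, l in zip(pred, labels) if p == 0 and l == 1)
    if tp == 0:
        return 0.0
    precision, recall = tp / (tp + fp), tp / (tp + fn)
    return 2 * precision * recall / (precision + recall)

def evaluate(history=HISTORY, test_days=TEST_DAYS, threshold=3.0):
    """Score every test day against the history and report AUC and F1."""
    scores = [anomaly_score(history, seq) for seq, _ in test_days]
    labels = [label for _, label in test_days]
    return {"scores": scores, "auc": auc(scores, labels), "f1": f1(scores, labels, threshold)}

if __name__ == "__main__":
    result = evaluate()
    for (seq, label), score in zip(TEST_DAYS, result["scores"]):
        print(f"label={label} score={score:.2f} {' '.join(seq)}")
    print(f"AUC={result['auc']:.2f} F1={result['f1']:.2f}")
```

The toy data is separable, so this example scores perfectly; on real CMU-CERT data the two signals are noisier, which is why the paper reports its results as AUC and F1 rather than a single threshold. The design point worth keeping is the split itself: the local profile catches volume deviations (a spike in USB or file activity), while the transition model catches an unusual ordering of otherwise ordinary actions that per-action counts alone would miss.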