Tai-ming ZHU, Yuan-bo GUO, An-kang JU, et al. Business process mining based insider threat detection system[J]. Journal on Communications, 2016, 37(Z1): 180-188. DOI: 10.11959/j.issn.1000-436x.2016265.
Business process mining based insider threat detection system
Current intrusion detection systems are mostly designed to detect external attacks, but internal staff can sometimes bring greater harm to an organization's information security. Traditional insider threat detection methods often do not combine the behavior of people with business activities, so the threat detection rate still leaves room for improvement. An insider threat detection system based on business process mining was proposed, covering two aspects: the implementation of insider threats and the impact of threats on system services. Firstly, the normal control flow model of business activities and the normal behavior profile of each operator were established by mining the training log. Then, during the operation of the system, the actual behavior of the operators was compared with the pre-established normal behavior profiles, supplemented by control flow anomaly detection and performance anomaly detection of business processes, in order to discover insider threats. A variety of anomalies were defined and the corresponding detection algorithms were given. Experiments were performed on the ProM platform. The results show that the designed system is effective.
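As an added illustration of the approach described in the abstract (not code from the paper, whose experiments run on ProM), the following Python sketch mines a directly-follows control flow model, a per-operator activity profile and a per-activity duration bound from a constructed training log, then checks a new case for control flow, behavior-profile and performance anomalies. The log format, activity and operator names, and the 1.5x duration slack are assumptions.

```python
from collections import defaultdict

# Constructed training log of normal operation (not from the paper):
# (case_id, activity, operator, duration_in_minutes), ordered within each case.
TRAIN_LOG = [
    ("c1", "receive", "alice", 5), ("c1", "review", "bob", 30), ("c1", "approve", "carol", 10),
    ("c2", "receive", "alice", 6), ("c2", "review", "bob", 35), ("c2", "approve", "carol", 12),
    ("c3", "receive", "dave", 4), ("c3", "review", "bob", 28), ("c3", "reject", "carol", 8),
]

def mine_model(log):
    """Mine the normal model from a training log: directly-follows relations
    (control flow), the set of activities each operator performs (behavior
    profile) and the longest observed duration per activity (performance)."""
    traces = defaultdict(list)
    for case, act, op, dur in log:
        traces[case].append((act, op, dur))
    follows, profile, max_dur = set(), defaultdict(set), defaultdict(int)
    for events in traces.values():
        prev = "START"
        for act, op, dur in events:
            follows.add((prev, act))
            profile[op].add(act)
            max_dur[act] = max(max_dur[act], dur)
            prev = act
        follows.add((prev, "END"))
    return {"follows": follows, "profile": dict(profile), "max_dur": dict(max_dur)}

def detect(model, trace, slack=1.5):
    """Check one completed case against the model and return a list of
    (anomaly_type, detail) alerts. `slack` (assumed 1.5x) is the tolerated
    overrun of an activity's longest training duration."""
    alerts, prev = [], "START"
    for act, op, dur in trace:
        if (prev, act) not in model["follows"]:          # unexpected step order
            alerts.append(("control_flow", f"{prev}->{act}"))
        if act not in model["profile"].get(op, set()):   # operator outside their profile
            alerts.append(("behavior", f"{op}:{act}"))
        if dur > slack * model["max_dur"].get(act, 0):   # unusually slow step
            alerts.append(("performance", f"{act}:{dur}"))
        prev = act
    if (prev, "END") not in model["follows"]:            # case ended at a wrong step
        alerts.append(("control_flow", f"{prev}->END"))
    return alerts

if __name__ == "__main__":
    model = mine_model(TRAIN_LOG)
    # An operator approving directly after receipt, skipping the review step:
    print(detect(model, [("receive", "alice", 5), ("approve", "bob", 10)]))
```

Each alert type maps to one of the abstract's detection aspects: behavior-profile deviations of an operator, control flow anomalies of the business process, and performance anomalies in how long a step took.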