Yuanbo GUO, Chunhui LIU, Jing KONG, et al. Study on user behavior profiling in insider threat detection[J]. Journal on Communications, 2018, 39(12): 141-150. DOI: 10.11959/j.issn.1000-436x.2018282.
Study on user behavior profiling in insider threat detection
Behavior profiling uses unlabeled historical data to build a model of a user's "normal" behavior and is an effective means of detecting insider threats in enterprises. Current label-based profiling methods depend on manually extracted features and mostly process the data with simple statistical methods, so the resulting user profile lacks detail and is not comprehensive. A method for automatic behavior feature extraction and local, full-detail behavior profiling is proposed, together with a method for behavior sequence segmentation and global business state transition prediction; together they characterize user behavior patterns more comprehensively. An insider threat detection framework based on behavior profiling is then constructed, combining local description with global prediction to improve detection accuracy. Finally, experiments on the CMU-CERT dataset give an AUC (area under curve) score of 0.88 and an F1 score of 0.925, showing that the method can be applied effectively to insider threat detection.
Abstract
Behavior profiling, which uses unlabeled historical data to build a model of normal behavior, is an effective way to detect insider attackers. State-of-the-art label-based profiling methods extract features manually and process the data with simple statistical methods, producing an incomplete behavior model that lacks detail. An automated feature extraction and full-detail behavior profiling method, as well as a behavior sequence splitting and business state transition prediction method, are proposed. Combining the two, an insider threat detection framework is established that improves detection accuracy. In experiments on the CMU-CERT dataset, the AUC (area under curve) score was 0.88 and the F1 score was 0.925. With this improved performance, the framework can be used to detect insider threats.
Keywords