Insider Threat Detection Method Based On Deep Belief Network In Information System

Posted on: 2019-02-08
Degree: Master
Type: Thesis
Country: China
Candidate: L L Lin
GTID: 2428330575450091
Subject: Computer application technology

Abstract/Summary:
At present, insider threat detection methods based on audit logs for information systems are mainly concerned with the behavior characteristics of users in a single detection domain. However, malicious behavior within an information system is concealed and diverse, so it is difficult to find insider threats from the behavioral characteristics of a single domain. It is necessary to fuse behavior from different domains, so how to learn user characteristics from the multi-domain data of audit logs is the key to insider threat detection. On the other hand, traditional feature learning methods often suffer large information loss in the learning process and do not make full use of multi-domain characteristics, so they cannot effectively extract user behavior information. The Deep Belief Network (DBN) has a nonlinear network structure and can extract the essential features of data. It has achieved remarkable results in image recognition, speech recognition and natural language processing. This paper introduces the deep belief network into insider threat detection. The main work includes:

(1) For the multi-domain features extracted from the audit logs, this paper uses a DBN-based feature learning method to re-represent the multi-domain features. This method uses the multi-layer nonlinear structure to extract features and fully mines the multi-domain behavior characteristics of users. Finally, the features learned by the DBN are fed into a one-class support vector machine (One-Class SVM, OCSVM), which is an anomaly detection algorithm, to construct a hybrid insider threat detection model.

(2) Although the method in (1) has a certain effect on the detection of insider threats, the normal user behavior pattern learned by training a single OCSVM is relatively simple, while the normal behavior patterns of users in an information system are often complex and diverse. Therefore, this paper proposes a mixed clustering method to detect insider threats. This method uses the K-means algorithm (partition-based clustering) and the Birch algorithm (hierarchical clustering) to perform cluster analysis on the DBN-processed multi-domain features. An OCSVM model is then constructed for each normal behavior pattern.

(3) The insider threat detection model in this paper is based on DBN feature representation. Because the DBN iteration process consumes a lot of computation time, the training time of the detection model is mainly spent in the pre-training stage of the DBN. Therefore, this paper proposes a parallel insider threat detection method. To improve time performance, it uses a parallel DBN algorithm on the Hadoop platform to extract the multi-domain features of the audit logs. The detection model uses the hybrid clustering model in (2) to detect insider threats.

In this paper, the CERT data set provided by Carnegie Mellon University Internal Threat Center is used to analyze the proposed insider threat detection method. The experimental results show that the method based on DBN feature representation has a certain detection effect, and that the hybrid clustering method can improve the performance of the detection model. Finally, combined with the Hadoop platform, the DBN pre-training time can be reduced to a certain extent, thereby enhancing the time performance of the insider threat detection model.
Keywords/Search Tags: Insider threat detection, deep belief network, multi-domain features, clustering analysis, Hadoop
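
The per-pattern detection stage described in item (2), as an added example using scikit-learn; it is not the thesis's code. Assumptions: constructed 4-dimensional features stand in for the DBN output, only K-means is used because the abstract does not say how K-means and Birch are combined, and the decision rule (flag a sample only if every per-pattern OCSVM rejects it) and all function names are hypothetical.

```python
import numpy as np
from sklearn.cluster import KMeans
from sklearn.svm import OneClassSVM

def make_constructed_features(rng, n_per_pattern=200):
    """Constructed stand-in for DBN-learned multi-domain features:
    two normal behavior patterns in a 4-dimensional feature space."""
    a = rng.normal(0.2, 0.03, size=(n_per_pattern, 4))
    b = rng.normal(0.8, 0.03, size=(n_per_pattern, 4))
    return np.vstack([a, b])

def fit_pattern_models(X, n_patterns=2, nu=0.05, gamma=50.0, seed=0):
    """Cluster the normal data, then train one OCSVM per cluster."""
    labels = KMeans(n_clusters=n_patterns, n_init=10,
                    random_state=seed).fit_predict(X)
    return [OneClassSVM(kernel="rbf", nu=nu, gamma=gamma).fit(X[labels == k])
            for k in range(n_patterns)]

def is_anomalous(models, X):
    """Assumed decision rule: flag a sample only if every per-pattern
    OCSVM rejects it (predict returns -1 for outliers)."""
    votes = np.array([m.predict(X) for m in models])  # (models, samples)
    return (votes == -1).all(axis=0)

def run_demo():
    rng = np.random.default_rng(0)
    models = fit_pattern_models(make_constructed_features(rng))
    # Fresh normal samples drawn from the same two constructed patterns.
    fresh_normal = make_constructed_features(rng, n_per_pattern=100)
    # Constructed anomalies: one between the patterns, one mixing both.
    anomalies = np.array([[0.5, 0.5, 0.5, 0.5], [0.2, 0.8, 0.2, 0.8]])
    false_positive_rate = float(is_anomalous(models, fresh_normal).mean())
    detected = is_anomalous(models, anomalies)
    return false_positive_rate, detected

if __name__ == "__main__":
    fpr, detected = run_demo()
    print(f"false positive rate on fresh normal data: {fpr:.2f}")
    print(f"constructed anomalies flagged: {detected.tolist()}")
```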