
Insider Threat Detection Based On User Behaviors

Posted on: 2020-04-26
Degree: Master
Type: Thesis
Country: China
Candidate: H H Peng
Full Text: PDF
GTID: 2428330578954859
Subject: Information security

Abstract/Summary:
In the early stage of network technology development, enterprises and organizations made guarding against malicious acts from outside the security boundary their main defense policy, and many detection methods and defense systems have been proposed in the field of information security to deal with external threats. Despite these mature defenses, today's enterprises, organizations and even countries still face a severe security crisis, because its source lies inside. Inside attackers are familiar with the internal system architecture and security policies, so they can easily bypass the system's defense and detection mechanisms; as a result, such attacks are difficult to predict in advance and hard to trace afterwards. At the same time, insider threats cause losses as large as, or larger than, external attacks, which has made them a widely studied topic in information security. In existing insider threat detection research, a detection scheme based on a single data source is easily evaded by insider attackers, and different modeling schemes are adopted for different data sources, which increases the difficulty of implementing insider threat detection. Against this background, this thesis studies the detection of abnormal user behavior in insider threats. The work of this thesis is as follows: (1) It surveys the existing theoretical results, summarizing the types of existing insider threats, the related attack detection models, and the datasets used by researchers; it also describes the data acquisition and preprocessing performed for this thesis. (2) It proposes a more general user behavior similarity calculation method, which breaks user interaction behavior down into several sets of event sequences, uses the Markov clustering algorithm to convert each event sequence into a set of point clusters, and finally transforms the user behavior similarity calculation into a set similarity calculation. In the experiments, the method is applied to Linux terminal command sequences and file access records. The results show that the method achieves the same detection rate as existing detection methods; moreover, because the same method is used for different data sources, the difficulty of implementing the detection model is further reduced. (3) From the perspective of human-computer interaction data, the thesis proposes analyzing user behavior from multiple data sources, such as keystroke data, network traffic, file system access records and terminal commands, and constructing a user behavior model from them. The results of simulated-scenario experiments show that the multi-source insider threat detection model has a larger monitoring scope and can detect anomalies that a single-source model cannot. The corresponding experiments have an average TPR of 86.8%-89% and an average FPR of 9%-13%. (4) An insider threat detection system that collects user behavior data in real time and performs abnormal user behavior detection is described in detail.
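The similarity method of item (2), as an added illustration that is not the thesis's own code: commands in a session form a transition graph, Markov clustering (MCL) groups them into clusters, and two users are compared by set similarity of their cluster sets. Since the abstract does not fix them, the following are assumptions: undirected transition counts with self-loops, inflation parameter 2, and Jaccard as the set similarity; the sessions are constructed sample data, not the thesis's dataset.

```python
# Added example, not the thesis's code. Assumed: undirected transition graph with
# self-loops, plain MCL (expand/inflate, r=2), Jaccard over the resulting cluster sets.

def normalize_columns(m):
    """Make every column sum to 1 (in place); columns are never all-zero here."""
    for j in range(len(m)):
        s = sum(row[j] for row in m)
        for row in m:
            row[j] /= s
    return m

def transition_matrix(seq):
    """Column-stochastic matrix of an event sequence; column = 'from', row = 'to'."""
    events = sorted(set(seq))
    idx = {e: i for i, e in enumerate(events)}
    n = len(events)
    m = [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]  # self-loops
    for a, b in zip(seq, seq[1:]):          # adjacent commands, counted both ways
        m[idx[b]][idx[a]] += 1.0
        m[idx[a]][idx[b]] += 1.0
    return events, normalize_columns(m)

def expand(m):                              # matrix square: two-step random walk
    n = len(m)
    return [[sum(m[i][k] * m[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def inflate(m, r):                          # raise entries to power r, renormalize
    return normalize_columns([[x ** r for x in row] for row in m])

def mcl(m, r=2.0, max_iter=100, eps=1e-6):
    """Alternate expansion and inflation until the matrix stops changing."""
    for _ in range(max_iter):
        nxt = inflate(expand(m), r)
        delta = max(abs(a - b) for ra, rb in zip(nxt, m) for a, b in zip(ra, rb))
        m = nxt
        if delta < eps:
            break
    return m

def behaviour_clusters(seq, r=2.0, tol=1e-3):
    """Cluster set of a session: each attractor row (m[i][i] > tol) names one cluster."""
    events, m = transition_matrix(seq)
    m = mcl(m, r)
    return {frozenset(events[j] for j, x in enumerate(m[i]) if x > tol)
            for i in range(len(events)) if m[i][i] > tol}

def behaviour_similarity(seq_a, seq_b):
    """Jaccard similarity of two sessions' cluster sets; 1.0 means identical habits."""
    ca, cb = behaviour_clusters(seq_a), behaviour_clusters(seq_b)
    return len(ca & cb) / len(ca | cb) if ca | cb else 1.0

# Constructed sample sessions (not real data): two sessions of one user, one of another.
SESSION_A = ["ls", "cd", "ls", "cd", "vim", "make", "vim", "make"]
SESSION_A2 = ["vim", "make", "vim", "make", "cd", "ls", "cd", "ls"]
SESSION_B = ["ssh", "scp", "ssh", "scp"]
```

The two sessions of user A yield the same clusters {ls, cd} and {vim, make} (similarity 1.0), while user B's disjoint command set yields 0.0; a sudden drop against a user's own baseline is the anomaly signal the model reports.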
Keywords/Search Tags: Man-Machine Interaction, Insider Threat, User behavior, Event Sequence