Design And Implementation Of User Abnormal Behavior Detection Model For Bank Intranet Log

Posted on: 2021-01-30
Degree: Master
Type: Thesis
Country: China
Candidate: C C Wang
GTID: 2428330602977674
Subject: Computer technology
Abstract/Summary:
With the development of the bank's IT business, the amount of data center equipment keeps increasing. Large, heterogeneous clusters of hardware and software run without interruption, which requires better network security management. User behavior analysis is an important part of network security management, and it is the main method for mining risk information in the intranet.

At present, banks commonly analyze abnormal user behavior by building a rule database. This method has rigorous rules, strong interpretability and good pertinence. However, a huge and complex rule database relies heavily on the experience of professionals and cannot analyze user behavior in depth, which makes it difficult to cope with an increasingly complex intranet. A better method is therefore needed to replace the existing one.

This thesis concerns a network security management platform, developed by a security company for a certain bank, that analyzes user behavior in its alert module. Two models were designed and implemented: Word2Vector combined with a Gradient Boosting Decision Tree, and an Autoregressive Model. The two models process logs in complementary ways: one filters logs in real time, and the other analyzes statistics. They are used to analyze the logs generated by bank equipment and to find abnormal behavior for the bank, so that network security managers can make better decisions.

The main work of this thesis is as follows:

1. Creating a personalized dictionary by analyzing the MSG part of the log to train the Word2Vector model;
2. Implementing a Gradient Boosting Decision Tree to filter and classify each log in real time;
3. Building an Autoregressive Model to analyze access information.

After the new user abnormal behavior detection method was implemented, A/B experiments were performed against the existing methods. The results demonstrated that the method implemented in this thesis performed better than the existing ones.

The final results of this project are as follows:

1. The experimental results showed that the proposed method had better accuracy and mining depth than the conventional methods;
2. The proposed method was deployed online. It has been working well online, can adapt to complex intranet environments, and better serves network security managers.
Keywords/Search Tags: Word2Vector, Gradient Boosting Decision Tree, Autoregression, Log Analysis, Analysis of Users' Behavior