Research On Insider Threat Detection Method Based On Recurrent Neural Network

Posted on: 2021-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: Z J Huang
GTID: 2428330611498170
Subject: Computer technology
Abstract/Summary:
In recent years, insider threats, mainly system sabotage, electronic fraud and information theft, have posed a serious threat to organizations, individuals and even national security because of their invisibility and destructiveness. Insider threats generally refer to behavior by legitimate employees, third parties or partners with internal access rights that violates the organization's security policies and damages enterprise resources or internal information. With the popularization of the Internet, the proportion of insider attacks among all attacks on organizations is increasing year by year, so it is urgent to detect malicious behavior by internal personnel in a timely and efficient manner.

Current methods for detecting insider threats are mainly machine learning methods. However, machine learning methods require complex feature engineering. As data volume grows, internal attack data is scattered across multiple behavioral domains of users, so it is not easy to model the characteristics of complex cross-domain data. In addition, most detection models are designed to reduce the complexity of model classification and fail to consider the temporal information in internal attacks, so internal attacks that occur over a period of time cannot be detected.

In recent years, the development of deep learning has brought new ideas to the problem of insider threat detection. Deep learning can learn deep information from data, and its hidden layer is a highly abstract representation of user information that can be used to represent the characteristics of the data. The key to insider threat detection is to model the normal behavior of internal personnel and find abnormal behavior that deviates from that model. If the unique self-feedback structure of a recurrent neural network is used to model user behavior, insider threats occurring over a period of time can be detected. In this project, a novel method of insider threat detection is proposed and corresponding experiments are carried out. The main research contents and contributions of this study are as follows:

(1) For feature modeling of cross-domain data, a method based on entity embedding is proposed to extract the characteristics of structured data: user behavior characteristics are extracted through the embedding layer of a neural network, which represents the original data in low dimension and transforms structured data into a vector expression that a neural network can process. In addition, the similarity of various behavior data can be measured by vector distance using the characteristics obtained from the neural network.

(2) For insider threats over time, a novel insider threat detection method based on a recurrent neural network is proposed to learn the normal behavior patterns of users. Thanks to its memory, the method can detect both isolated and continuous insider threats.

(3) The availability of the method was verified on the CERT dataset. Comparison with common insider threat detection schemes shows that the method achieves a higher recall rate under the same budget, indicating that it can greatly reduce the workload of enterprise analysts.
Keywords/Search Tags:insider threat detection, deep learning, recurrent neural networks, entity embedded