
Research And Application Of User And Entity Behavior Analytics Technology In Network Security

Posted on: 2021-04-01
Degree: Master
Type: Thesis
Country: China
Candidate: X Q Yang
Full Text: PDF
GTID: 2428330620964034
Subject: Engineering

Abstract/Summary:
With the continuous development of computer technology, insider threats and host-based intrusions continue to affect the normal operation of networks, so effective countermeasures are urgently needed. Existing insider threat detection algorithms have the following main disadvantages: they use only a single user behavior to build the user behavior model, they cannot detect insider threats for new users, and the choice and design of the algorithm lead to problems such as a reduced area under the curve (AUC) score. Existing host-based intrusion detection algorithms have the following main shortcomings: they rely on the security events themselves, the continuous change of security events causes the algorithm to fail to identify them, they need a large number of fully labeled samples for model training, and they have poor portability. In view of these problems, the research content of this thesis consists of three parts.

(1) A user behavior analytics algorithm based on a one-class neural network (OC-NN) is proposed. The algorithm uses multiple user behaviors to build its models and can discover insider threats that arise from multiple behaviors. It applies an OC-NN, which is designed specifically for anomaly detection, to user behavior analytics and improves the AUC score of the algorithm. It establishes behavior models for both users and roles, which overcomes the disadvantage that existing algorithms cannot perform insider threat detection when they build only user behavior models. It integrates the prediction results of the user behavior model and the role behavior model, further improving the AUC score.

(2) An entity behavior analytics algorithm based on few-shot learning (FSL) is proposed. By analyzing host behavior, this algorithm solves the problem that existing algorithms stop working when the form of security events changes. It improves the relation network (RN) from FSL and applies it to host behavior analytics, which solves the problem that existing algorithms require a large number of labeled samples for model training. Because it takes advantage of the strong generalization ability of the RN, it can identify unknown host behavior and also solves the problem of poor portability in existing algorithms.

(3) Because network security issues are increasingly severe, network security administrators need to monitor the security status of the entire network comprehensively and in real time. This thesis therefore applies the OC-NN-based user behavior analytics algorithm and the FSL-based entity behavior analytics algorithm to network security situational awareness (NSSA), and designs and implements a network security monitoring system.
Keywords/Search Tags: insider threat detection, host-based intrusion detection, one-class neural network (OC-NN), few-shot learning (FSL)