Research On Insider Threat Detection Method Based On Deep Learning

Posted on: 2020-03-08
Degree: Master
Type: Thesis
Country: China
Candidate: Y Tian
Full Text: PDF
GTID: 2428330623956589
Subject: Computer Science and Technology
Abstract/Summary:
Internet technology is developing rapidly, and insider threats have become a significant hidden danger to the security of enterprise information systems. An insider threat is the threat that an individual with legitimate access rights poses to the organization. Current detection methods for insider threats mainly comprise shallow machine learning methods and deep learning methods. Traditional shallow machine learning algorithms require complex feature engineering and have limitations when applied to insider threat detection. For example, hidden Markov models are not suitable for processing long behavior sequences, graph clustering algorithms consume a large amount of memory when processing massive data, and the one-class support vector machine is inefficient on high-dimensional data. As a result, the limitations of traditional machine learning algorithms have caused improvements in detection rate to reach a bottleneck.

In recent years, the development of deep neural networks has brought new ideas to insider threat detection. Deep learning can extract multi-level features and reveal the internal relationships between features. The key to insider threat detection is to model a user's normal behavior and find abnormal deviations from it. User behavior can be regarded as long-term time series data. The long short-term memory (LSTM) network can learn long-term sequence patterns with simplified feature engineering, which lets it discover the implicit characteristics of internal user behavior and greatly improve the detection rate. However, current user behavior modeling methods are still limited to single-step time series prediction, which ignores the randomness of user behavior and often leads to false positives. Moreover, some scholars have proposed using deep learning to extract features and then applying a shallow classification method for detection. This hybrid detection method is not conducive to optimizing the parameters of the neural network and the classifier. In addition, some methods ignore the particularity of insider threat detection and fail to make full use of the behavioral similarity of different roles in the company.

Based on this, this paper proposes a user behavior modeling method based on multi-step time series prediction and combines it with a one-class classifier for joint training to realize a deep one-class classifier. Furthermore, multiple hyperspheres are trained according to role attributes derived from user metadata, and the detection rate is further improved by optimizing a compound loss function. Specifically, the work is divided into the following three aspects:

(1) To address the false alarms caused by single-step time series prediction, this paper proposes a behavior modeling method based on multi-step prediction, using a neural network as a feature extractor to model the user's behavior characteristics over a long period. Multi-step prediction means predicting the behavior at multiple time points from the current input; that is, the prediction errors at a certain number of time points are calculated and optimized simultaneously during training. In addition, because browser access accounts for the vast majority of user behavior, and to address this imbalance among behavior types, this paper proposes a batch-based training method for imbalanced data that modifies the weight of each behavior so that each carries the same weight during training. Experimental results show that the accuracy of multi-step prediction of user behavior can reach over 90%.

(2) To address the sparsity of high-dimensional data and the parameter optimization problem of the hybrid detection mode, this paper adds pooling-based dimension reduction on top of user behavior modeling and proposes jointly training a deep one-class classifier to solve the anomaly detection task of this topic. During training, a pooling layer aggregates statistics over features at different positions, which solves the sparsity problem of high-dimensional data. Because joint training of the neural network and the one-class classifier updates the parameters dynamically through iterative learning, the advantages of deep learning are fully utilized, and the recall rate is improved by nearly 13% compared with separate training.

(3) Because the insider threat data set exhibits role correlation, this paper further proposes a role-based deep one-class classification method, which trains multiple hyperspheres using user metadata: during training, the network predicts the user's role from the current behavior while pulling all data points as close as possible to the hypersphere of the role they belong to. By optimizing the compound loss function, the recall rate is further increased by about 8%.

The experimental results on the CERT internal user behavior data set show that the deep one-class classification algorithm based on the long short-term memory network can be used to identify insider threats. Within an acceptable false alarm rate range, the recall rate can reach 92%, which is significantly better than the one-class support vector machine and the isolation forest algorithm.
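The role-based hypersphere scoring described in aspect (3), as an added example that is not code from the thesis. It is a simplification: fixed vectors stand in for the LSTM's learned features, each center is a plain mean rather than a jointly trained parameter, and the role names, function names and data are constructed for illustration.

```python
import math
import random

def fit_role_spheres(embeddings, roles, far=0.05):
    """One hypersphere per role: center = mean embedding of that role's
    training users, radius = (1 - far) quantile of training distances,
    so roughly `far` of normal training points fall outside."""
    spheres = {}
    for role in sorted(set(roles)):
        pts = [e for e, r in zip(embeddings, roles) if r == role]
        center = [sum(col) / len(pts) for col in zip(*pts)]
        dists = sorted(math.dist(p, center) for p in pts)
        radius = dists[min(len(dists) - 1, int((1 - far) * len(dists)))]
        spheres[role] = (center, radius)
    return spheres

def anomaly_score(spheres, embedding, role):
    """Distance to the user's own role center minus that role's radius.
    Positive means the behavior lies outside the role's hypersphere."""
    center, radius = spheres[role]
    return math.dist(embedding, center) - radius

def nearest_role(spheres, embedding):
    """Role whose center is closest: a stand-in for role prediction."""
    return min(spheres, key=lambda r: math.dist(embedding, spheres[r][0]))

def make_constructed_data(seed=7, n=200, dim=4):
    """Constructed sample: two hypothetical roles with different behavior."""
    rng = random.Random(seed)
    means = {"engineer": 0.0, "hr": 5.0}
    X, y = [], []
    for role, mu in means.items():
        for _ in range(n):
            X.append([rng.gauss(mu, 1.0) for _ in range(dim)])
            y.append(role)
    return X, y

if __name__ == "__main__":
    X, y = make_constructed_data()
    spheres = fit_role_spheres(X, y)
    typical = [0.2, -0.1, 0.3, 0.0]    # engineer behaving like an engineer
    drifted = [5.0, 5.0, 5.0, 5.0]     # engineer account behaving like HR
    for name, emb in (("typical", typical), ("drifted", drifted)):
        s = anomaly_score(spheres, emb, "engineer")
        print(name, round(s, 2), "looks like:", nearest_role(spheres, emb))
```

The `far` parameter sets the share of normal training behavior that is allowed to fall outside each sphere, which is the trade-off behind the "acceptable false alarm rate" the abstract reports recall against.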
Keywords/Search Tags: Anomaly Detection, Insider Threat, One-class Classifier, Neural Network