
Research on Internal Threat Detection Based on Machine Learning

Posted on: 2018-11-25
Degree: Master
Type: Thesis
Country: China
Candidate: B Xu
GTID: 2518305612961129
Subject: Automation Technology

Abstract:
The rapid development of technology brings convenience to people's lives, but it also brings security threats, both external and internal. Each of these threats harms someone's interests to some degree, and how to weaken or even eliminate them is a problem researchers still need to solve. For external intrusion, the intrusion detection system is by now a relatively mature and effective answer: configured and used sensibly, it prevents external intrusion effectively. Internal threats, by contrast, have long been a research topic without an effective solution, for two main reasons: 1) the initiators of the dangerous activity are legitimate internal users, which makes the activity hard to notice; 2) such threats occur rarely but have a large impact, so each occurrence can cause catastrophic damage. Starting from the external threat model, this thesis proposes a general detection framework for internal threats and two detection methods for the framework's core component, the internal threat detection module. The main contents are as follows:

(1) An internal threat detection framework based on machine learning. Analysis of the classic external intrusion detection model shows that it has three properties: it is complete, general and flexible. This thesis proposes a machine-learning-based internal threat detection framework that preserves these properties. It consists of five modules: raw data acquisition, data preprocessing, internal threat detection, threat response and log storage. The internal threat detection module is the core, and the later chapters are built on it.

(2) A method for detecting anomalous user behaviour in an enterprise network based on graph analysis and support vector machines. An internal threat is ultimately a threat posed by a person on the internal network, so the key question is how to detect anomalous people on that network. In Chapter 4, user authentication activity is transformed into a user authentication graph; the graph is analysed, and the classical support vector machine algorithm from machine learning is applied to the result to detect and identify users whose activity is anomalous. The method combines the advantages of graph analysis and support vector machines, and the experiments show that its detection performance is excellent.

(3) A "two-step" method, clustering followed by classification, for detecting anomalous users on the internal network. Existing anomalous-user detection methods share a common drawback: they treat all network users alike. In reality users are hierarchical. At the simplest, administrators with special privileges can be separated from ordinary users without them, and the behaviour of the two groups, whether in database access, file operations or anything else, is fundamentally different. Chapter 5 therefore proposes a "two-step" detection method for anomalous users on the internal network: cluster first, then classify. Users are first clustered into two categories, administrators and ordinary users, and anomalous behaviour is then detected and identified within one category at a time. Experiments show that the method is feasible and effective.

In summary, this thesis applies machine learning to internal threat detection and proposes a general detection framework together with two methods that detect internal threats at their root. The experimental results show that the proposed methods are feasible and effective for internal threat analysis and detection, and in particular that they have practical significance for detecting anomalous staff on the internal network.
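The following block is an added illustration of the two ideas in (2) and (3) above, not the thesis's own code. It builds a user-to-host authentication graph from constructed log lines, reads per-user features off the graph (out-degree, share of authentications to privileged hosts, failure ratio, off-hours ratio), clusters users into two roles (step 1), and then scores each user only against its own role (step 2), with a "flat" run that scores everyone together for comparison. Everything beyond the abstract is an assumption: the log format, the dc*/srv* naming convention for privileged hosts, a deterministically seeded 2-means standing in for the thesis's clustering, and a robust z-score (median/MAD) rule standing in for its support vector machine and supervised classifier, so that the block runs with the Python standard library alone.

```python
"""Two-step insider detection over a user authentication graph: added illustration,
not the thesis's own code.  Constructed auth-log lines become a user->host graph, per-user
features are read off it, users are clustered into two roles (step 1) and each user is then
scored only against its own role (step 2).  Assumed: the log format, dc*/srv* naming of
privileged hosts, a deterministically seeded 2-means in place of the thesis's clustering,
and a robust z-score rule in place of its SVM / supervised classifier."""
from collections import defaultdict
from statistics import median

# Constructed sample: (user, hosts reached, events per host, failed events, off-hours events)
SPEC = [
    ("alice", ["dc01", "dc02", "srv01", "srv02", "srv03", "fs01"], 2, 0, 0),
    ("bob",   ["dc01", "srv01", "srv02", "srv03", "srv04", "fs01", "fs02"], 2, 1, 0),
    ("carol", ["dc01", "dc02", "srv01", "srv02", "fs03"], 2, 0, 1),
    ("dave",  ["ws04", "fs01", "srv02"], 3, 4, 5),   # ordinary user behaving anomalously
    ("erin",  ["ws05", "fs01"], 4, 0, 0),
    ("frank", ["ws06", "fs01"], 4, 1, 0),
    ("grace", ["ws07"], 6, 0, 0),
    ("heidi", ["ws08", "fs02"], 4, 0, 0),
    ("ivan",  ["ws09", "fs01", "fs02"], 3, 0, 0),
]

def make_log(spec=SPEC):
    """Expand SPEC into constructed log lines '<hour> <user> <dst_host> <ok|fail>'."""
    lines = []
    for user, hosts, per_host, fails, offhours in spec:
        n = 0
        for host in hosts:
            for _ in range(per_host):
                hour = 2 if n < offhours else 10        # first `offhours` events at 02:00
                result = "fail" if n < fails else "ok"  # first `fails` events fail
                lines.append(f"{hour:02d} {user} {host} {result}")
                n += 1
    return lines

def build_graph(lines):
    """Authentication graph: user -> host -> list of (hour, success) edge events."""
    graph = defaultdict(lambda: defaultdict(list))
    for line in lines:
        hour, user, host, result = line.split()
        graph[user][host].append((int(hour), result == "ok"))
    return graph

def user_features(graph):
    """Per-user graph features: out-degree, share of events to dc*/srv* hosts (assumed
    privileged), failure ratio and off-hours ratio (before 07:00 or from 20:00)."""
    feats = {}
    for user, hosts in graph.items():
        events = [(hour, ok, host) for host, evs in hosts.items() for hour, ok in evs]
        n = len(events)
        feats[user] = {
            "distinct_dst": len(hosts),
            "srv_ratio": sum(h.startswith(("dc", "srv")) for _, _, h in events) / n,
            "fail_ratio": sum(not ok for _, ok, _ in events) / n,
            "offhours_ratio": sum(hr < 7 or hr >= 20 for hr, _, _ in events) / n,
        }
    return feats

def two_means(points, iters=20):
    """Step 1: split users into two roles; seeds are the largest- and smallest-norm points."""
    names = list(points)
    norm = lambda p: sum(v * v for v in p)
    cents = [points[max(names, key=lambda u: norm(points[u]))],
             points[min(names, key=lambda u: norm(points[u]))]]
    for _ in range(iters):
        groups = [[], []]
        for u in names:
            d = [sum((a - b) ** 2 for a, b in zip(points[u], c)) for c in cents]
            groups[d.index(min(d))].append(u)
        cents = [tuple(sum(points[u][i] for u in g) / len(g) for i in range(2)) if g else cents[k]
                 for k, g in enumerate(groups)]        # an empty group keeps its centroid
    return groups

def robust_flags(feats, users, keys=("fail_ratio", "offhours_ratio", "distinct_dst"),
                 threshold=3.5, mad_floor=0.05):
    """Step 2: flag users more than `threshold` MADs from the group median on any key
    (MAD floored so an all-zero feature cannot divide by zero)."""
    flagged = set()
    for key in keys:
        vals = {u: feats[u][key] for u in users}
        med = median(vals.values())
        mad = max(median(abs(v - med) for v in vals.values()), mad_floor)
        flagged |= {u for u, v in vals.items() if abs(v - med) / mad > threshold}
    return flagged

def detect(lines):
    """Roles plus the users flagged by the two-step method and by scoring everyone together."""
    feats = user_features(build_graph(lines))
    max_deg = max(f["distinct_dst"] for f in feats.values())
    points = {u: (f["distinct_dst"] / max_deg, f["srv_ratio"]) for u, f in feats.items()}
    g0, g1 = two_means(points)
    mean_srv = lambda g: sum(feats[u]["srv_ratio"] for u in g) / max(len(g), 1)
    admins, ordinary = (g0, g1) if mean_srv(g0) > mean_srv(g1) else (g1, g0)
    return {"admins": sorted(admins),
            "two_step": robust_flags(feats, admins) | robust_flags(feats, ordinary),
            "flat": robust_flags(feats, list(feats))}   # every user scored against everyone

if __name__ == "__main__":
    print(detect(make_log()))   # two_step flags only dave; flat also flags the admin bob
```

The comparison is the point of the thesis's "two-step" argument: scored against all users together, the administrator bob is flagged simply because he authenticates to far more hosts than the median user, while scored only against the other administrators he is ordinary, and the one user whose behaviour really changed (dave: failed logons and off-hours activity that no other ordinary user shows) is flagged in both runs. The graph features, clustering inputs, threshold and MAD floor are all choices made for this illustration rather than values taken from the thesis.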
Keywords: machine learning, internal threat detection, graph analysis, intrusion detection, anomaly detection