
Research On Malicious Login Anomaly Detection Method Based On Host Log

Posted on: 2022-04-17
Degree: Master
Type: Thesis
Country: China
Candidate: Z Ming
GTID: 2518306326483564
Subject: Smart city application software and engineering applications
Abstract/Summary:
Malicious login means that an attacker, by some means, automatically enters passwords into the host or website under attack until a login succeeds, after which the attacker can hijack the relevant data to achieve their own goals. With the advent of the information age, malicious login attacks carried out for electronic fraud and information theft have caused great harm to organizations and individuals, and even to national security, because of their concealment and high risk. Host logs collect user operation information and computer-related event information, and these data often record attackers' behavior. Log analysis has become an indispensable part of malicious login detection. With the advent of the big data era, the number of malicious login attacks has increased dramatically, and there are many types of logs. In addition, many detection models do not take into account the timing information in malicious login attacks, and so fail to detect and raise alarms in time. To address the above problems, this thesis combines the attention mechanism with a recurrent neural network to propose a deep-learning-based method for detecting malicious network login anomalies. The main research content is as follows. For different types of user operation logs, the thesis proposes two encoding methods, word-level and char-level, to vectorize the logs. An LSTM model is used to extract the feature information contained in the user operation logs in order to identify normal behavior in them, and the attention mechanism makes the model pay more attention to the feature information of normal operations. At the same time, redundant operations are filtered out to obtain a user operation score. A threshold is set to determine whether the log stream is a malicious login, and the result is fed back to the network administrator. The experiments use the real LANL data set, which was collected by Los Alamos National Laboratory on its internal network and contains 1.6 billion real host events. The experimental results show that the proposed method can encode different user logs, that its feature extraction accuracy is high, and that the F1-score for network malicious login anomaly detection reaches 97.6%.
Keywords/Search Tags: malicious login, deep learning, long short-term memory networks, attention mechanisms, anomaly detection
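The pipeline the abstract outlines (word-level or char-level encoding, a model of normal behavior, a per-event score, a threshold) is sketched below as an added example; it is not the thesis's code. A smoothed bigram model stands in for the LSTM with attention, and the field layout, the sample events and the mean + 3σ threshold rule are assumptions.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed sample events; the comma-separated field layout is an assumption:
# time,src_user@dom,dst_user@dom,src_host,dst_host,auth_type,logon_type,orientation,result
NORMAL = [
    "1,U12@DOM1,U12@DOM1,C17,C17,Kerberos,Network,LogOn,Success",
    "2,U12@DOM1,U12@DOM1,C17,C529,Kerberos,Network,LogOn,Success",
    "3,U45@DOM1,U45@DOM1,C88,C88,Kerberos,Network,LogOn,Success",
    "4,U45@DOM1,U45@DOM1,C88,C529,Kerberos,Network,LogOff,Success",
    "5,U12@DOM1,U12@DOM1,C17,C17,Kerberos,Network,LogOff,Success",
    "6,U45@DOM1,U45@DOM1,C88,C529,Kerberos,Network,LogOn,Success",
]
HELD_OUT_NORMAL = "7,U12@DOM1,U12@DOM1,C17,C529,Kerberos,Network,LogOff,Success"
SUSPICIOUS = "8,U45@DOM1,U12@DOM1,C88,C17,NTLM,Network,LogOn,Fail"

def word_tokens(line):
    """Word-level encoding: one token per field, user@domain split, timestamp dropped."""
    body = line.strip().split(",", 1)[1]
    return ["<sos>"] + body.replace("@", ",").split(",") + ["<eos>"]

def char_tokens(line):
    """Char-level encoding: one token per character, so unseen names need no vocabulary entry."""
    return ["<sos>"] + list(line.strip().split(",", 1)[1]) + ["<eos>"]

class BigramModel:
    """Stand-in for the LSTM: add-one smoothed next-token model fit on normal events."""
    def __init__(self, sequences):
        self.pairs, self.ctx, self.vocab = Counter(), Counter(), set()
        for seq in sequences:
            self.vocab.update(seq)
            for a, b in zip(seq, seq[1:]):
                self.pairs[a, b] += 1
                self.ctx[a] += 1

    def score(self, seq):
        """Mean negative log-likelihood per token; higher means less like normal behavior."""
        v = len(self.vocab) + 1  # one extra slot for tokens never seen in training
        nll = -sum(math.log((self.pairs[a, b] + 1) / (self.ctx[a] + v))
                   for a, b in zip(seq, seq[1:]))
        return nll / (len(seq) - 1)

def detect(train_lines, test_lines, tokenizer, k=3.0):
    """Flag each test line whose score exceeds mean + k*std of the training scores."""
    model = BigramModel([tokenizer(line) for line in train_lines])
    train_scores = [model.score(tokenizer(line)) for line in train_lines]
    threshold = mean(train_scores) + k * pstdev(train_scores)
    return [model.score(tokenizer(line)) > threshold for line in test_lines], threshold
```

Calling `detect(NORMAL, [HELD_OUT_NORMAL, SUSPICIOUS], word_tokens)` returns the per-event flags and the threshold; on this constructed sample the failed NTLM logon is flagged and the held-out normal event is not.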