
Research On Internal Threat Detection And Early Warning Method

Posted on: 2022-09-01
Degree: Master
Type: Thesis
Country: China
Candidate: L S Chen
Full Text: PDF
GTID: 2518306554470784
Subject: Computer Science and Technology
Abstract/Summary:
Because the internal users of a network system understand its network structure and security protocols and have access to its network resources, their threats are difficult to identify, and the consequences of their attacks can be far greater than those of external attacks. This has made insider threats one of the most challenging problems in the anomaly detection field in recent years. Existing insider threat detection algorithms suffer from a high false alarm rate, limited accuracy and a large demand for samples, seldom consider the "human" as the main factor in insider threats, and ignore the influence that similarity between users has on threatening attacks. Based on this, the thesis studies internal threat detection and early warning methods, aiming to improve the accuracy and comprehensiveness of internal user behavior detection and, at the same time, to discover the deep connections between users through user portraits and so realize effective threat warning. The research work is as follows:

(1) Because the scale and dimensionality of internal behavior data in the network keep increasing, internal threat detection models based on traditional machine learning methods have become increasingly complex and time-consuming. This thesis designs an internal threat detection and early warning model based on deep learning and user profiles. The model is divided into a data collection layer, a data preprocessing layer, an internal threat detection layer, a user profile layer and an internal threat warning layer; the internal threat detection layer and the early warning layer are the core of the model. The internal threat detection layer detects abnormal user behavior, and the user profile layer clusters users through attribute portraits, which provides the basis for the subsequent internal threat warning layer. Finally, a corresponding prototype system is designed on the basis of the proposed model.

(2) Most existing internal threat detection algorithms rely on a large amount of labeled data for training, and anomaly thresholds are mostly set from prior knowledge. Scarce data and the high cost of manual labeling can easily lead to poor detection performance. This thesis proposes a user behavior detection method based on a bidirectional generative adversarial network and the maximum between-class variance (OTSU) method. The method first trains a bidirectional generative adversarial network on normal behavior data to build a normal behavior model; then, in the detection stage, it uses OTSU to select an anomaly threshold automatically from the reconstruction error, achieving unsupervised detection of abnormal internal user behavior. Comparative experiments show that the method improves accuracy and recall while greatly reducing the false alarm rate and the missed alarm rate.

(3) Since the main body of internal threats is "people", and people with similar personalities in similar environments often react similarly to emergencies, existing internal threat detection, which ignores the potential connections between abnormal users, cannot give early warning of or prevent the recurrence of attack behavior. Aimed at the internal characteristics of users, a user portrait method based on hierarchical clustering is proposed. The method portrays the user's psychology, personality, job information and so on, forms a user attribute portrait, and groups users into potentially high-risk user groups. When an abnormal user is detected, supervision of the other users in the same group is strengthened, and in this way early warning of attack behavior is realized. Experimental results show that the method can effectively reduce the probability of recurrence of attacks.
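As an added illustration of points (2) and (3) above, the following Python sketch is not code from the thesis: it stands in for the trained bidirectional GAN with a constructed table of per-user reconstruction errors, selects the anomaly threshold with an exact one-dimensional Otsu (maximum between-class variance) search instead of a hand-set prior, and then uses average-linkage hierarchical clustering over constructed user attribute portraits to find which users share a group with a flagged user and so should be monitored more closely. All user ids, error values, profile columns and the function names are hypothetical.

```python
"""Otsu threshold over reconstruction errors, then hierarchical clustering of
user portraits for early warning.  Added example; every value is constructed."""
from itertools import combinations
from math import sqrt

# Constructed reconstruction errors, in the role of what a normal-behaviour
# model would output per user (a large error = behaviour it cannot reconstruct).
RECON_ERRORS = {
    "u01": 0.05, "u02": 0.07, "u03": 0.09, "u04": 0.10, "u05": 0.12,
    "u06": 0.14, "u07": 0.16, "u08": 0.18, "u09": 0.20,
    "u10": 0.82, "u11": 0.90,
}

# Constructed user attribute portraits: three hypothetical normalised scores
# (e.g. a psychological trait, a personality trait, a job-pressure indicator).
PROFILES = {
    "u01": (0.20, 0.20, 0.10), "u02": (0.25, 0.15, 0.10),
    "u03": (0.20, 0.25, 0.15), "u04": (0.15, 0.20, 0.10),
    "u05": (0.80, 0.30, 0.20), "u06": (0.85, 0.25, 0.20),
    "u07": (0.80, 0.35, 0.25), "u08": (0.75, 0.30, 0.20),
    "u09": (0.50, 0.90, 0.80), "u10": (0.55, 0.85, 0.80),
    "u11": (0.50, 0.90, 0.85),
}


def otsu_threshold(values):
    """Exact 1-D Otsu: pick the split of the sorted values that maximises the
    between-class variance w0*w1*(mu0-mu1)^2 and return the midpoint between
    the two classes, so no prior knowledge of the anomaly threshold is needed."""
    xs = sorted(values)
    n = len(xs)
    if n < 2:
        raise ValueError("need at least two values to split")
    total = sum(xs)
    best_var, best_split, running = -1.0, 1, 0.0
    for i in range(1, n):                      # i = size of the low class
        running += xs[i - 1]
        w0, w1 = i / n, (n - i) / n
        mu0, mu1 = running / i, (total - running) / (n - i)
        var_between = w0 * w1 * (mu0 - mu1) ** 2
        if var_between > best_var:
            best_var, best_split = var_between, i
    return (xs[best_split - 1] + xs[best_split]) / 2


def detect_anomalies(errors):
    """Return (threshold, sorted ids whose reconstruction error exceeds it)."""
    t = otsu_threshold(errors.values())
    return t, sorted(u for u, e in errors.items() if e > t)


def _dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def agglomerative_clusters(profiles, k):
    """Average-linkage hierarchical clustering of portraits down to k groups."""
    clusters = [[u] for u in profiles]
    while len(clusters) > k:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            pairs = [(a, b) for a in clusters[i] for b in clusters[j]]
            d = sum(_dist(profiles[a], profiles[b]) for a, b in pairs) / len(pairs)
            if best is None or d < best[0]:
                best = (d, i, j)
        _, i, j = best
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return [sorted(c) for c in clusters]


def early_warning(flagged, clusters):
    """Users sharing a portrait cluster with a flagged user but not flagged
    themselves: the group whose supervision the thesis says to strengthen."""
    flagged = set(flagged)
    peers = set()
    for c in clusters:
        if flagged & set(c):
            peers |= set(c) - flagged
    return sorted(peers)


if __name__ == "__main__":
    threshold, flagged = detect_anomalies(RECON_ERRORS)
    groups = agglomerative_clusters(PROFILES, k=3)
    print(f"auto threshold={threshold:.3f}  flagged={flagged}")
    print("portrait clusters:", groups)
    print("strengthen monitoring of:", early_warning(flagged, groups))
```

The Otsu step is the part that removes the prior-knowledge dependence the abstract criticises: the threshold falls wherever the error distribution splits most sharply, so it adapts to the data rather than to an operator's guess. The clustering step is deliberately unsupervised as well, since the portraits are attributes, not labels; in practice the number of groups k would be chosen from the dendrogram rather than fixed as here.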
Keywords/Search Tags: insider threat, bidirectional generative adversarial network, maximum interclass variance method, hierarchical clustering, user portrait