
Insider Threat Detection Based On User Behaviors

Posted on: 2022-07-25
Degree: Master
Type: Thesis
Country: China
Candidate: L L Zhao
GTID: 2518306563465544
Subject: Electronics and Communications Engineering
Abstract/Summary:
In recent years, insider attacks, including system damage, information theft, and electronic fraud, have posed serious threats to the security of individuals, enterprises, and even countries. The key to insider threat detection is to model normal behavior and to determine the existence of an insider threat from deviation from that model. At present, machine learning is a common method for insider threat detection. However, the technology requires a series of complex feature engineering steps and has certain limitations in practical application. To reduce the complexity of the model, most researchers ignore the temporal nature of user behavior and fail to identify insider attacks that last for a while. Besides, companies usually classify and store all user-generated behavioral data in different databases, so it is difficult to deal with large-scale heterogeneous log files and to extract features that reflect user behavior accurately. This paper comprehensively analyzes users' business operation behavior data and psychological data, and establishes an insider threat detection model for each. The main work of the paper is as follows:

(1) To improve the fine-grained features of heterogeneous log data and reflect user behavior attributes accurately, the paper proposes a session-based full feature extraction method. Combining this feature extraction method with the variational autoencoder, the paper also proposes a new variational autoencoder (LVE) based on Long Short-Term Memory (LSTM). Considering the temporal nature of user behaviors, LSTM is adopted in the encoding and decoding model: the input is processed by the encoder to generate hidden variables and is then restored as output from those hidden variables. Simulation results show that, compared with the isolation forest algorithm, the proposed method, which makes full use of information in the process of model construction, improves the recall rate.

(2) To optimize parameter selection for the DBSCAN algorithm, the paper proposes a density-based spatial clustering algorithm combining psychological data and attack threat (PD&AT-DBSCAN). The PD&AT-DBSCAN algorithm first clusters the psychological data of insider users, then constructs a similarity matrix based on the k-nearest neighbors and sets the optimal parameters, thus improving clustering accuracy. Simulation results show that the PD&AT-DBSCAN algorithm is superior to the traditional DBSCAN algorithm on both the ARI and NMI indices.

Finally, the paper summarizes the main work and looks ahead to future work.
Keywords/Search Tags:User Behavior Analytics, Variational Autoencoder, Cluster Analytics, Detection Efficiency