
Research On Insider Threat Detection Method Based On Machine Learning

Posted on: 2022-12-23
Degree: Master
Type: Thesis
Country: China
Candidate: C L Zhang
GTID: 2518306761969419
Subject: Automation Technology

Abstract/Summary:
In recent years, network security incidents caused by insider threats have been increasing. Compared with external intruders, insider threats are more difficult to detect and often cause greater losses to enterprises and organizations. Insider threat detection has therefore become a hot research direction in network security. However, current research still has shortcomings: the data for abnormal users and normal users is imbalanced, which results in a low recall rate for insider threat detection models. Because of their uninterpretability, deep learning algorithms have more difficulty dealing with data imbalance than machine learning algorithms, but machine learning algorithms rely heavily on feature engineering. In view of these problems, this thesis uses machine learning algorithms and studies two aspects, feature engineering and imbalance treatment. The main research work and innovations are as follows:

(1) A feature selection method based on an improved Ant Colony Algorithm is proposed. By using the distance correlation coefficient and adding category label nodes, the algorithm remedies the deficiency that the traditional Ant Colony Algorithm (ACO) cannot reflect the nonlinear relationship between features or the correlation between features and category labels.

(2) An insider threat detection method based on Geometric SMOTE (G-SMOTE) and Biased-SVM is proposed. This method extracts features of user behavior and uses the G-SMOTE algorithm to define a geometric region centered on each abnormal user sample in which to generate abnormal user samples, so as to balance the normal and abnormal user categories in the training set. Different penalty factors are set using the Biased-SVM algorithm to increase the weight the model gives to abnormal users.

(3) Based on the CERT data set, this thesis verifies the effectiveness of the G-SMOTE algorithm and the Biased-SVM algorithm in processing unbalanced data. The insider threat detection method in this thesis is compared with other detection methods. The experimental results show that this method effectively improves the effect of insider threat detection.
Keywords/Search Tags:insider threat detection, machine learning, Feature Engineering, category imbalance
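
The two steps of method (2) in the abstract, oversampling inside a geometric region around each abnormal sample and an SVM with a larger penalty factor for the abnormal class, are sketched below as an added example; it is not code from the thesis. It assumes a simplified G-SMOTE (plain hypersphere, no truncation or deformation), a linear SVM trained by subgradient descent, and constructed two-feature data; all function names and parameter values are hypothetical.

```python
import math
import random

def gsmote(abnormal, n_new, rng):
    """Return n_new (seed, radius, point) triples of synthetic abnormal samples.

    Simplification (assumption): each point is drawn uniformly from the
    hypersphere centred on a seed sample, with radius equal to the distance
    to that seed's nearest abnormal neighbour.
    """
    out = []
    for _ in range(n_new):
        seed = rng.choice(abnormal)
        radius = min(math.dist(seed, o) for o in abnormal if o is not seed)
        direction = [rng.gauss(0, 1) for _ in seed]
        norm = math.hypot(*direction)
        # u ** (1/d) makes the draw uniform over the ball's volume
        scale = radius * rng.random() ** (1 / len(seed)) / norm
        out.append((seed, radius, [s + d * scale for s, d in zip(seed, direction)]))
    return out

def svm_step(w, b, x, label, c, lr):
    """One subgradient step on 0.5*||w||^2 + c * hinge(label * (w.x + b))."""
    violated = label * (sum(wi * xi for wi, xi in zip(w, x)) + b) < 1
    g = c * label if violated else 0.0
    return [wi - lr * (wi - g * xi) for wi, xi in zip(w, x)], b + lr * g

def train_biased_svm(X, y, c_abnormal, c_normal, epochs=50, lr=0.001):
    """Linear Biased-SVM: label +1 = abnormal user, -1 = normal user."""
    w, b = [0.0] * len(X[0]), 0.0
    for _ in range(epochs):
        for x, label in zip(X, y):
            # the class-specific penalty factor is the only "biased" part
            c = c_abnormal if label == 1 else c_normal
            w, b = svm_step(w, b, x, label, c, lr)
    return w, b

def demo(seed=7):
    rng = random.Random(seed)
    # Constructed data: 2 behaviour features per user, 200 normal, 6 abnormal.
    normal = [[rng.gauss(0, 1), rng.gauss(0, 1)] for _ in range(200)]
    abnormal = [[rng.gauss(2.5, 0.5), rng.gauss(2.5, 0.5)] for _ in range(6)]
    synthetic = gsmote(abnormal, len(normal) - len(abnormal), rng)
    X = normal + abnormal + [p for _, _, p in synthetic]
    y = [-1] * len(normal) + [1] * (len(X) - len(normal))
    w, b = train_biased_svm(X, y, c_abnormal=5.0, c_normal=1.0)
    caught = sum(sum(wi * xi for wi, xi in zip(w, x)) + b > 0 for x in abnormal)
    return synthetic, caught / len(abnormal)

if __name__ == "__main__":
    print("recall on real abnormal users:", demo()[1])
```

Recall here is measured only on the real abnormal samples, since scoring the synthetic ones would overstate detection performance.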