With the development of information technology, cyberspace security has become an important issue for the country and society. Cyberspace security systems based on the zero-trust security architecture have gradually become the main solution. The zero-trust secure access mode implements dynamic access control over the whole process of user access and governs security trust across its whole life cycle. User behavior anomaly detection based on multi-source log data can serve as a trust engine, providing an important basis for the dynamic judgment of network security. Therefore, aiming at the security protection of enterprise network information service systems, this thesis studies the key technologies of user behavior anomaly detection in a zero-trust security system, addressing the key problems of data processing, feature extraction and anomaly detection algorithms for user behavior analysis in the zero-trust network security architecture, so as to help enterprises find network information security threats at low cost and with high efficiency. It therefore has important practical value for implementing zero-trust secure access. The research contents and contributions of this thesis are as follows:

(1) For user behavior feature extraction based on multi-source log data: the access strategies of different business systems in an enterprise differ, so the collected user behavior logs are very different, and feature extraction methods designed for one specific log cannot be widely reused. On the other hand, existing methods focus only on the type of user behavior, and anomaly detection is carried out at weekly or daily granularity, which greatly affects the detection results. Following the zero-trust idea, this thesis considers both the type of network user behavior and the fine-grained time information of each behavior, correlates and processes the multi-source logs to analyze normal user behavior habits offline, and uses word2vec to transform them into feature vectors that capture the semantic information of behavior, so as to extract user behavior features accurately.

(2) For improving the performance of the anomaly detection algorithm: current anomaly detection methods model the user's normal behavior information explicitly and directly, which leads to useless user behavior information or large deviations in the user behavior model, so the detection performance is unsatisfactory. This thesis proposes an anomaly detection algorithm based on a recurrent convolutional neural network and, for comparison with it, designs three further algorithms that learn the normal behavior model of network users to divide user behavior into normal and abnormal. The CERT dataset is used for experimental comparison and analysis. The proposed algorithm reaches an AUC score of up to 98% compared with previous anomaly detection models, which shows that it has a certain degree of advancement.

(3) There is no existing research or solution applying user behavior anomaly detection technology to a zero-trust network security system. This thesis proposes a zero-trust secure access solution for the data center to improve the active defense capability of network security access, and builds a zero-trust security system on the basis of the existing achievements of the internship company, which demonstrates the feasibility of the approach.
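The feature-extraction step of contribution (1), correlating heterogeneous logs per user and keeping fine-grained time in each behavior token, shown as an added example that is not the thesis's own code; the three log layouts, the field names and the one-hour time bucket are assumptions, and the log lines are constructed, not CERT data. The token sequences it produces are the input a word2vec embedding would be trained on.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs from three hypothetical sources, each with its own layout,
# which is why a parser written for one of them cannot be reused for the others.
LOGON_LOG = """\
2023-03-01 08:02:11,ACM1234,alice,PC-01,Logon
2023-03-01 17:31:40,ACM1235,alice,PC-01,Logoff
2023-03-01 02:14:05,ACM1236,alice,PC-07,Logon
"""
DEVICE_LOG = """\
id=ACM2001 date=2023-03-01T02:20:33 user=alice pc=PC-07 activity=Connect
id=ACM2002 date=2023-03-01T02:48:10 user=alice pc=PC-07 activity=Disconnect
"""
HTTP_LOG = """\
alice|2023-03-01 09:15:02|PC-01|http://intranet.example/wiki
alice|2023-03-01 02:31:57|PC-07|http://fileshare.example/upload
"""

def parse_logon(text):
    for line in text.splitlines():
        ts, _id, user, _pc, act = line.split(",")
        yield user, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), act.lower()

def parse_device(text):
    for line in text.splitlines():
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        yield kv["user"], datetime.fromisoformat(kv["date"]), "usb_" + kv["activity"].lower()

def parse_http(text):
    for line in text.splitlines():
        user, ts, _pc, url = line.split("|")
        yield user, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "http_" + url.rsplit("/", 1)[-1]

def build_sequences(*sources, bucket_minutes=60):
    """Merge events from all sources per (user, day), order them by time, and emit
    tokens <behavior>@<time bucket>. Keeping the bucket in the token means a logon
    at 02:00 is a different word from a logon at 08:00, so habitual timing is learned."""
    per_user_day = defaultdict(list)
    for src in sources:
        for user, ts, act in src:
            per_user_day[(user, ts.date().isoformat())].append((ts, act))
    sequences = {}
    for key, events in per_user_day.items():
        events.sort()
        sequences[key] = [f"{act}@{(ts.hour * 60 + ts.minute) // bucket_minutes:02d}"
                          for ts, act in events]
    return sequences

def example_sequences():
    return build_sequences(parse_logon(LOGON_LOG), parse_device(DEVICE_LOG), parse_http(HTTP_LOG))
```

In the resulting sequence the 02:xx cluster (logon, USB connect, upload, USB disconnect) stands out from the 08:00 to 17:00 routine only because the time bucket is part of the token; a type-only representation would treat both logons as the same word.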