| Insider threat means that malicious people in an organization deliberately abuse their access privileges to the organization's internal network, systems and data to carry out acts that endanger its security. Such behaviors are usually low-frequency, variable, and very covert, and thus cause great harm to the organization. This indirectly suggests that research on efficient, accurate and practical insider threat detection methods has great practical significance for reducing the harm caused by insider threats. At present, traditional methods struggle to further improve their detection accuracy because of uneven data distribution and a lack of sufficient labeled data in the field of insider behavioral threat detection; their detection results also cannot be associated with specific threat scenarios and lack interpretability. On this basis, a multi-scenario insider behavioral threat detection method is studied to improve the effectiveness of detection. At the same time, we provide a security reference for organizations by building user profiles and mining the correlation between threat behaviors and users. The main research work is as follows: (1) Considering the current complex and changeable network environment, a hierarchical insider behavioral threat detection and user portrait construction model is constructed with reference to the current insider behavioral threat detection structure. The model is composed, from bottom to top, of a data acquisition layer, a data processing layer, an insider behavior threat detection layer, a user portrait construction layer and an application layer; the insider behavior threat detection layer uses a deep learning algorithm to detect threat behavior, and the user portrait layer constructs user portraits through a clustering algorithm. Finally, a corresponding prototype system is implemented according to the constructed model, and its effectiveness is verified. (2) Due to the uneven distribution of insider threat
detection data and the lack of labeled data, most detection methods only detect based on abnormal data, and the detection results cannot be related to the corresponding threat scenarios. To address these problems, an insider behavioral threat detection method based on a prototypical network and Conditional Wasserstein Generative Adversarial Networks (CWGAN) was proposed. This method adopted a prototypical network to achieve a prototypical representation of the training data. Second, the CWGAN network was used to implement data augmentation for threat samples, increasing the diversity and discriminability of test data features. Finally, behavioral threat detection was realized by calculating the distance similarity between the test data and the prototype representation. In addition, a Genetic Algorithm (GA) was employed to automatically optimize the parameters of the entire model. The experimental results confirmed that its detection performance and efficiency are improved to a certain extent compared with other similar methods. (3) Most research on insider threat focuses on behavioral anomaly detection, while little attention is paid to the users themselves and their deep connection with threat behaviors. Existing research shows that user groups that engage in threatening behaviors often have similar personalities, environments, or work content, suggesting that co-supervision of user groups can effectively prevent the recurrence of specific behaviors. To this end, an internal user portrait construction method based on an improved Gaussian Mixture Model (GMM) was proposed. This method constructed the portrait label system by collecting the internal and attribute characteristics of users, then clustered similar users and constructed their user portraits through the improved GMM algorithm, and finally realized the common supervision of threat and potential-threat user groups. The experimental results showed that its clustering accuracy is improved to some extent compared with other clustering
algorithms. |
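
The distance-to-prototype detection step summarized in item (2), as an added example that is not code from the work described above: each scenario's prototype is the mean of its few labeled samples, and a new user-day is assigned to the nearest prototype, which ties the alert to a named scenario. Assumptions: the scenario names and feature values are constructed, `embed` is an identity stand-in for the trained embedding network, squared Euclidean distance is used as the similarity, and the CWGAN augmentation and GA tuning are omitted.

```python
import math

# Constructed support set: per-user-day features scaled to [0, 1]
# (after-hours logons, USB file copies, external uploads, external emails).
SUPPORT = {
    "normal": [(0.05, 0.00, 0.10, 0.20), (0.10, 0.05, 0.05, 0.30), (0.00, 0.00, 0.15, 0.25)],
    "data_exfiltration": [(0.80, 0.90, 0.70, 0.10), (0.90, 0.70, 0.90, 0.20)],
    "job_hunting_theft": [(0.10, 0.80, 0.20, 0.90), (0.20, 0.90, 0.10, 0.80)],
}


def embed(x):
    # Assumption: identity map in place of the learned embedding network.
    return tuple(x)


def prototypes(support):
    """Prototype of each scenario = mean of its embedded support samples."""
    protos = {}
    for label, samples in support.items():
        vecs = [embed(s) for s in samples]
        protos[label] = tuple(sum(col) / len(vecs) for col in zip(*vecs))
    return protos


def classify(x, protos):
    """Return (scenario, probabilities) via softmax over negative squared distances."""
    z = embed(x)
    d2 = {lbl: sum((a - b) ** 2 for a, b in zip(z, p)) for lbl, p in protos.items()}
    m = min(d2.values())  # shift exponents for numerical stability
    w = {lbl: math.exp(-(d - m)) for lbl, d in d2.items()}
    total = sum(w.values())
    probs = {lbl: v / total for lbl, v in w.items()}
    return min(d2, key=d2.get), probs


PROTOS = prototypes(SUPPORT)

if __name__ == "__main__":
    # Constructed query days: one per scenario.
    for day in [(0.85, 0.80, 0.75, 0.15), (0.05, 0.02, 0.10, 0.22), (0.15, 0.85, 0.15, 0.95)]:
        label, probs = classify(day, PROTOS)
        print(day, "->", label, {k: round(v, 3) for k, v in probs.items()})
```

Because the prototype is a per-class mean, the two-sample threat classes carry the same weight at decision time as the larger normal class, which is why this family of models suits scarce, imbalanced labels.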