
Analysis And Detection Of User Malicious Behavior Based On Deep Learning

Posted on: 2023-01-03
Degree: Master
Type: Thesis
Country: China
Candidate: R H Tan
GTID: 2568306839967309
Subject: Mathematics
Abstract/Summary:
Because the internal users of a network system are familiar with the internal network structure and have access to network resources, their threat behavior is hidden within normal behavior and is difficult to identify. The consequences of their attacks are even more severe than those of external attacks, which has made the internal threat one of the most challenging problems in the field of anomaly detection in recent years. Existing internal threat detection algorithms suffer from a high false positive rate, limited accuracy, a large demand for samples and incomplete feature selection, and they ignore the impact of similarity between users on threat attacks.

Based on deep learning, this paper studies the malicious behavior of users, aiming to improve the accuracy and comprehensiveness of internal user behavior detection. The approach combines the user's business logic with the details of the user's own behavior, and with the influence that similar users' behavior and the user's own historical behavior have on the user's behavior, in order to screen out the more threatening groups, users and behaviors. As the screening deepens, it effectively improves the efficiency of anomaly detection and effectively distinguishes malicious behaviors. The main research work is as follows:

1. The user's business data, such as department, group, work function and other business data, is combined with the user's psychological characteristic data, and the K-Means algorithm is used to cluster users. Users with high similarity are gathered into one category, which effectively screens out the "high-risk" user groups that are more likely to perform malicious acts.

2. The Long Short-Term Memory model is trained on two sets of data: the user's own behavior together with the user's historical behavior data, and the user's own behavior together with the behavior data of similar users. The two scores obtained from the model training results are linearly combined. The combined model has higher accuracy than the single model, which provides a strong basis for screening abnormal users.

3. To build the characteristics of each behavior, the category and frequency data of users' multi-domain behavior are integrated, and specific information in text data is extracted and classified using natural language processing methods. This information includes, but is not limited to, user position, behavior category and behavior frequency. Based on these characteristics, the Graph Convolutional Networks model is used to classify user behavior and effectively distinguish malicious behavior.
Keywords/Search Tags:internal threat, anomaly detection, K-Means, Long Short-Term Memory model, Graph Convolutional Networks model