Insider threats are threats posed by employees of an organization, or by other people with access to the organization's systems, who use their access rights to commit misconduct such as launching network attacks, stealing sensitive information, and damaging the organization's systems. Insider threats pose a serious risk to organizational system security because insider behavior is difficult for traditional security protection measures to detect and defend against, and it causes large economic losses to the organization. Currently, the data sources and algorithms available in the field of insider threat detection are insufficient and cannot adapt to new insider threat scenarios, which makes insider threat detection algorithms difficult to put into practice. This paper studies an identity authentication method based on mouse operation behavior and an insider threat behavior detection method based on online learning. The main work of the paper is as follows:

(1) An internal user identity authentication method based on an Efficient Channel Attention-Temporal Convolutional Network (ECA-TCN) is proposed. The method uses ECA-TCN to automatically extract features of mouse operation behavior, providing effective input data for the subsequent identity authentication. By combining a temporal convolutional network with an attention mechanism that emphasizes important features, ECA-TCN captures the temporal dynamic characteristics of mouse operation behavior better. A One-Class Support Vector Machine (OCSVM) is then constructed for each user to distinguish the dynamic mouse-operation features of different users. Comparison experiments show that ECA-TCN reaches an AUC of 0.96, higher than the other temporal algorithms, with a shorter training time than LSTM and GRU and fewer model parameters than FCN. Its overall performance is therefore better than that of the other temporal algorithms, and it can be applied in the field of authentication to better secure the internal system.

(2) An insider threat detection method based on the Passive-Aggressive online learning algorithm (Passive Aggressive-Insider Threat Detection, PA-ITD) is proposed. Traditional batch learning models are trained on static data sets and cannot adapt to new data. Online learning models adapt to new data in real time and adjust their detection criteria to the latest threat scenarios. A detection model can thus learn the features of insider threat scenarios it has never encountered before, without retraining the entire model, which eases the transition of detection model deployment from experimental to real production environments. Comparison experiments show that PA-ITD maintains a stable AUC even when it encounters insider threat scenarios it was not trained on, and that its F1, Recall, FPR, and FNR values are better than those of other online learning algorithms, so it adapts better to the actual production environment.

(3) An online insider threat behavior detection system based on multi-data-source fusion is designed. The system integrates the ECA-TCN and PA-ITD algorithms and consists, from bottom to top, of a data acquisition module, a data preprocessing module, a feature extraction module, an identity authentication module, an insider threat behavior detection and update module, and an alarm and manual feedback module. By fusing mouse behavior data with the log data traditionally used for insider threat detection, and by detecting abnormal behavior with online learning algorithms and a manual feedback mode, the system adapts to new insider threat scenarios in a timely manner.
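The following is an added example, not code from the paper or its system, that illustrates the two ideas behind PA-ITD and the alarm-and-manual-feedback module described above: a Passive-Aggressive (PA-I, Crammer et al. 2006) linear detector that is updated one event at a time, and an analyst feedback step that corrects it online. The feature layout, the sample events, their labels and the class/function names (`PAInsiderDetector`, `process_event`, `run_demo`) are all assumptions constructed for this example; the abstract does not state the paper's real feature set or API. The demo warms the model up on one known threat scenario, then shows that a previously unseen scenario is missed at first, is learned from a single analyst verdict without retraining, and is still missed by a frozen copy of the model that stands in for a batch-trained detector.

```python
"""Added example (not from the paper): Passive-Aggressive online insider-threat
detector with an analyst feedback loop, in the spirit of PA-ITD and the
alarm-and-manual-feedback module of the system described in the abstract.

Feature layout, sample events and labels are constructed for this example.
"""
from copy import deepcopy
from typing import Dict, List, Sequence

# Constructed feature vector, each component scaled to [0, 1]:
#   0: fraction of logons outside working hours
#   1: removable-device activity (normalised event count)
#   2: upload volume to external hosts (normalised)
#   3: mouse-behaviour authentication mismatch (1 - per-user OCSVM confidence)
FEATURE_NAMES = ["after_hours_logon", "usb_activity", "external_upload", "mouse_mismatch"]
MALICIOUS, BENIGN = 1, -1


class PAInsiderDetector:
    """Linear classifier trained with the PA-I update (Crammer et al. 2006).

    score(x) = w.x + b; predict +1 (malicious) if score > 0 else -1 (benign).
    Every labelled event is seen once: if it is already classified with a
    margin of at least 1 the model stays passive, otherwise it moves just far
    enough to fix the error, with the step capped at C so that a single noisy
    analyst label cannot swing the model arbitrarily far.
    """

    def __init__(self, n_features: int, C: float = 0.5) -> None:
        self.w: List[float] = [0.0] * n_features
        self.b: float = 0.0
        self.C = C

    def score(self, x: Sequence[float]) -> float:
        return sum(wi * xi for wi, xi in zip(self.w, x)) + self.b

    def predict(self, x: Sequence[float]) -> int:
        return MALICIOUS if self.score(x) > 0 else BENIGN

    def update(self, x: Sequence[float], y: int) -> float:
        """One PA-I step on a labelled event; returns the hinge loss before the step."""
        loss = max(0.0, 1.0 - y * self.score(x))
        if loss == 0.0:
            return 0.0                        # passive: already correct with margin
        # The bias is treated as a constant feature equal to 1, hence the +1.
        norm_sq = sum(xi * xi for xi in x) + 1.0
        tau = min(self.C, loss / norm_sq)     # aggressive, but bounded by C
        self.w = [wi + tau * y * xi for wi, xi in zip(self.w, x)]
        self.b += tau * y
        return loss


def process_event(det: PAInsiderDetector, x: Sequence[float], analyst_label: int) -> Dict[str, object]:
    """Alarm-and-feedback step: alert from the current model, then let the
    analyst's verdict correct the model online (no change if it was already right)."""
    alerted = det.predict(x) == MALICIOUS
    loss = det.update(x, analyst_label)
    return {"alerted": alerted, "analyst_label": analyst_label, "loss": loss}


def run_demo() -> Dict[str, int]:
    """Warm up on scenario A (after-hours logons + USB use), then meet scenario B
    (bulk external upload) for the first time. Returns the predictions checked below."""
    det = PAInsiderDetector(n_features=len(FEATURE_NAMES), C=0.5)

    # Constructed warm-up stream: benign events interleaved with scenario-A events.
    warmup = [
        ([0.1, 0.0, 0.1, 0.0], BENIGN),
        ([0.9, 0.8, 0.2, 0.6], MALICIOUS),
        ([0.0, 0.1, 0.2, 0.1], BENIGN),
        ([0.8, 0.9, 0.1, 0.7], MALICIOUS),
        ([0.2, 0.0, 0.1, 0.1], BENIGN),
    ]
    for x, y in warmup:
        det.update(x, y)

    scenario_a = [0.9, 0.9, 0.2, 0.5]   # looks like the trained scenario
    benign = [0.1, 0.1, 0.1, 0.0]       # ordinary working day
    novel_1 = [0.1, 0.0, 0.9, 0.1]      # scenario B: large external upload, first sighting
    novel_2 = [0.0, 0.1, 0.8, 0.2]      # scenario B again, a later event

    frozen = deepcopy(det)              # stands in for a batch model that is never updated
    out: Dict[str, int] = {
        "online_scenario_a": det.predict(scenario_a),
        "online_benign_before": det.predict(benign),
    }
    first = process_event(det, novel_1, MALICIOUS)   # missed at first; analyst confirms it
    out["online_novel_first_seen"] = MALICIOUS if first["alerted"] else BENIGN
    out["online_novel_second"] = det.predict(novel_2)  # learned from one verdict
    out["frozen_novel_second"] = frozen.predict(novel_2)  # batch model still misses it
    out["online_benign_after"] = det.predict(benign)  # benign traffic still benign
    return out


if __name__ == "__main__":
    for name, label in run_demo().items():
        print(f"{name:>26}: {'malicious' if label == MALICIOUS else 'benign'}")
```

The capped step size is the point of using PA-I rather than plain PA here: with `C=0.5` the single analyst verdict on the first scenario-B event is enough to catch the next one, while the benign test event stays below the decision threshold; with an uncapped step the same verdict would move the bias far enough to turn that benign event into a false positive, which is the kind of instability the manual feedback loop has to absorb.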