Netinfo Security (信息网络安全) ›› 2020, Vol. 20 ›› Issue (9): 17-21. doi: 10.3969/j.issn.1671-1122.2020.09.004

• Selected Papers •

Method of Insider Threat Detection Based on LSTM Regression Model

HUANG Na1,2, HE Jingsha2, WU Yabiao1, LI Jianguo1

  1. Beijing TopSec Science & Technology Inc., Beijing 100085, China
  2. Beijing University of Technology, Beijing 100124, China
  • Received: 2020-07-16 Online: 2020-09-10 Published: 2020-10-15
  • Contact: Na HUANG E-mail: huang_na@topsec.com.cn
  • Author biographies: HUANG Na (born 1990), female, from Shandong, engineer, Ph.D.; main research interests: machine learning, information and network security. HE Jingsha (born 1961), male, from Shaanxi, professor, Ph.D.; main research interests: computer and network security, wireless sensor networks, digital forensics. WU Yabiao (born 1971), male, from Fujian, senior engineer, bachelor's degree; main research interests: network security. LI Jianguo (born 1964), male, from Shandong, senior engineer, master's degree; main research interests: IoT security, applied cryptography, machine learning and network security.

Abstract:

Malicious behavior initiated by insiders poses a security threat to enterprises, and detecting it is difficult because the boundary between normal and malicious behavior is blurred and labelled sample data are scarce. This paper proposes an LSTM (Long Short-Term Memory) regression model that performs regression analysis on time series and outputs a prediction of the user's behavior sequence. To account for differences between users, the model learns each user's behavior pattern separately, distinguished by user ID, and is trained continuously with newly arriving real-time data; at test time the difference between the predicted value and the actual value is taken as the anomaly score. The method not only predicts user behavior in the next period but also detects anomalous behavior against the learned normal behavior pattern, addressing the shortage of positive (insider-threat) samples.

Key words: insider threat detection, user-behavior prediction, anomaly detection
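The detection pipeline the abstract describes (a per-user model keyed by user ID, retrained as new observations arrive, with the prediction error used as the anomaly score) is shown below as an added illustration; it is not the paper's code. The paper's predictor is an LSTM; this example substitutes a linear autoregression fitted by ordinary least squares so it runs on the standard library alone, and the daily per-user event counts, the `NOISE` wobble, the user names and the threshold rule (1.5 times the largest training residual) are all constructed assumptions.

```python
"""Per-user behaviour-sequence regression with prediction-error anomaly scores.

Added illustration, not the paper's code. The paper fits an LSTM per user; here
the predictor is a linear autoregression (AR(2) plus bias) fitted by ordinary
least squares. The daily event counts per user are constructed.
"""

LAGS = 2                 # autoregressive order (assumption; the paper's LSTM sees longer windows)
THRESHOLD_FACTOR = 1.5   # anomaly threshold = factor * largest training residual (assumption)


def solve(a, b):
    """Solve the square linear system a x = b by Gauss-Jordan elimination with pivoting."""
    n = len(b)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def predict(weights, lags):
    """Estimate x_t = w0 + w1*x_{t-LAGS} + ... + w_LAGS*x_{t-1}."""
    return weights[0] + sum(w * x for w, x in zip(weights[1:], lags))


def fit_ar(series):
    """OLS fit of the autoregression; returns (weights, largest absolute residual)."""
    rows = [[1.0] + list(series[t - LAGS:t]) for t in range(LAGS, len(series))]
    ys = series[LAGS:]
    k = LAGS + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(rows, ys)) for i in range(k)]
    weights = solve(xtx, xty)
    max_res = max(abs(y - predict(weights, r[1:])) for r, y in zip(rows, ys))
    return weights, max_res


class UserBehaviorModel:
    """One user's history and the regression fitted to it (keyed by user ID in the detector)."""

    def __init__(self, history):
        self.history = list(history)
        self.weights, self.max_res = fit_ar(self.history)

    def score(self, actual):
        """Anomaly score = |actual - predicted|, as in the paper."""
        return abs(actual - predict(self.weights, self.history[-LAGS:]))

    def observe(self, actual):
        """Score a new observation; if it is normal, fold it in and retrain.

        Skipping flagged observations is this example's choice (the paper only says the
        model keeps training on updated data); it stops a spike becoming the new normal.
        """
        s = self.score(actual)
        flagged = s > THRESHOLD_FACTOR * self.max_res
        if not flagged:
            self.history.append(actual)
            self.weights, self.max_res = fit_ar(self.history)
        return s, flagged


class InsiderThreatDetector:
    """Per-user models selected by user ID, mirroring the paper's per-user learning."""

    def __init__(self):
        self.models = {}

    def train(self, user_id, history):
        self.models[user_id] = UserBehaviorModel(history)

    def observe(self, user_id, actual):
        return self.models[user_id].observe(actual)


# Constructed daily event counts: a base level plus a repeating deterministic wobble.
NOISE = [0, 1, -1, 2, 0, -2, 1, 0, -1, 1]


def constructed_history(base, days):
    return [base + NOISE[d % len(NOISE)] for d in range(days)]


def demo():
    """Train two users on 30 constructed days, then score three live observations."""
    det = InsiderThreatDetector()
    det.train("alice", constructed_history(20, 30))   # about 20 file accesses per day
    det.train("bob", constructed_history(5, 30))      # about 5 per day
    return {
        "alice_normal": det.observe("alice", 20),  # fits her pattern -> low score
        "alice_spike": det.observe("alice", 80),   # four times her usual volume
        "bob_normal": det.observe("bob", 5),       # 5 is normal for bob, not for alice
    }


if __name__ == "__main__":
    for name, (score, flagged) in demo().items():
        print(f"{name}: score={score:.2f} flagged={flagged}")
```

Two points the example makes concrete: the same count (5 events) is normal for one user and would be a large negative deviation for another, which is why the paper keys models by user ID; and continuous retraining needs a rule for what gets fed back, since retraining on a flagged observation would teach the model the anomaly as normal and suppress later alerts. An operational threshold would be derived from the residual distribution (for example a high quantile on held-out days) rather than the fixed factor used here.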
