基于CNN-LSTM算法的内部威胁检测方法

doi:10.3969/j.issn.1671-1122.2025.02.012

摘要/Abstract

摘要：

企业或组织面临的信息安全风险主要来自内部威胁，特别是内部人员的恶意行为，这类风险相较于外部攻击更具隐蔽性和难以检测性。为了更加准确地检测出企业或组织内部人员的恶意行为，文章基于用户行为日志分析，提出一种基于CNN-LSTM算法的内部威胁检测方法。该方法使用CMU CERT R4.2公开的内部威胁数据集构建用户行为特征序列，首先通过CNN层对用户行为进行重要特征提取，然后使用LSTM层进行用户行为预测，最后通过全连接层识别用户的行为是否为威胁行为。将文章所提出的模型与 CNN、LSTM、LSTM-CNN 等经典内部威胁检测模型进行了对比实验。实验结果验证了所提模型的可实现性，并且展现出其在内部威胁行为检测方面的优势。在评估指标中，该模型的AUC得分达到0.99。具体而言，实验表明采用 CNN-LSTM 算法进行内部威胁检测的方法能够显著降低误报率，准确率达到98% ，能够有效识别企业内部潜藏的威胁行为。

关键词: 内部威胁检测, 用户行为日志, CNN, LSTM

Abstract:

The primary information security risks encountered by enterprises and organizations stem from internal threats, particularly malicious behaviors by internal personnel. These risks are inherently more covert and difficult to detect compared to external attacks. To improve the accuracy of detecting malicious behaviors by internal personnel, this study proposed an insider threat detection model based on the CNN-LSTM algorithm, utilizing user behavior log analysis. The model leveraged the publicly available CMU CERT R4.2 insider threat dataset to construct sequences of user behavior features. In this model, a CNN layer was first employed to extract key features from user behavior data, followed by an LSTM layer to capture temporal dependencies and predict behavior patterns. Finally, a fully connected layer is used to determine whether the behavior constitutes a threat. Comparative experiments with CNN, LSTM, and LSTM-CNN models validate the feasibility and superior performance of the proposed model in detecting insider threats, achieving an AUC score of 0.99. The experimental results further demonstrate that the CNN-LSTM algorithm significantly reduces the false positive rate and achieves a detection accuracy of 98%, effectively identifying potential internal threats within organizations.

Key words: insider threat detection, user behavior logs, CNN, LSTM

中图分类号:

TP309

杨梦华, 易军凯, 朱贺军. 基于CNN-LSTM算法的内部威胁检测方法[J]. 信息网络安全, 2025, 25(2): 327-336.

YANG Menghua, YI Junkai, ZHU Hejun. CNN-LSTM Algorithm-Based Insider Threat Detection Model[J]. Netinfo Security, 2025, 25(2): 327-336.

图/表 11

图1

表1

图2

表2

表3

图3

图4

表4

表5

表6

表7

参考文献 22

[1]	Gurucul. 2024 Insider Threat Report[EB/OL]. (2024-09-19)[2024-12-01]. https://gurucul.com/2024-insider-threat-report/.
[2]	YANG Guang, MA Jiangang, YU Aimin, et al. Survey of Insider Threat Detection[J]. Journal of Cyber Security, 2016, 1(3): 21-36.
[3]	DING Zixuan, CHEN Guo. Internal Network Security Threat Detection Method Based on XGBoost Algorithm[J]. Journal of Jilin University (Information Science Edition), 2024, 42(2): 366-371.
	丁梓轩, 陈国. 基于XGBoost算法的内部网络安全威胁检测方法[J]. 吉林大学学报(信息科学版), 2024, 42(2):366-371.
[4]	LU Gaole, ZHANG Huixiang, LIU Tianluo, et al. Experimental Evaluation of Insider Threat Detection Methods Based on Temporal Representation[C]// IEEE. 2022 IEEE 10th International Conference on Information, Communication and Networks (ICICN). New York: IEEE, 2022: 682-688.
[5]	PADMAVATHI G, SHANMUGAPRIYA D, ASHA S. A Framework to Detect the Malicious Insider Threat in Cloud Environment Using Supervised Learning Methods[C]// IEEE. 2022 9th International Conference on Computing for Sustainable Global Development (INDIACom). New York: IEEE, 2022: 354-358.
[6]	HAIDAR D, GABER M M. Data Stream Clustering for Real-Time Anomaly Detection: An Application to Insider Threats[EB/OL]. (2018-11-28)[2024-12-01]. https://doi.org/10.1007/978-3-319-97864-2_6.
[7]	LE D C, ZINCIR-HEYWOOD N. Anomaly Detection for Insider Threats Using Unsupervised Ensembles[J]. IEEE Transactions on Network and Service Management, 2021, 18(2): 1152-1164.
[8]	PREETAM P, PRATIK C, MAYANK S. Temporal Feature Aggregation with Attention for Insider Threat Detection from Activity Logs[EB/OL]. (2023-08-15)[2024-12-01]. https://www.sciencedirect.com/science/article/pii/S0957417423004268.
[9]	ZHANG Guanghua, YAN Fengru, ZHANG Dongwen, et al. Internal Threat Detection Model Based on LSTM-Attention[J]. Netinfo Security, 2022, 22(2): 1-10.
	张光华, 闫风如, 张冬雯, 等. 基于LSTM-Attention的内部威胁检测模型[J]. 信息网络安全, 2022, 22(2):1-10.
[10]	BALARAM S, PRABHAT P, BASANTA J. User Behavior Analytics for Anomaly Detection Using LSTM Autoencoder-Insider Threat Detection[EB/OL]. (2020-07-03)[2024-12-01]. https://doi.org/10.1145/3406601.3406610.
[11]	SUN Degang, LIU Meichen, LI Meimei, et al. DeepMIT: A Novel Malicious Insider Threat Detection Framework Based on Recurrent Neural Network[C]// IEEE. 2021 IEEE 24th International Conference on Computer Supported Cooperative Work in Design (CSCWD). New York: IEEE, 2021: 335-341.
[12]	WANG Yifeng, GUO Yuanbo, LI Tao, et al. Research on Internal Threat Detection Method Under Small Sample Size[J]. Journal of Chinese Computer Systems, 2019, 40(11): 2330-2336.
	王一丰, 郭渊博, 李涛, 等. 一种小样本下的内部威胁检测方法研究[J]. 小型微型计算机系统, 2019, 40(11):2330-2336.
[13]	GAYATHRI R G, SAJJANHAR A, YONG Xiang. Image-Based Feature Representation for Insider Threat Classification[EB/OL]. (2020-07-15)[2024-12-01]. https://www.mdpi.com/2076-3417/10/14/4945.
[14]	ANJU A, KRISHNAMURTHY M. M-EOS: Modified-Equilibrium Optimization-Based Stacked CNN for Insider Threat Detection[J]. Wireless Networks, 2024, 30: 2819-2838.
[15]	YUAN Fangfang, CAO Yanan, SHANG Yanmin, et al. Insider Threat Detection with Deep Neural Network[C]// Springer. Computational Science-ICCS 2018. Heidelberg: Springer, 2018: 43-54.
[16]	SINGH M, MEHTRE B M, SANGEETHA S. User Behavior Profiling Using Ensemble Approach for Insider Threat Detection[C]// IEEE. 2019 IEEE 5th International Conference on Identity, Security, and Behavior Analysis (ISBA). New York: IEEE, 2019: 1-8.
[17]	MORI H, KOBAYASHI H. Optimal Fuzzy Inference for Short-Term Load Forecasting[C]// IEEE. Proceedings of Power Industry Computer Applications Conference. New York: IEEE, 1995: 312-318.
[18]	LIU Yiqing, CHEN Xinfang. Research on Power Consumption Prediction Based on CNN+LSTM Hybrid Model[J]. Computer & Telecommunication, 2023(7): 65-69.
	刘义卿, 陈新房. 基于CNN+LSTM混合模型的电力消耗预测研究[J]. 电脑与电信, 2023(7):65-69.
[19]	GLASSER J, LINDAUER B. Bridging the Gap: A Pragmatic Approach to Generating Insider Threat Data[C]// IEEE. 2013 IEEE Security and Privacy Workshops. New York: IEEE, 2013: 98-104.
[20]	PANTELIDIS E, BENDIAB G, SHIAELES S, et al. Insider Threat Detection Using Deep Autoencoder and Variational Autoencoder Neural Networks[C]// IEEE. 2021 IEEE International Conference on Cyber Security and Resilience (CSR). New York: IEEE, 2021: 129-134.
[21]	KAREV D, MCCUBBIN C, VAULIN R. Cyber Threat Hunting through the Use of an Isolation Forest[C]// ACM. CompSysTech’17: Proceedings of the 18th International Conference on Computer Systems and Technologies. New York: ACM, 2017: 163-170.
[22]	LE D C, ZINCIR-HEYWOOD N. Exploring Anomalous Behaviour Detection and Classification for Insider Threat Identification[EB/OL]. (2020-03-24)[2024-12-01]. https://doi.org/10.1002/nem.2109.

符号	定义
$S=\{{{s}_{1}},{{s}_{2}},\cdots,{{s}_{m}}\}$	内部人员集合，其中${{s}_{i}}$表示某一个内部用户，$m$为内部用户的总数
$X_{S}^{m}=\{{{x}_{1}},{{x}_{2}},\cdots,{{x}_{k}}\}$	用户行为特征序列集合，$k$为特征总数，每个特征${{x}_{i}}(i\in \{1,2,\cdots,k\})$ 表示某一个具体用户的行为属性
$N$	输入数据的批量大小，模型训练迭代中处理的样本数量，在本文实验中，批量大小设置为64
$T$	时间步长，表示输入数据中每个样本包含的时间序列长度，为了捕捉用户行为的时序依赖关系，本文将时间步长T设置为5，表示每个输入样本包含连续5天的用户行为数据

数据类型	内容描述	日志条数/条	备注
logon	用户登录/登出活动	845860	任何特定用户的平均习惯每天都保持一致。一些用户会在非工作时间登录，大多数不会
device	用户使用拇指驱动器活动	405381	用户每天使用拇指驱动器的次数是正常的/平均的
http	用户访问网页获得	28434424	URL中的单词通常与网页主题相关

特征类型	特征编号	特征
Logon	${{x}_{1}}\sim {{x}_{16}}$	每个时间段内用户登录/登出的次数，全天内用户登录/登出的总次数，全天内用户登录/登出的最早/最晚时间，工作时间内用户登录/登出的最早/最晚时间，非工作时间内用户登录/登出的最早/最晚时间
device	${{x}_{17}}\sim {{x}_{32}}$	每个时间段内用户使用可移动设备连接/断开的次数，全天内用户使用可移动设备连接/断开的总次数，全天内用户使用可移动设备连接/断开的最早/最晚时间，工作时间内用户使用可移动设备连接/断开的最早/最晚时间，非工作时间内用户使用可移动设备连接/断开的最早/最晚时间
http	${{x}_{32}}\sim {{x}_{41}}$	每个时间段内用户访问可疑网站的次数，全天内用户访问可疑网站的总次数，全天内用户访问可疑网站的最早/最晚时间，工作时间内用户访问可疑网站的最早/最晚时间，非工作时间内用户访问可疑网站的最早/最晚时间，非工作时间内用户上传文件到可疑网站的次数

模型类别	主要参数	取值
CNN	学习率	0.001
	卷积核个数	32
	卷积核大小	2、3、4
	池化核大小	2x2
	优化函数	Adam
	激活函数	ReLU
	Dropout	0.5
	Dense 单元数	1
	Dense 激活函数	Sigmoid
LSTM	学习率	0.001
	隐藏层神经元数量	128
	LSTM 隐藏层数量	1
	优化函数	Adam
	Dropout	0.5
	Dense 单元数	1
	Dense 激活函数	Sigmoid
CNN-LSTM	学习率	0.001
	卷积核个数	32
	卷积核大小	2、3、4
	池化核大小	2x2
	优化函数	Adam
	Dropout	0.5
	Dense 单元数	1
	Dense 激活函数	Sigmoid

算法	准确率	精确度	召回率
Autoencoder^[20]	92.00%	96.00%	96.00%
DNN^[21]	96.00%	—	—
Random forest^[22]	98.00%	99.32%	93.00%
LSTM-RNN^[11]	94.70%	—	95.90%
CNN-LSTM（本文）	98.00%	99.00%	95.00%