Method of Insider Threat Detection Based on LSTM Regression Model

doi:10.3969/j.issn.1671-1122.2020.09.004

Abstract

Abstract:

The malicious behavior initiated by internal personnel will cause security threat to the enterprise, and there are difficulties in detection, such as fuzzy boundary, less sample data. This paper proposes an LSTM regression model, which outputs the prediction results of behavior sequence through regression analysis. Considering the otherness of variety users, the model learns the behavior mode of each user according to identify the user ID, and it is trained with updating sequence periodically, and then the difference between the predicted value and the actual value was taken as the abnormal score during test. This method can not only predict the users' behavior in next period, but also detect the abnormal behavior according to the normal behavior pattern learned, solving the problem of insufficient positive samples.

Key words: insider threat, user-behavior prediction, anomaly detection

CLC Number:

TP309

HUANG Na, HE Jingsha, WU Yabiao, LI Jianguo. Method of Insider Threat Detection Based on LSTM Regression Model[J]. Netinfo Security, 2020, 20(9): 17-21.

Figures/Tables 4

References 9

[1]	WANG Zhenhui, WANG Zhenduo, YAO Quanzhu. Insider Threat Detection Technology of Information System[J]. Computer System Applications, 2019,28(12):219-225.
	王振辉, 王振铎, 姚全珠. 信息系统内部威胁检测技术研究[J]. 计算机系统应用, 2019,28(12):219-225.
[2]	WANG Xuebin, TAN Qingfeng, SHI Jinqiao, et al. Insider Threat Detection Using Characterizing User Behavior[C]// IEEE. IEEE Third International Conference on Data Science in Cyberspace (DSC). July 1-21, 2018, Guangzhou China. New York: IEEE, 2018: 476-482.
[3]	GAVAI G, SRICHARM K, GUNNING D, et al. Supervised and Unsupervised Methods to Detect Insider Threat from Enterprise Social and Online Activity Data[J]. Journal of Wireless Mobile Netwroks, Ubiquitous Computing, and Dependable Applications. 2015,6(4):47-63.
[4]	GUO Yuanbo, LIU Chunhui, KONG Jing, et al. Study on User Behavior Profiling in Insider Threat Detection[J]. Journal of Communications, 2018,39(12):141-150.
	郭渊博, 刘春辉, 孔菁, 等. 内部威胁检测中用户行为模式画像方法研究[J]. 通信学报, 2018,39(12):141-150.
[5]	WANG Yifeng, GUO Yuanbo, LI Tao, et al. Method for Insider Threat Detection with Small Samples[J]. Journal of Chinese Computer System, 2019,40(11):2330-2336.
	王一丰, 郭渊博, 李涛, 等. 一种小样本下的内部威胁检测方法研究[J]. 小型微型计算机系统, 2019,40(11):2330-2336.
[6]	LI Haibin, LI Qi, TANG Ruming, et al. User Behavior Anomaly Detection for Database Based on Unsupervised Learning[J]. Journal of Chinese Computer System, 2018,39(11):2464-2472.
	李海斌, 李琦, 汤汝鸣, 等. 一种无监督的数据库用户行为异常检测方法[J]. 小型微型计算机系统, 2018,39(11):2464-2472.
[7]	LIU Yu, LUO Senlin, QU Lewei, et al. Full-features Information Equalization Modeling for insider Threat Detection[J]. Journal of Zhejiang University(Engineering Science), 2019,53(4):777-784.
	刘宇, 罗森林, 曲乐炜, 等. 全特征信息均衡建模的内部威胁人物检测[J]. 浙江大学学报(工学版), 2019,53(4):777-784.
[8]	TUOR A, BAERWOLF R, KNOWLES Nicolas, et al. Recurrent Neural Network Language Models for Open Vocabulary Event-Level Cyber Anomaly Detection[EB/OL]. http://arxiv.org/pdf/1712.00557, 2017:285-293, 2020-5-15.
[9]	MCMAHAN H.Brendan, HOLT Gary, SCULLEY David, et al. Ad Click Prediction: A View From the Trenches[C]// ACM. ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, August 8-10, 2013, Chicago, USA. New York: ACM, 2013: 1222-1230.

[1]	LU Jiali. Log Anomaly Detection Method Based on Improved Time Series Model [J]. Netinfo Security, 2020, 20(9): 1-5.
[2]	Wei WANG, Xudong SHEN. Research on Transfer Time Series Anomaly Detection Algorithm Based on Instance [J]. Netinfo Security, 2019, 19(3): 11-18.
[3]	Weichao YANG, Yuanbo GUO, Ya ZHONG, Shuaihui ZHEN. IoT Traffic Anomaly Detection Based on Device Type Identification and BP Neural Network [J]. Netinfo Security, 2019, 19(12): 53-63.
[4]	ZHU Haiqi, JIANG Feng. Research and Analysis of Anomaly Detection Technology for Operation and Maintenance Data in the Era of Artificial Intelligence [J]. Netinfo Security, 2019, 19(11): 24-35.
[5]	Hailian DENG, Yujing LIU, Yixuan GE, Jinshu SU. Research on Inter-domain Routing Anomaly Detection Technology [J]. Netinfo Security, 2019, 19(11): 63-70.
[6]	Wei LI, Xiaoxiao DI, Di WANG, Yunchun LI. Subgraph-based Network Behavior Models and Anomaly Detection for Server [J]. Netinfo Security, 2018, 18(2): 1-9.
[7]	Li HE, Yuanhui YAO. Detection and Recognition Strategy for Anomaly of Cloud Virtual Machine Based on Context Clustering [J]. Netinfo Security, 2018, 18(12): 54-65.
[8]	Gang ZHAO, Xingren YAO. Anomaly Detection Model Based on User Portrait [J]. Netinfo Security, 2017, 17(7): 18-24.
[9]	Xin WU, Yuesong YAN, Xiaoran LIU. Program Behavior Anomaly Detection Method Based on Improved HMM [J]. Netinfo Security, 2016, 16(9): 108-112.
[10]	XIANG Linbo, LIU Chuanyi. Key Technology Research and Implement on Insider Threat for Controlled Cloud Computing [J]. 信息网络安全, 2016, 16(3): 53-58.
[11]	Mingliang HE, Zemao CHEN, Jin ZUO. Cluster Anomaly Detection Algorithm Based on Multi-windows Mechanism [J]. Netinfo Security, 2016, 16(11): 33-39.
[12]	Jian TANG, Chun-lai SUN, Ke-feng MAO, Mei-ying JIA. Network Intrusion Anomaly Detection Model Based on Dimension Reduction Strategy Using Principal Component Analysis and Mutual Information [J]. Netinfo Security, 2015, 15(9): 78-83.
[13]	Ying-rui HE, Jing-ya WANG. Research of Insider Threats and Countermeasures under Cloud Service [J]. Netinfo Security, 2015, 15(8): 76-81.
[14]	Ling-yun LI, Ji AO, Zhi QIAO, Jian LI. Research on Security Event Real-time Monitoring Framework Based on Micro-blog [J]. Netinfo Security, 2015, 15(1): 16-23.