Insider Threat Detection Model Based on LSTM-Attention

doi:10.3969/j.issn.1671-1122.2022.02.001

Abstract

Abstract:

Information materials are illegally leaked, copied and tampered by insider personnel, which often cause huge financial losses to governments and enterprises. In order to prevent information from being illegally stolen by insiders, an insider threat detection model ITDBLA based on LSTM-Attention was proposed. Firstly, the user’s behavior sequence, user behavior characteristics, role behavior characteristics and psychological data were extracted to describe the daily activities of users. Secondly, the long short-term memory (LSTM) network and the attention mechanism were used to learn the user’s behavior pattern, and calculate the deviation between the real behavior and the predicted behavior. Finally, multilayer perceptron was used to make comprehensive decisions based on these deviations to identify abnormal behaviors. Experimental results on the CERT insider threat dataset show that the proposed ITDBLA model achieves an AUC score of 0.964, which show a stronger ability to learn user activity patterns and detect abnormal behaviors.

Key words: LSTM, attention mechanism, user and entity behavior analysis, insider threat detection

CLC Number:

TP309

ZHANG Guanghua, YAN Fengru, ZHANG Dongwen, LIU Xuefeng. Insider Threat Detection Model Based on LSTM-Attention[J]. Netinfo Security, 2022, 22(2): 1-10.

Figures/Tables 14

References 24

[1]	LAN Caihui, LI Haifeng, YIN Shoulin, et al. A New Security Cloud Storage Data Encryption Scheme Based on Identity Proxy Re-encryption[J]. International Journal of Network Security, 2017, 19(5):804-810.
[2]	KABIR E, HU Jiankun, WANG Hua, et al. A Novel Statistical Technique for Intrusion Detection Systems[J]. Future Generation Computer Systems, 2018, 79(1):303-318. doi: 10.1016/j.future.2017.01.029 URL
[3]	WU Chi, SHUAI Junlan, LONG Tao, et al. Research on Detection Method of User Abnormal Operation Based on Linux Shell Commands[J]. Netinfo Security, 2021, 21(5):31-38.
	吴驰, 帅俊岚, 龙涛, 等. 基于Linux Shell命令的用户异常操作检测方法研究[J]. 信息网络安全, 2021, 21(5):31-38.
[4]	YAO Hailong, WANG Caifen, XU Qinbai, et al. A Distributed Biometric Authentication Protocol Based on Homomorphic Encryption[J]. Journal of Computer Research and Development, 2019, 56(11):2375-2383.
	姚海龙, 王彩芬, 许钦百, 等. 一种基于同态加密的分布式生物特征认证协议[J]. 计算机研究与发展, 2019, 56(11):2375-2383.
[5]	YE Xiaoyun, HONG S S, HAN M M. Feature Engineering Method Using Double-layer Hidden Markov Model for Insider Threat Detection[J]. International Journal of Fuzzy Logic and Intelligent Systems, 2020, 20(1):17-25. doi: 10.5391/IJFIS.2020.20.1.17 URL
[6]	TIAN Zhihong, LUO Chaochao, LU Hui, et al. User and Entity Behavior Analysis under Urban Big Data[J]. ACM Transactions on Data Science, 2020, 1(3):1-19.
[7]	GORKA S, JONATHAN C, NEIL M, et al. 2019 Market Guide for User and Entity Behavior Analytics[R]. USA: Gartner, G00349450, 2019.
[8]	DU Min, LI Feifei, ZHENG Guineng, et al. DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning[C]//ACM. 2017 ACM SIGSAC Conference on Computer and Communications Security, October 30-November 3, 2017, New York, USA. New York: ACM, 2017: 1285-1298.
[9]	GUO Yuanbo, LIU Chunhui, KONG Jing, et al. Study on User Behavior Profiling in Insider Threat Detection[J]. Journal on Communications, 2018, 39(12):141-150.
	郭渊博, 刘春辉, 孔菁, 等. 内部威胁检测中用户行为模式画像方法研究[J]. 通信学报, 2018, 39(12):141-150.
[10]	PAUL S, MISHRA S. LAC: LSTM Autoencoder with Community for Insider Threat Detection[C]//ACM. The 4th International Conference on Big Data Research (ICBDR’20), November 27-29, 2020, Tokyo, Japan. New York: ACM, 2020: 71-77.
[11]	BAO Haiyong, LU Rongxing, LI Beibei, et al. BLITHE: Behavior Rule-based Insider Threat Detection for Smart Grid[J]. IEEE Internet of Things Journal, 2015, 3(2):190-205.
[12]	MAVROEIDIS V, VISHI K, JOSANG A. A Framework for Data-driven Physical Security and Insider Threat Detection[C]//IEEE. 2018 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), August 28-31, 2018, Barcelona, Spain. Piscataway: IEEE, 2018: 1108-1115.
[13]	LEGG P A, BUCKLEY O, GOLDSMITH M, et al. Automated Insider Threat Detection System Using User and Role-based Profile Assessment[J]. IEEE Systems Journal, 2017, 11(2):503-512. doi: 10.1109/JSYST.2015.2438442 URL
[14]	JAGIELSKI M, OPREA A, BIGGIO B, et al. Manipulating Machine Learning: Poisoning Attacks and Countermeasures for Regression Learning[C]//IEEE. 2018 IEEE Symposium on Security and Privacy (SP), May 20-24, 2018, San Francisco, CA, USA. Piscataway: IEEE, 2018: 204-221.
[15]	LIU Fei, LIM E T, LI Hongxiu, et al. Disentangling Utilitarian and Hedonic Consumption Behavior in Online Shopping: An Expectation Disconfirmation Perspective[J]. Information & Management, 2020, 57(3):100-123.
[16]	WEN Yu, WANG Weiping, MENG Dan. Mining User Cross-domain Behavior Patterns for Insider Threat Detection[J]. Chinese Journal of Computers, 2016, 39(8):1555-1569.
	文雨, 王伟平, 孟丹. 面向内部威胁检测的用户跨域行为模式挖掘[J]. 计算机学报, 2016, 39(8):1555-1569.
[17]	YU Hong, ZHANG Tiantian, CHEN Jiaxin, et al. Web Items Recommendation Based on Multi-view Clustering[C]//IEEE. 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC), July 23-27, 2018, Tokyo, Japan. Piscataway: IEEE, 2018: 153-158.
[18]	LI Zhi, SONG Lipeng. Research on Internal Threat Detection Based on User Window Behavior[J]. Computer Engineering, 2020, 46(4):135-142, 150.
	李志, 宋礼鹏. 基于用户窗口行为的内部威胁检测研究[J]. 计算机工程, 2020, 46(4):135-142, 150.
[19]	SHASHANKA M, SHEN Minyi, WANG Jisheng. User and Entity Behavior Analytics for Enterprise Security[C]//IEEE. 2016 IEEE International Conference on Big Data (Big Data), December 5-8, 2016, Washington, DC, USA. Piscataway: IEEE, 2016: 1867-1874.
[20]	TEODORA S B, CAGLAYAN B, HAYTHAM A. DeepAD: A Generic Framework Based on Deep Learning for Time Series Anomaly Detectio[M]. Berlin: Springer, 2018: 577-588.
[21]	YUAN Fangfang, CAO Yanan, SHANG Yanmin, et al. Insider Threat Detection with Deep Neural Network[C]//Springer. International Conferenceon Computational Science(ICCS), June 11-13, 2018, Wuxi, China. Heidelberg: Springer, 2018: 43-54.
[22]	HOCHREITER S, SCHMIDHUBER J. Long Short-term Memory[J]. Neural Computation, 1997, 9(8):1735-1780. doi: 10.1162/neco.1997.9.8.1735 URL
[23]	GLASSER J, LINDAUER B. Bridging the Gap: A Pragmatic Approach to Generating Insider Threat Data[C]//IEEE. 2013 IEEE Security and Privacy Workshops, May 23-24, 2013, San Francisco, CA, USA. Piscataway: IEEE, 2013: 98-104.
[24]	LE D C, ZINCIR-HEYWOOD A N. Evaluating Insider Threat Detection Workflow Using Supervised and Unsupervised Learning[C]//IEEE. 2018 IEEE Security and Privacy Workshops, May 24, 2018, San Francisco, CA, USA. Piscataway: IEEE, 2018: 270-275.

特征	数据	描述
行为特征	logon.csv	登录总次数、登录总时长第一次/最后一次登录时间
	email.csv	工作/非工作时间发送的邮件数量接收内部、外部电子邮件数量邮件大小、附件数量
	http.csv	浏览网站总时间浏览不同类别网站的时间
	device.csv	USB连接总数工作/非工作时间连接USB数量
	file.csv	访问的文件数量访问的不同格式的文件数量

特征	数据	描述
序列特征	时间段内行为序列的序列数据	logon:1 Connect:2 Disconnect:3 http:4 email:5 logoff:6
角色特征	角色下所有用户的共同行为特征	同一角色下员工的行为特征的平均值
心理数据	大五人格特质	O开放性、C责任性、 E外倾性、A宜人性、 N情绪性

文件名	描述
LDAP	描述每个模拟用户的本体（角色、电子邮件部门、主管等）LDAP文件
device.csv	可移动设备(如USB硬盘)的连接和断开
email.csv	用户邮件的日志,包括邮件的接收、发送和大小等
file.csv	文件访问活动,包括文件打开、复制、写入、删除
http.csv	用户网页浏览、上传、下载
logon.csv	基于登录和注销计算设备的用户活动
psychometric.csv	为1000名模拟用户提供工作满意度变量

行为特征模型-LSTM	超参数设置
Input	Dim = 148
Reshape	Dim = (4,37)
LSTM	Units = 100
Activation	Function = tanh
LSTM	Units = 120
Activation	Function = tanh
Dense	Dim = 37
Activation	Function = relu

行为序列模型-Attention	超参数设置
Input	Dim = 132
Attention_vec: Dense	Dim = 132
Activation	Function = softmax
Multiply	Dim =[(None,132),(None,132)]
Dense	Dim = 33
Activation	Function = softmax