摘要
检测数据库内部合法用户的异常行为,对防范内部攻击和数据泄露具有重要意义,然而面临如下挑战:攻击模式不确定,真实异常样例少,数据集缺少准确标注.人工设定阈值和规则难以有效应对复杂多样的异常.本文提出了一种基于无监督学习的用户行为异常检测方法,通过划定时间窗口统计提取特征,运用核密度估计算法分别从单维度、多维度建模,实现在海量的无标注历史日志中发现简单异常和复杂异常、在新的线上数据中检测异常.真实数据实验表明,该方法能够有效检测出简单异常,实验中检测三种简单异常的平均严格查准率和宽松查准率分别达90%和100%;能够从多维度找出存在攻击嫌疑的复杂异常,实验中成功检测出了一种单维度无法检测出的新的复杂异常.
Detecting anomalous behaviors of legal internal users is of great significance for guarding against insider attack and preventing data leakage.However,challenges exist:uncertainty of attack strategies,lack of real anomaly cases and accurately labeled data,etc.Human-defined thresholds and basic rules are not enough for detecting complex and various anomalies.This paper proposes a method for user behavior anomaly detection based on unsupervised learning,aiming to effectively discover both simple and complex anomalies in unlabeled massive history log and detect anomalous behavior in new online data,by applying Kernel Density Estimation to single dimension and multiple dimensions respectively.Experiments on real data show that this method can detect simple anomalies in single dimension with an average strict precision of 90% and relaxed precision of 100%,and successfully discover a hidden complex anomaly in multiple dimensions which can not be detected by single dimension approach.
作者
李海斌
李琦
汤汝鸣
吴珺
吕志远
裴丹
史俊杰
董旭
房双德
杨一飞
吴烨
LI Hai-bin;LI Qi;TANG Ru-ming;WU Jun;LV Zhi-yuan;PEI Dan;SHI Jun-jie;DONG Xu;FANG Shuang-de;YANG Yi-fei;WU Ye(Department of Computer Science and Technology,Tsinghua University,Beijing 100084,China;Baidu,Beijing 100085,China)
出处
《小型微型计算机系统》
CSCD
北大核心
2018年第11期2464-2472,共9页
Journal of Chinese Computer Systems
基金
国家自然科学基金项目(61472214)资助
关键词
无监督学习
数据库
用户行为
异常检测
内部数据泄露
unsupervised learning
database
user behavior
anomaly detection
insider data leakage
