
Method of Insider Threat Detection Based on LSTM Regression Model

Cited by: 2
Abstract: Malicious behavior initiated by insiders poses a security threat to enterprises, and it is difficult to detect because of fuzzy boundaries and scarce sample data. This paper proposes an LSTM (Long Short Term Memory) regression model that, through regression analysis of time series, outputs predictions of a user's behavior sequence. To account for differences between users, the model learns each user's behavior pattern separately, distinguished by user ID, and is trained continuously with updated real-time data; at test time, the difference between the predicted value and the actual value is used as the anomaly score. The method can not only predict user behavior but also detect anomalous behavior against the learned normal behavior pattern, addressing the shortage of positive samples for insider threats.
Authors: HUANG Na; HE Jingsha; WU Yabiao; LI Jianguo (Beijing TopSec Science & Technology Inc., Beijing 100085, China; Beijing University of Technology, Beijing 100124, China)
Source: Netinfo Security (《信息网络安全》), CSCD, Peking University Core Journal, 2020, No. 9, pp. 17-21 (5 pages)
Keywords: insider threat detection; user-behavior prediction; anomaly detection