Abstract
With the rapid development of network technology, the economic losses caused by cyber-attacks are expected to keep growing. The security protection of most operating systems relies mainly on signature-based or rule-based methods, so most existing anomaly detection methods have low accuracy. To address this, a Bayesian model is used to model peer groups of similar users, combined with time effects and a hierarchical principle, to provide a higher-precision dataset for User and Entity Behavior Analytics (UEBA) research. The user behaviour actually recorded is then compared with the behaviour inferred by the Bayesian hierarchical graph model, which lowers the model's false positive rate. The method has two stages: in the first stage, user behaviour clusters are formed with a data-driven method and each user's personal authentication pattern is defined; in the second stage, periodic factors and the hierarchical principle are taken into account and the behaviour is modelled with a Poisson distribution. The results show that the data-driven clustering method achieves better results in reducing false positives, which eases the burden of network security management.
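The two-stage scheme described in the abstract, reduced to a runnable sketch. This is an added example written for this page, not the authors' code, data or exact model: the stage-1 peer groups are a fixed user-to-group map standing in for the paper's data-driven clustering, the hierarchy is a single level of gamma-Poisson shrinkage of each user's hourly rate toward the peer group's rate, and the periodic factor is hour of day. `GROUP_OF`, `HISTORY`, `PRIOR_STRENGTH` and `ALERT_TAIL` are all constructed or assumed values.

```python
"""Hierarchical Poisson baseline for per-user authentication counts.

Added illustration, not the paper's code: a deliberately small
gamma-Poisson version of the two-stage idea in the abstract.  Stage 1's
peer groups are given here as a fixed user->group map (the paper derives
them by data-driven clustering).  Stage 2 models the number of
authentications a user performs in a periodic time bucket (hour of day)
as Poisson, with the user's own rate shrunk toward the peer group's rate
for that bucket.  Every count below is constructed sample data.
"""
from math import exp

# Assumed stage-1 output: peer group per user.
GROUP_OF = {"alice": "finance", "bob": "finance",
            "carol": "devops", "dave": "devops"}

# Constructed history: (user, hour_of_day) -> successful logins on each of 5 days.
HISTORY = {
    ("alice", 9): [3, 4, 3, 5, 3], ("alice", 2): [0, 0, 1, 0, 0],
    ("bob", 9):   [2, 2, 3, 2, 1], ("bob", 2):   [0, 0, 0, 0, 0],
    ("carol", 9): [1, 1, 2, 1, 0], ("carol", 2): [1, 0, 2, 1, 1],
    ("dave", 9):  [2, 1, 1, 1, 0], ("dave", 2):  [0, 1, 1, 0, 0],
}

PRIOR_STRENGTH = 5.0   # assumed: group evidence counts as 5 pseudo-days per user
ALERT_TAIL = 0.01      # assumed: alert when P(X >= observed) falls below 1 %


def group_rate(group, hour, history=HISTORY, group_of=GROUP_OF):
    """Pooled Poisson rate of the peer group in this hour (logins per user-day)."""
    total = days = 0
    for (user, h), counts in history.items():
        if h == hour and group_of.get(user) == group:
            total += sum(counts)
            days += len(counts)
    return total / days if days else 0.0


def user_rate(user, hour, history=HISTORY, group_of=GROUP_OF, alpha=PRIOR_STRENGTH):
    """Posterior-mean rate for one user and hour.

    Prior: Gamma(shape=alpha*lambda_group, rate=alpha), i.e. the group rate
    with the weight of `alpha` pseudo-days; updated with the user's own days.
    A user with no history at this hour simply inherits the group rate.
    """
    lam_g = group_rate(group_of[user], hour, history, group_of)
    counts = history.get((user, hour), [])
    return (alpha * lam_g + sum(counts)) / (alpha + len(counts))


def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam), summed term by term (no scipy needed)."""
    if k <= 0:
        return 1.0
    pmf = exp(-lam)      # P(X = 0)
    cdf = pmf
    for i in range(1, k):
        pmf *= lam / i   # P(X = i) from P(X = i-1)
        cdf += pmf
    return max(0.0, 1.0 - cdf)


def score(user, hour, observed):
    """Return (rate, tail probability, alert?) for an observed hourly login count."""
    lam = user_rate(user, hour)
    tail = poisson_tail(observed, lam)
    return lam, tail, tail < ALERT_TAIL


if __name__ == "__main__":
    # Same event (3 logins at 02:00) judged against two different peer baselines.
    for user, hour, n in [("alice", 9, 5), ("bob", 2, 3), ("carol", 2, 3)]:
        lam, tail, alert = score(user, hour, n)
        print(f"{user:6s} {hour:02d}:00 n={n} rate={lam:.2f} "
              f"P(X>=n)={tail:.2e} {'ALERT' if alert else 'ok'}")
```

The point the example makes is the one the abstract claims for its method: three logins at 02:00 are flagged for bob, whose peer group is almost never active at that hour, but not for carol, whose devops group does authenticate at night, so a single global threshold on night-time logins would have produced a false positive for carol. The prior strength controls how much the peer group dominates a user with little history; it is a tuning knob here, not a value taken from the paper.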
Authors
LI Hongzhe (李洪赭); JIANG Haitao (江海涛); GAO Yanping (高艳苹); XU Sirun (徐斯润)
Affiliations: No.30 Institute of CETC, Chengdu, Sichuan 610041, China; Southwest Jiaotong University, Chengdu, Sichuan 610031, China
Source
Communications Technology (《通信技术》), 2024, No. 6, pp. 593-597 (5 pages)
Funding
Sichuan Science and Technology Program project (2021YJ0372).