
Insider Threat Detection Algorithm Based on Machine Learning
Abstract: User behavior in cyberspace is unpredictable, and malicious insider attacks are among the most damaging threats to enterprises and government agencies. With the rapid development of information technology, intranet security threats are becoming a significant challenge for organizations. Most existing intrusion detection algorithms are based on static detection techniques, which have difficulty detecting highly concealed insider attacks. They also lack flexibility and adaptability and cannot detect changes in user behavior in network streaming data, so using this kind of algorithm for insider threat analysis leads to high false positive rates and low detection rates. This paper studies an insider threat detection algorithm based on machine learning that consists of three parts: data collection, data preprocessing, and data analysis. In the data analysis stage, logistic regression (LR), random forest (RF), and artificial neural network (ANN) models are used to train on the experimental data. Experiments show that the algorithm can detect malicious insider threat attacks and malicious insiders with high accuracy from both normal and malicious insider threats. The proposed machine learning-based insider threat detection algorithm can assist security analysts in analyzing insider threats, improve the efficiency and accuracy of insider threat analysis, reduce its cost, and protect the security of users' assets.
Authors: Chan Yuandong (产院东); Shen Hongzhe (沈鸿喆); Zhang Xinyi (张欣怡); Yang Liulei (杨留磊); Hu Jie (胡杰); Xia Shuang (夏爽) (The 28th Research Institute of China Electronics Technology Corporation, Nanjing 210007, China)
Source: INFORMATIZATION RESEARCH (《信息化研究》), 2024, Issue 5, pp. 25-31 (7 pages)
Keywords: insider threat detection; machine learning; cyber security; artificial neural network; random forest; logistic regression