摘要
行为画像技术利用无标注历史数据构建用户行为"常态",是检测企业内部威胁的有效手段。当前标签式画像方法依赖人工提取特征,多用简单统计方法处理数据,导致用户画像模型缺少细节、不够全面。提出了一种行为特征自动提取和局部全细节行为画像方法,以及一种行为序列划分和全局业务状态转移预测方法,能够较全面地刻画用户行为模式。构建了一个基于行为画像的内部威胁检测框架,将局部描写与全局预测相结合,提高了检测准确率。最后用CMU-CERT数据集进行了实验,AUC(area under curve)得分0.88,F1得分0.925,可有效应用于内部威胁检测过程中。
Behavior profiling technic using no-labeled historical data to build normal behavior model is an effective way to detect insider attackers.The state-of-the-art labeled profile methods extract features artificially and process data by simple statistical methods,whose incomplete behavior model lacks details.An automated feature extracting and full-detail behavior profiling method as well as a behavior sequence splitting and business state transition predicting way was proposed.Combining above two methods,an insider threats detection framework was established,which improved detection accuracy.Experimenting with CMU-CERT data set,AUC(area under curve)score was 0.88 and F1 score was 0.925.With the better performance,it can be used in detecting insider threats.
作者
郭渊博
刘春辉
孔菁
王一丰
GUO Yuanbo;LIU Chunhui;KONG Jing;WANG Yifeng(Cryptography Engineering Institute,Information Engineering University,Zhengzhou 450001,China;Unit 61213 of The Chinese People's Liberation Army,Linfen 041000,China)
出处
《通信学报》
EI
CSCD
北大核心
2018年第12期141-150,共10页
Journal on Communications
基金
国家自然科学基金资助项目(No.61602515
No.61501515)~~
关键词
行为序列
画像提取
内部威胁
隐马尔可夫模型
behavior sequence
profiling extraction
insider threat
hidden Markov model
