基于业务过程挖掘的内部威胁检测系统

doi:10.11959/j.issn.1000-436x.2016265

摘要/Abstract

摘要：

当前的入侵检测系统更多针对的是外部攻击者，但有时内部人员也会给机构或组织的信息安全带来巨大危害。现有的内部威胁检测方法通常未将人员行为和业务活动进行结合，威胁检测率有待提升。从内部威胁的实施方和威胁对系统业务的影响这2个方面着手，提出基于业务过程挖掘的内部威胁检测系统模型。首先通过对训练日志的挖掘建立系统业务活动的正常控制流模型和各业务执行者的正常行为轮廓，然后在系统运行过程中将执行者的实际操作行为与预建立的正常行为轮廓进行对比，并加以业务过程的控制流异常检测和性能异常检测，以发现内部威胁。对各种异常行为进行了定义并给出了相应的检测算法，并基于ProM平台进行实验，结果证明了所设计系统的有效性。

关键词: 内部威胁, 过程挖掘, 行为轮廓, 异常检测

Abstract:

Current intrusion detection systems are mostly for detecting external attacks,but sometimes the internal staff may bring greater harm to organizations in information security.Traditional insider threat detection methods of-ten do not combine the behavior of people with business activities,making the threat detection rate to be improved.An insider threat detection system based on business process mining from two aspects was proposed,the implementation of insider threats and the impact of threats on system services.Firstly,the normal control flow model of business ac-tivities and the normal behavior profile of each operator were established by mining the training log.Then,the actual behavior of the operators was compared with the pre-established normal behavior contours during the operation of the system,which was supplemented by control flow anomaly detection and performance anomaly detection of business processes,in order to discover insider threats.A variety of anomalies were defined and the corresponding detection algorithms were given.Experiments were performed on the ProM platform.The results show the designed system is effective.

Key words: insider threat, process mining, behavior profile, anomaly detection

朱泰铭,郭渊博,琚安康,马骏. 基于业务过程挖掘的内部威胁检测系统[J]. 通信学报, 2016, 37(Z1): 180-188.

Tai-ming ZHU,Yuan-bo GUO,An-kang JU,Jun MA. Business process mining based insider threat detection system[J]. Journal on Communications, 2016, 37(Z1): 180-188.

图/表 7

图1

图2

图3

表1

表2

表3

表4

参考文献 18

[1]	PARVEEN P , THURAISINGHAM B . Unsupervised incremental sequence learning for insider threat detection[C]//2012 IEEE Interna-tional Conference on Intelligence and Security Informatics (ISI). 2012:141-143.
[2]	AALST W M P , MEDEIROS A K A . Process mining and security:detecting anomalous process executions and checking process con-formance[J]. Electronic Notes in Theoretical Computer Science, 2005,121:3-21.
[3]	AALST W , WEIJTERS T , MARUSTER L . Workflow mining:Dis-covering process models from event logs[J]. IEEE Transactions on Knowledge and Data Engineering, 2004,16(9):1128-1142.
[4]	WEN L , WANG J , SUN J . Detecting implicit dependencies between tasks from event logs[J]. Frontiers of WWW Research and Develop-ment-APWeb 2006, 2006:591-603.
[5]	WEIJTERS A , RIBEIRO J T S . Flexible heuristics miner (FHM)[C]//2011 IEEE Symposium on Computational Intelligence and Data Min-ing (CIDM). 2011:310-317.
[6]	WEIJTERS A J M M , VAN der AALST W M P . Rediscovering work-flow models from event-based data using little thumb[J]. Integrated Computer-Aided Engineering, 2013,10(2):151-162.
[7]	DONGEN B F , AALST W M P . Multi-phase process mining:Aggre-gating instance graphs into EPCs and Petri nets[C]//PNCWB 2005 Workshop. 2015:35-58.
[8]	VAN DONGEN B F , VAN der AALST W M P . Multi-phase process mining:Building instance graphs[C]//Conceptual Modeling-ER 2004. 2004:362-376.
[9]	DE MEDEIROS A K A , WEIJTERS A . Genetic process mining[C]//26th International Conference on Applications and Theory of Petri Nets. 2005.
[10]	AALST W M P , DONGEN B F , GüNTHER C W , et al. ProM:the process mining toolkit[J]. BPM (Demos), 2009,489:31.
[11]	ANDERSON R H , BOZEK T , LONGSTAFF T , et al. Research on mitigating the insider threat to information systems-# 2[R]. Rand Na-tional Defense Research Inst Santa Monica CA, 2000.
[12]	SPITZNER L . Honeypots:catching the insider threat[C]//19th Com-puter Security Applications Conference. 2003:170-179.
[13]	HU N , BRADFORD P G , LIU J . Applying role based access control and genetic algorithms to insider threat detection[C]//The 44th Annual Southeast Regional Conference. 2006:790-791.
[14]	BISHOP M , ENGLE S , PEISERT S , et al. We have met the enemy and he is us[C]//The 2008 Workshop on New Security Paradigms. 2009:1-12.
[15]	GREITZER F L , FRINCKE D A . Combining traditional cyber security audit data with psychosocial data:towards predictive modeling for in-sider threat mitigation[C]//Insider Threats in Cyber Security. 2010:85-113.
[16]	BRDICZKA O , LIU J , PRICE B , et al. roactive insider threat detec-tion through graph learning and psychological context[C]//2012 IEEE Symposium on Security and Privacy Workshops (SPW). 2012:142-149.
[17]	PARVEEN P , EVANS J , THURAISINGHAM B , et al. Insider threat detection using stream mining and graph mining[C]//2011 IEEE Third International Conference on Privacy,Security,Risk and Trust (PAS-SAT) and 2011 IEEE Third Inernational Conference on Social Com-puting (SocialCom). 2011:1102-1110.
[18]	BURATTIN A , SPERDUTI A . PLG:a framework for the generation of business process models and their execution logs[C]//Business Process Management Workshops. 2011:214-219.

案例编号	事件平均数量	角色数量	执行者数量	注入异常情况	恶意执行者数量
1	574	3	7	5 OCA,2 LA	1
2	1 227	3	9	9 OCA,3 OFA,3 LA,3 TIA	1
3	2 072	4	12	13 OCA,5 OFA,5 LA,4 MA	2
4	3 356	4	14	16 OCA,7 OFA,2 FA	2
5	5 184	5	18	21 OCA,12 OFA,6 LA	3

案例编号	异常报警情况
1	5 OCA,1 LA
2	9 OCA,4 OFA,3 LA,2 TIA
3	14 OCA,4 OFA,4 LA,4 MA
4	16 OCA,8 OFA,3 FA
5	22 OCA,12 OFA,7 LA

案例编号	准确率	召回率	F₁分数
1	100%	85.7%	92.3%
2	94.4%	94.4%	94.4%
3	96.2%	92.6%	94.4%
4	92.6%	100%	96.2%
5	92.7%	97.4%	95.0%

角色编号	执行者数量	类簇数量	离群点数量
1	3	2	1
2	4	1	0
3	5	2	1
4	3	1	0
5	3	2	1