基于操作注意力和数据增强的内部威胁检测

doi:10.11959/j.issn.2096-109x.2023042

网络与信息安全学报 ›› 2023, Vol. 9 ›› Issue (3): 102-112.doi: 10.11959/j.issn.2096-109x.2023042

基于操作注意力和数据增强的内部威胁检测

冯冠云, 付才, 吕建强, 韩兰胜

¹ 分布式系统安全湖北省重点实验室，湖北省大数据安全工程技术研究中心，湖北武汉 430074
² 华中科技大学网络空间安全学院，湖北武汉 430074

修回日期:2023-03-15 出版日期:2023-06-25 发布日期:2023-06-01
作者简介:冯冠云（1998- ），男，湖北武汉人，华中科技大学硕士生，主要研究方向为网络行为分析、深度学习
付才（1976- ），男，湖北通城人，华中科技大学教授、博士生导师，主要研究方向为移动网络安全、系统与软件安全、网络行为分析
吕建强（1981- ），男，湖北黄冈人，华中科技大学博士生，主要研究方向为系统与软件安全、网络行为分析
韩兰胜（1972- ），男，山东济宁人，华中科技大学教授、博士生导师，主要研究方向为网络攻防、系统与软件安全、网络行为分析
基金资助:
国家自然科学基金(62072200);国家自然科学基金(62172176);国家重点研发计划(2022YFB3103400)

Insider threat detection based on operational attention and data augmentation

Guanyun FENG, Cai FU, Jianqiang LYU, Lansheng HAN

¹ Hubei Engineering Research Center on Big Data Security, Hubei Key Laboratory of Distributed System Security, Wuhan, 430074, China
² School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China

Revised:2023-03-15 Online:2023-06-25 Published:2023-06-01
Supported by:
The National Natural Science Foundation of China(62072200);The National Natural Science Foundation of China(62172176);The National Key R ＆ D Program of China(2022YFB3103400)

摘要/Abstract

摘要：

内部威胁是组织中出现重大安全隐患的主要原因之一，也是一个长期的挑战。通过分析现有的内部威胁数据, 指出内部威胁检测最大的挑战在于数据不平衡、有标注的威胁样本少。内部威胁检测的经典数据集CMU-C R4.2共有322万条日志数据，其中标记出的恶意操作日志仅7 423条；日志中的大多数操作类型与恶意行为无关，如泄露企业数据这一恶意行为仅与两种类型操作高度相关，而其余的 40 多种类型操作的日志则可能对检测造成干扰。针对这一挑战，设计了一种基于操作注意力和数据增强的数据处理框架。该框架首先对操作进行异常评估，对低异常评分的操作进行掩码操作，使模型更好地关注与恶意行为相关的操作，可以被认为是一种操作的硬注意力机制。通过分析内部威胁数据集的特点，设计了3种规则对恶意样本进行数据增强，以增加样本的多样性和缓解正负样本严重不平衡的问题。将有监督的内部威胁检测视作一个时序分类问题，在长短期记忆卷积神经网络（LSTM-FCN）模型中加入残差连接以实现多粒度的检测，并使用精确率、召回率等指标实施评估，要优于现有的基线模型；另外，在 ITD-Bert、TextCNN 等多种经典模型上实施基于操作注意力和数据增强的数据处理框架，结果表明所提方法能够有效提升内部威胁检测模型的性能。

关键词: 内部威胁检测, 硬注意力, 数据增强, 神经网络

Abstract:

In recent years, there has been an increased focus on the issue of insider threats.Insider threats are a major cause security breaches in organizations and pose an ongoing challenge.By analyzing the existing insider threat data, it was identified that the biggest challenge in insider threat detection lies in data imbalance and the limited number of labeled threat samples.In the Cert R4.2 dataset, which is a classic dataset for insider threat detection, there are over 3.22 million log data, but only 7,423 are marked as malicious operation logs.Furthermore, most of the operation types in the logs are not related to malicious behavior, and only two types of operations are highly correlated with malicious behavior, such as leaking company data, creating interference in the detection process.To address this challenge, a data processing framework was designed based on operational attention and data augmentation.Anomaly evaluation was first performed on operations by the framework, and operations with low anomaly scores were then masked.This makes the model better focus on operations related to malicious behavior, which can be considered as a hard attention mechanism for operations.Next, the characteristics of the insider threat dataset were analyzed, and three rules were designed for data augmentation on malicious samples to increase the diversity of samples and alleviate the substantial imbalance between positive and negative samples.Supervised insider threat detection was regarded as a time-series classification problem.Residual connections were added to the LSTM-FCN model to achieve multi-granularity detection, and indicators such as precision rate and recall rate were used to evaluate the model.The results indicate superior performance over existing baseline models.Moreover, the data processing framework was implemented on various classic models, such as ITD-Bert and TextCNN, and the results show that the methods effectively improve the performance of insider threat detection models.

Key words: Insider threat detection, hard attention, data augmentation, neural network

中图分类号:

TP309.2

冯冠云, 付才, 吕建强, 韩兰胜. 基于操作注意力和数据增强的内部威胁检测[J]. 网络与信息安全学报, 2023, 9(3): 102-112.

Guanyun FENG, Cai FU, Jianqiang LYU, Lansheng HAN. Insider threat detection based on operational attention and data augmentation[J]. Chinese Journal of Network and Information Security, 2023, 9(3): 102-112.

图/表 9

图1

图2

图3

图4

图5

图6

表1

表2

图7

参考文献 40

[1]	HOMOLIAK I , TOFFALINI F , GUARNIZO J ,et al. Insight into insiders and IT:a survey of insider threat taxonomies,analysis,modeling,and countermeasures[J]. ACM Computing Surveys, 2020,52(2): 1-40.
[2]	Insider threat 2022 report[EB].
[3]	Gurucul - insider threat survey report[EB].
[4]	Insider threat report 2023[EB].
[5]	YUAN S H , WU X T . Deep learning for insider threat detection:review,challenges and opportunities[J]. Computers ＆ Security, 2021,104:102221.
[6]	LIU L , DE VEL O , HAN Q L ,et al. Detecting and preventing cyber insider threats:a survey[J]. IEEE Communications Surveys ＆ Tutorials, 2018,20(2): 1397-1417.
[7]	MONTANO I H , ARANDA J J G , DIAZ J R ,et al. Survey of techniques on data leakage protection and methods to address the insider threat[J]. Cluster Computing, 2022,25(6): 4289-4302.
[8]	XU J H , WU H X , WANG J M ,et al. Anomaly transformer:time series anomaly detection with association discrepancy[EB/OL]. 2021:arXiv:2110.02642.
[9]	Cmu-cert insider threat test dataset[EB].
[10]	TUOR A , KAPLAN S , HUTCHINSON B ,et al. Deep learning for unsupervised insider threat detection in structured cybersecurity data streams[C]// Proceeding of Workshops of the Thirty-First AAAI Conference on Artificial Intelligence. 2017.
[11]	LIU L , DE VEL O , CHEN C ,et al. Anomaly-based insider threat detection using deep autoencoders[C]// Proceedings of 2018 IEEE International Conference on Data Mining Workshops (ICDMW). 2019: 39-48.
[12]	SHARMA B , POKHAREL P , JOSHI B . User behavior analytics for anomaly detection using LSTM autoencoder-insider threat detection[C]// Proceedings of the 11th International Conference on Advances in Information Technology. 2020: 1-9.
[13]	LIU L , CHEN C , ZHANG J ,et al. Insider threat identification using the simultaneous neural learning of multi-source logs[J]. IEEE Access, 2019,7: 183162-183176.
[14]	SINGH M , MEHTRE B , SANGEETHA S . User behavior based insider threat detection using a multi fuzzy classifier[J]. Multimedia Tools and Applications, 2022,81(16): 22953-22983.
[15]	JIANG J G , CHEN J M , GU T B ,et al. Warder:online insider threat detection system using multi-feature modeling and graph-based correlation[C]// Proceedings of MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM). 2020: 1-6.
[16]	LIU C C , ZHONG Y , WANG Y L . Improved detection of user malicious behavior through log mining based on IHMM[C]// Proceedings of 2018 5th International Conference on Systems and Informatics (ICSAI). 2019: 1193-1198.
[17]	LYU B , WANG D , WANG Y ,et al. A hybrid model based on multi-dimensional features for insider threat detection[C]// Proceedings of International Conference on Wireless Algorithms,Systems,and Applications. 2018: 333-344.
[18]	NASSER M , AL-MHIQANI . A new intelligent multilayer framework for insider threat detection[J]. Computers ＆ Electrical Engineering, 2022,97:107597.
[19]	GAYATHRI R G , SAJJANHAR A , XIANG Y . Image-based feature representation for insider threat classification[J]. Applied Sciences, 2020,10(14): 4945.
[20]	CHATTOPADHYAY P , WANG L P , TAN Y P . Scenario-based insider threat detection from cyber activities[J]. IEEE Transactions on Computational Social Systems, 2018,5(3): 660-675.
[21]	NASIR R , AFZAL M , LATIF R ,et al. Behavioral based insider threat detection using deep learning[J]. IEEE Access, 2021,9: 143266-143274.
[22]	MENG F Z , LOU F , FU Y S ,et al. Deep learning based attribute classification insider threat detection for data security[C]// Proceedings of 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC). 2018: 576-581.
[23]	JIANG W , TIAN Y , LIU W X ,et al. An insider threat detection method based on user behavior analysis[C]// International Conference on Intelligent Information Processing. 2018: 421-429.
[24]	LI D Y , YANG L , ZHANG H G ,et al. Image-based insider threat detection via geometric transformation[J]. Security and Communication Networks, 2021: 1-18.
[25]	HUANG W Q , ZHU H , LI C ,et al. ITDBERT:temporal-semantic representation for insider threat detection[C]// Proceedings of 2021 IEEE Symposium on Computers and Communications (ISCC). 2021: 1-7.
[26]	LEGG P A , BUCKLEY O , GOLDSMITH M ,et al. Automated insider threat detection system using user and role-based profile assessment[J]. IEEE Systems Journal, 2017,11(2): 503-512.
[27]	JIANG J G , CHEN J M , GU T B ,et al. Anomaly detection with graph convolutional networks for insider threat and fraud detection[C]// Proceedings of MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM). 2020: 109-114.
[28]	ABEDINIA O , AMJADY N , ZAREIPOUR H . A new feature selection technique for load and price forecast of electrical power systems[J]. IEEE Transactions on Power Systems, 2017,32(1): 62-74.
[29]	XU K , BA J L , KIROS R ,et al. Show,attend and tell:neural image caption generation with visual attention[C]// Proceedings of the 32nd International Conference on International Conference on Machine Learning. 2015: 2048-2057.
[30]	JADERBERG M , SIMONYAN K , ZISSERMAN A ,et al. Spatial transformer networks[J]. arXiv Preprint arXiv:1506.02025, 2015.
[31]	CHENG X , LI X , YANG J ,et al. SESR:single image super resolution with recursive squeeze and excitation networks[C]// Proceedings of 2018 24th International Conference on Pattern Recognition (ICPR). 2018: 147-152.
[32]	DOSOVITSKIY A , BEYER L , KOLESNIKOV A ,et al. An image is worth 16x16 words:transformers for image recognition at scale[K]. arXiv Preprint arXiv:2010.11929, 2020.
[33]	LIU Z , LIN Y T , CAO Y ,et al. Swin transformer:hierarchical vision transformer using shifted windows[C]// Proceedings of 2021 IEEE/CVF International Conference on Computer Vision (ICCV). 2022: 9992-10002.
[34]	VASWANI A , SHAZEER N , PARMAR N ,et al. Attention is all you need[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017: 6000-6010.
[35]	SUN F , LIU J , WU J ,et al. BERT4Rec:sequential recommendation with bidirectional encoder representations from transformer[C]// Proceedings of the 28th ACM International Conference on Information and Knowledge Management. 2019: 1441-1450.
[36]	MNIH V , HEESS N , GRAVES A ,et al. Recurrent models of visual attention[J]. arXiv Preprint arXiv:1406.6247, 2014.
[37]	ZHAO B , WU X , FENG J S ,et al. Diversified visual attention networks for fine-grained object classification[J]. IEEE Transactions on Multimedia, 2017,19(6): 1245-1256.
[38]	STOLLENGA M F , MASCI J , GOMEZ F ,et al. Deep networks with internal selective attention through feedback connections[C]// Proceedings of the 27th International Conference on Neural Information Processing Systems. 2014: 3545-3553.
[39]	ELSAYED G F , KORNBLITH S , LE Q V . Saccader:improving accuracy of hard attention models for vision[J]. arXiv Preprint arXiv:1908.07644, 2019.
[40]	ANDERSON P , HE X D , BUEHLER C ,et al. Bottom-up and top-down attention for image captioning and visual question answering[C]// Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2018: 6077-6086.

模型	召回率	精确率	F1值
LSTM-FCN模型	84.23%	91.44%	87.68%
LSTM-FCN模型+数据增强	86.20%	92.59%	89.28%
LSTM-FCN模型+硬注意力	94.58%	90.99%	92.75%
LSTM-FCN模型+混合方法	94.08%	92.71%	93.39%

模型	召回率	精确率	F1值
标准LSTM-FCN	91.04%	94.25%	92.62%
添加第3层残差	95.51%	90.59%	92.98%
添加第4层残差	94.43%	91.90%	93.14%
添加第3、4层残差	94.08%	92.71%	93.39%

基于操作注意力和数据增强的内部威胁检测

Insider threat detection based on operational attention and data augmentation

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 40

相关文章 15

Metrics

推荐阅读 0

[1]	陈立全, 朱宇航, 王宇, 秦中元, 马旸. 基于混沌神经网络和C-MD结构的带密钥哈希函数[J]. 网络与信息安全学报, 2023, 9(3): 1-15.
[2]	蔡召, 荆涛, 任爽. 以太坊钓鱼诈骗检测技术综述[J]. 网络与信息安全学报, 2023, 9(2): 21-32.
[3]	侯泽洲, 任炯炯, 陈少真. 基于神经网络区分器的SIMON-like算法参数安全性评估[J]. 网络与信息安全学报, 2023, 9(2): 154-163.
[4]	谢绒娜, 马铸鸿, 李宗俞, 田野. 基于卷积神经网络的加密流量分类方法[J]. 网络与信息安全学报, 2022, 8(6): 84-91.
[5]	单棣斌, 杜学绘, 王文娟, 刘敖迪, 王娜. 基于GNN双源学习的访问控制关系预测方法[J]. 网络与信息安全学报, 2022, 8(5): 40-55.
[6]	陈浩, 王锋, 张卫明, 俞能海. 载体独立的深度光照水印算法[J]. 网络与信息安全学报, 2022, 8(4): 110-118.
[7]	林点, 潘理, 易平. 面向图像识别的卷积神经网络鲁棒性研究进展[J]. 网络与信息安全学报, 2022, 8(3): 111-122.
[8]	王馨雅, 华光, 江昊, 张海剑. 深度学习模型的版权保护研究综述[J]. 网络与信息安全学报, 2022, 8(2): 1-14.
[9]	乔通, 姚宏伟, 潘彬民, 徐明, 陈艳利. 基于深度学习的数字图像取证技术研究进展[J]. 网络与信息安全学报, 2021, 7(5): 13-28.
[10]	王正龙, 张保稳. 生成对抗网络研究综述[J]. 网络与信息安全学报, 2021, 7(4): 68-85.
[11]	李炳龙, 佟金龙, 张宇, 孙怡峰, 王清贤, 常朝稳. 基于TensorFlow的恶意代码片段自动取证检测算法[J]. 网络与信息安全学报, 2021, 7(4): 154-163.
[12]	陈晋音, 张敦杰, 黄国瀚, 林翔, 鲍亮. 面向图神经网络的对抗攻击与防御综述[J]. 网络与信息安全学报, 2021, 7(3): 1-28.
[13]	李沛杰, 张丽, 夏云飞, 许立明. 基于软件定义的可重构卷积神经网络架构设计[J]. 网络与信息安全学报, 2021, 7(3): 29-36.
[14]	陈皓, 易平. 基于图神经网络的代码漏洞检测方法[J]. 网络与信息安全学报, 2021, 7(3): 37-45.
[15]	谭清尹, 曾颖明, 韩叶, 刘一静, 刘哲理. 神经网络后门攻击研究[J]. 网络与信息安全学报, 2021, 7(3): 46-58.