基于操作注意力和数据增强的内部威胁检测

doi:10.11959/j.issn.2096-109x.2023042

Abstract

Abstract:

In recent years, there has been an increased focus on the issue of insider threats.Insider threats are a major cause security breaches in organizations and pose an ongoing challenge.By analyzing the existing insider threat data, it was identified that the biggest challenge in insider threat detection lies in data imbalance and the limited number of labeled threat samples.In the Cert R4.2 dataset, which is a classic dataset for insider threat detection, there are over 3.22 million log data, but only 7,423 are marked as malicious operation logs.Furthermore, most of the operation types in the logs are not related to malicious behavior, and only two types of operations are highly correlated with malicious behavior, such as leaking company data, creating interference in the detection process.To address this challenge, a data processing framework was designed based on operational attention and data augmentation.Anomaly evaluation was first performed on operations by the framework, and operations with low anomaly scores were then masked.This makes the model better focus on operations related to malicious behavior, which can be considered as a hard attention mechanism for operations.Next, the characteristics of the insider threat dataset were analyzed, and three rules were designed for data augmentation on malicious samples to increase the diversity of samples and alleviate the substantial imbalance between positive and negative samples.Supervised insider threat detection was regarded as a time-series classification problem.Residual connections were added to the LSTM-FCN model to achieve multi-granularity detection, and indicators such as precision rate and recall rate were used to evaluate the model.The results indicate superior performance over existing baseline models.Moreover, the data processing framework was implemented on various classic models, such as ITD-Bert and TextCNN, and the results show that the methods effectively improve the performance of insider threat detection models.

Key words: Insider threat detection, hard attention, data augmentation, neural network

CLC Number:

TP309.2

Guanyun FENG, Cai FU, Jianqiang LYU, Lansheng HAN. Insider threat detection based on operational attention and data augmentation[J]. Chinese Journal of Network and Information Security, 2023, 9(3): 102-112.

Figures/Tables 9

References 40

[1]	HOMOLIAK I , TOFFALINI F , GUARNIZO J ,et al. Insight into insiders and IT:a survey of insider threat taxonomies,analysis,modeling,and countermeasures[J]. ACM Computing Surveys, 2020,52(2): 1-40.
[2]	Insider threat 2022 report[EB].
[3]	Gurucul - insider threat survey report[EB].
[4]	Insider threat report 2023[EB].
[5]	YUAN S H , WU X T . Deep learning for insider threat detection:review,challenges and opportunities[J]. Computers ＆ Security, 2021,104:102221.
[6]	LIU L , DE VEL O , HAN Q L ,et al. Detecting and preventing cyber insider threats:a survey[J]. IEEE Communications Surveys ＆ Tutorials, 2018,20(2): 1397-1417.
[7]	MONTANO I H , ARANDA J J G , DIAZ J R ,et al. Survey of techniques on data leakage protection and methods to address the insider threat[J]. Cluster Computing, 2022,25(6): 4289-4302.
[8]	XU J H , WU H X , WANG J M ,et al. Anomaly transformer:time series anomaly detection with association discrepancy[EB/OL]. 2021:arXiv:2110.02642.
[9]	Cmu-cert insider threat test dataset[EB].
[10]	TUOR A , KAPLAN S , HUTCHINSON B ,et al. Deep learning for unsupervised insider threat detection in structured cybersecurity data streams[C]// Proceeding of Workshops of the Thirty-First AAAI Conference on Artificial Intelligence. 2017.
[11]	LIU L , DE VEL O , CHEN C ,et al. Anomaly-based insider threat detection using deep autoencoders[C]// Proceedings of 2018 IEEE International Conference on Data Mining Workshops (ICDMW). 2019: 39-48.
[12]	SHARMA B , POKHAREL P , JOSHI B . User behavior analytics for anomaly detection using LSTM autoencoder-insider threat detection[C]// Proceedings of the 11th International Conference on Advances in Information Technology. 2020: 1-9.
[13]	LIU L , CHEN C , ZHANG J ,et al. Insider threat identification using the simultaneous neural learning of multi-source logs[J]. IEEE Access, 2019,7: 183162-183176.
[14]	SINGH M , MEHTRE B , SANGEETHA S . User behavior based insider threat detection using a multi fuzzy classifier[J]. Multimedia Tools and Applications, 2022,81(16): 22953-22983.
[15]	JIANG J G , CHEN J M , GU T B ,et al. Warder:online insider threat detection system using multi-feature modeling and graph-based correlation[C]// Proceedings of MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM). 2020: 1-6.
[16]	LIU C C , ZHONG Y , WANG Y L . Improved detection of user malicious behavior through log mining based on IHMM[C]// Proceedings of 2018 5th International Conference on Systems and Informatics (ICSAI). 2019: 1193-1198.
[17]	LYU B , WANG D , WANG Y ,et al. A hybrid model based on multi-dimensional features for insider threat detection[C]// Proceedings of International Conference on Wireless Algorithms,Systems,and Applications. 2018: 333-344.
[18]	NASSER M , AL-MHIQANI . A new intelligent multilayer framework for insider threat detection[J]. Computers ＆ Electrical Engineering, 2022,97:107597.
[19]	GAYATHRI R G , SAJJANHAR A , XIANG Y . Image-based feature representation for insider threat classification[J]. Applied Sciences, 2020,10(14): 4945.
[20]	CHATTOPADHYAY P , WANG L P , TAN Y P . Scenario-based insider threat detection from cyber activities[J]. IEEE Transactions on Computational Social Systems, 2018,5(3): 660-675.
[21]	NASIR R , AFZAL M , LATIF R ,et al. Behavioral based insider threat detection using deep learning[J]. IEEE Access, 2021,9: 143266-143274.
[22]	MENG F Z , LOU F , FU Y S ,et al. Deep learning based attribute classification insider threat detection for data security[C]// Proceedings of 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC). 2018: 576-581.
[23]	JIANG W , TIAN Y , LIU W X ,et al. An insider threat detection method based on user behavior analysis[C]// International Conference on Intelligent Information Processing. 2018: 421-429.
[24]	LI D Y , YANG L , ZHANG H G ,et al. Image-based insider threat detection via geometric transformation[J]. Security and Communication Networks, 2021: 1-18.
[25]	HUANG W Q , ZHU H , LI C ,et al. ITDBERT:temporal-semantic representation for insider threat detection[C]// Proceedings of 2021 IEEE Symposium on Computers and Communications (ISCC). 2021: 1-7.
[26]	LEGG P A , BUCKLEY O , GOLDSMITH M ,et al. Automated insider threat detection system using user and role-based profile assessment[J]. IEEE Systems Journal, 2017,11(2): 503-512.
[27]	JIANG J G , CHEN J M , GU T B ,et al. Anomaly detection with graph convolutional networks for insider threat and fraud detection[C]// Proceedings of MILCOM 2019 - 2019 IEEE Military Communications Conference (MILCOM). 2020: 109-114.
[28]	ABEDINIA O , AMJADY N , ZAREIPOUR H . A new feature selection technique for load and price forecast of electrical power systems[J]. IEEE Transactions on Power Systems, 2017,32(1): 62-74.
[29]	XU K , BA J L , KIROS R ,et al. Show,attend and tell:neural image caption generation with visual attention[C]// Proceedings of the 32nd International Conference on International Conference on Machine Learning. 2015: 2048-2057.
[30]	JADERBERG M , SIMONYAN K , ZISSERMAN A ,et al. Spatial transformer networks[J]. arXiv Preprint arXiv:1506.02025, 2015.
[31]	CHENG X , LI X , YANG J ,et al. SESR:single image super resolution with recursive squeeze and excitation networks[C]// Proceedings of 2018 24th International Conference on Pattern Recognition (ICPR). 2018: 147-152.
[32]	DOSOVITSKIY A , BEYER L , KOLESNIKOV A ,et al. An image is worth 16x16 words:transformers for image recognition at scale[K]. arXiv Preprint arXiv:2010.11929, 2020.
[33]	LIU Z , LIN Y T , CAO Y ,et al. Swin transformer:hierarchical vision transformer using shifted windows[C]// Proceedings of 2021 IEEE/CVF International Conference on Computer Vision (ICCV). 2022: 9992-10002.
[34]	VASWANI A , SHAZEER N , PARMAR N ,et al. Attention is all you need[C]// Proceedings of the 31st International Conference on Neural Information Processing Systems. 2017: 6000-6010.
[35]	SUN F , LIU J , WU J ,et al. BERT4Rec:sequential recommendation with bidirectional encoder representations from transformer[C]// Proceedings of the 28th ACM International Conference on Information and Knowledge Management. 2019: 1441-1450.
[36]	MNIH V , HEESS N , GRAVES A ,et al. Recurrent models of visual attention[J]. arXiv Preprint arXiv:1406.6247, 2014.
[37]	ZHAO B , WU X , FENG J S ,et al. Diversified visual attention networks for fine-grained object classification[J]. IEEE Transactions on Multimedia, 2017,19(6): 1245-1256.
[38]	STOLLENGA M F , MASCI J , GOMEZ F ,et al. Deep networks with internal selective attention through feedback connections[C]// Proceedings of the 27th International Conference on Neural Information Processing Systems. 2014: 3545-3553.
[39]	ELSAYED G F , KORNBLITH S , LE Q V . Saccader:improving accuracy of hard attention models for vision[J]. arXiv Preprint arXiv:1908.07644, 2019.
[40]	ANDERSON P , HE X D , BUEHLER C ,et al. Bottom-up and top-down attention for image captioning and visual question answering[C]// Proceedings of 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2018: 6077-6086.

Metrics

Recommended 0

No Suggested Reading articles found!

模型	召回率	精确率	F1值
LSTM-FCN模型	84.23%	91.44%	87.68%
LSTM-FCN模型+数据增强	86.20%	92.59%	89.28%
LSTM-FCN模型+硬注意力	94.58%	90.99%	92.75%
LSTM-FCN模型+混合方法	94.08%	92.71%	93.39%

模型	召回率	精确率	F1值
标准LSTM-FCN	91.04%	94.25%	92.62%
添加第3层残差	95.51%	90.59%	92.98%
添加第4层残差	94.43%	91.90%	93.14%
添加第3、4层残差	94.08%	92.71%	93.39%

Insider threat detection based on operational attention and data augmentation

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 40

Related Articles 15

Metrics

Recommended 0

[1]	Liquan CHEN, Yuhang ZHU, Yu WANG, Zhongyuan QIN, Yang MA. New hash function based on C-MD structure and chaotic neural network [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 1-15.
[2]	Zhao CAI, Tao JING, Shuang REN. Survey on Ethereum phishing detection technology [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 21-32.
[3]	Zezhou HOU, Jiongjiong REN, Shaozhen CHEN. Security evaluation for parameters of SIMON-like cipher based on neural network distinguisher [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 154-163.
[4]	Rongna XIE, Zhuhong MA, Zongyu LI, Ye TIAN. Encrypted traffic classification method based on convolutional neural network [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 84-91.
[5]	Dibin SHAN, Xuehui DU, Wenjuan WANG, Aodi LIU, Na WANG. Access control relationship prediction method based on GNN dual source learning [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 40-55.
[6]	Hao CHEN, Feng WANG, Weiming ZHANG, Nenghai YU. Carrier-independent deep optical watermarking algorithm [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 110-118.
[7]	Dian LIN, Li PAN, Ping YI. Research on the robustness of convolutional neural networks in image recognition [J]. Chinese Journal of Network and Information Security, 2022, 8(3): 111-122.
[8]	Xinya WANG, Guang HUA, Hao JIANG, Haijian ZHANG. Survey on intellectual property protection for deep learning model [J]. Chinese Journal of Network and Information Security, 2022, 8(2): 1-14.
[9]	Tong QIAO, Hongwei YAO, Binmin PAN, Ming XU, Yanli CHEN. Research progress of digital image forensic techniques based on deep learning [J]. Chinese Journal of Network and Information Security, 2021, 7(5): 13-28.
[10]	Zhenglong WANG, Baowen ZHANG. Survey of generative adversarial network [J]. Chinese Journal of Network and Information Security, 2021, 7(4): 68-85.
[11]	Jinyin CHEN, Dunjie ZHANG, Guohan HUANG, Xiang LIN, Liang BAO. Adversarial attack and defense on graph neural networks: a survey [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 1-28.
[12]	Peijie LI, Li ZHANG, Yunfei XIA, Liming XU. Architecture design of re-configurable convolutional neural network on software definition [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 29-36.
[13]	Hao CHEN, Ping YI. Code vulnerability detection method based on graph neural network [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 37-45.
[14]	Qingyin TAN, Yingming ZENG, Ye HAN, Yijing LIU, Zheli LIU. Survey on backdoor attacks targeted on neural network [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 46-58.
[15]	Xin ZHANG,Weizhong QIANG,Yueming WU,Deqing ZOU,Hai JIN. Mining behavior pattern of mobile malware with convolutional neural network [J]. Chinese Journal of Network and Information Security, 2020, 6(6): 35-44.