CN108388969A - Insider threat person risk prediction method based on temporal features of personal behavior - Google Patents
- Publication number: CN108388969A
- Application number: CN201810233655.1A
- Authority: CN (China)
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06Q10/04—Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
- G06N3/044—Recurrent networks, e.g. Hopfield networks
- G06N3/045—Combinations of networks
- G06N3/08—Learning methods
- G06Q10/0635—Risk analysis of enterprise or organisation activities
Abstract
The present invention relates to an insider-threat person risk prediction method based on temporal features and belongs to the technical field of computer and information science. The invention first preprocesses the person's accumulated historical behavior information and extracts features from it, including quantization, sampling, pre-emphasis and windowing of the person information, and converts heterogeneous feature data from multiple fields into corresponding numerical features; it then carries out composite training of the insider-threat person prediction model, building an LSTM-based insider-threat person risk prediction model; finally, the LSTM-based insider-threat person risk prediction model is used for risk prediction, assessment and early warning. Compared with other common methods, the invention has higher accuracy, gives enterprises a basis for quantifying insider threats, and provides a tiered early-warning mode for insider-threat persons.
Description
Technical field
The present invention relates to an insider-threat person risk prediction method based on temporal features of personal behavior, and belongs to the technical field of computer and information science.
Background art
Within an organization or enterprise, it is generally necessary to monitor insider-threat persons in real time and predict their behavior. A person's accumulated historical behavior information is fully used to predict that person's behavior, an insider-threat assessment is carried out on the person, and early warning is given for dangerous persons. The present invention therefore provides an insider-threat person risk prediction method for carrying out risk assessment and early warning on persons inside an enterprise or organization.
The basic problem that an insider-threat person risk prediction method has to solve is: predict a person's behavior from the person's accumulated historical behavior information, detect the person's abnormal behavior, quantify the prediction result, define criteria for dividing insider-threat levels, carry out an insider-threat assessment on the person, and give early warning for persons whose assessment result is high risk or medium risk, thereby reducing the information security risk of the organization or enterprise. The methods commonly used fall into two classes:
1. Insider-threat person prediction based on graph mining
The graph-mining-based insider-threat person prediction method, GBAD, was the first to treat insider-threat person data as an unbounded data stream, and proposed that the stream can be split into a series of discrete blocks, for example with each block containing one week of data. It mainly considers three graph operations: modification, insertion and deletion of the graph. Although this method is likewise based on sequence features, GBAD divides the input stream into blocks, each block being a subgraph, and what it considers is the conditional probability of the current block given the information of the several preceding blocks. If GBAD took each day's behavior features as one block, model training would be slow and the results poor. In addition, GBAD cannot take all historical information into account. GBAD therefore generalizes poorly and its prediction accuracy is relatively low.
2. Prediction of insider-threat persons' resource abuse based on the hidden Markov model (HMM)
The resource-abuse prediction method for insider-threat persons based on the hidden Markov model (HMM) takes the files of the information system as the states of the model and the transaction operations of the insider-threat person as the observation symbols, and can improve the hit rate and reduce the false alarm rate. A Markov model is used to represent the person's state, the Markov transition probability matrix is used to count the number of transitions of the person between different states, and abnormal changes of the person are predicted on that basis. However, Markov models and HMMs are not suited to the insider-threat scenario. The Markov assumption states that the current state is related only to the preceding state and is unrelated to the states before it, so historical information is not fully used. In theory a higher-order Markov model can solve this problem, but at the cost of computation and performance.
In summary, existing insider-threat person risk prediction methods have difficulty making full use of historical information and cannot assess the risk of insider-threat persons more accurately, so the present invention proposes an insider-threat person risk prediction method based on temporal features of personal behavior.
Summary of the invention
The purpose of the present invention is to obtain a basis for quantifying insider threats, to provide a tiered insider-threat person early-warning model, and to improve the overall performance of the insider-threat person risk prediction model.
The design principle of the present invention is as follows: first, the person's accumulated historical behavior information is preprocessed and features are extracted from it, including quantization, sampling, pre-emphasis and windowing of the person information, and heterogeneous feature data from multiple fields is converted into corresponding numerical features; then composite training of the insider-threat person prediction model is carried out, building an insider-threat person risk prediction model that combines temporal features of personal behavior with an LSTM; finally, this combined model is used for risk prediction and assessment.
The technical solution of the present invention is achieved by the following steps:
Step 1: preprocess the person information and extract features.
Step 1.1: quantize, sample, pre-emphasize and window the person information.
Step 1.2: extract 3 kinds of features from the data source: the person's attribute features, the person's "count" features, and the person's psychological features.
Step 1.3: carry out further feature extraction and quantization on the extracted features to obtain finer-grained behavior features.
Step 2: composite training of the insider-threat risk prediction model.
Step 2.1: train the LSTM model using 80% of the person feature data.
Step 2.2: build the original insider-threat person risk prediction model from the person-information training data.
Step 3: risk prediction and assessment with the LSTM model.
Step 3.1: carry out insider-threat person risk prediction on the test set using the method based on temporal features of personal behavior.
Step 3.2: according to the risk prediction result and the person threat-level division, carry out an insider-threat risk assessment on each person, and give early warning for persons whose assessment result is high risk or medium risk.
Beneficial effects
Compared with the graph-mining-based insider-threat person prediction method, the present invention can process data with one day as a time point, and the LSTM makes use of all preceding historical information, so it performs better.
Compared with the HMM-based prediction method for insider-threat persons' resource abuse, the present invention is better suited to the insider-threat scenario, makes fuller use of historical information, incurs a smaller cost in computation and performance, and generalizes well.
Brief description of the drawings
Fig. 1 is the framework diagram of the insider-threat person risk prediction principle.
Fig. 2 compares the accuracy, recall and F-value of the LSTM and other methods in the test experiments.
Detailed description of the embodiments
To better illustrate the purpose and advantages of the present invention, an embodiment of the method is further described below with reference to an example.
The detailed process is:
Step 1: preprocess the person information and extract features.
Step 1.1: first quantize and sample the audio data; then screen the person data for missing values and outliers, reject the outliers and fill in the missing values.
Step 1.2: extract 3 kinds of features from the CERT-IT (v6.2) data source: the person's attribute features, the person's psychological features, and the person's "count" features.
Step 1.3: carry out further feature extraction and quantization on the extracted features to obtain finer-grained behavior features. The processed data set contains 521 days of person data; weekend data was removed because it may not follow weekday behavior patterns.
Step 2: composite training of the insider-threat risk prediction model.
Step 2.1: days 1 to 417 are used as the training set for training the LSTM model, and days 418 to 521 as the test set. While training the LSTM, the number of hidden layers is tuned (from 1 to 6), the number of neurons per hidden layer is tuned (from 20 to 500), and the time step is tuned (from 3 to 40); the batch size of each sample input is set to 260, the learning rate is set to 0.01, mean squared error is chosen as the loss function, and the optimization method is ADAM (a variant of gradient descent).
Step 2.2: given the hidden-layer output $h_{t-1}$ at time t-1, the score of the person as an insider-threat person at time t is defined as $T_t = -1000 \log P_\theta(x_t \mid h_{t-1})$. θ is the output of the model; it represents the conditional probability distribution of the observation vector $x_t$ of the person's behavior at the next time step. $x_t$ is the observation vector of the person's behavior features at time t, and $h_{t-1}$ is the output vector of the hidden layer at time t-1; the person's behavior history before t-1 is implicit in $h_{t-1}$. The conditional probability $P_\theta(x_t \mid h_{t-1})$ of the observation vector $x_t$ given $h_{t-1}$ therefore has a concrete meaning. A smaller $T_t$ indicates that the person's behavior has not changed abnormally, so the probability that the person poses an insider threat is considered low. A larger $T_t$ indicates that the person's behavior has changed abnormally and does not fit the person's normal behavior trend, so the probability that the person poses an insider threat is considered high.
Step 3: risk prediction and assessment with the LSTM model.
Step 3.1: the conditional probability $P_\theta(x_t \mid h_{t-1})$ $P_{\theta^{(Y)}}(V_t \mid h_{t-1})$ in the risk prediction model can be expressed as
where $\theta^{(V)}$ and $\theta^{(Y)}$ are the outputs of the LSTM hidden layers. $\theta^{(V)}$ and $\theta^{(Y)}$ are calculated as follows:
$\theta^{(V)} = o^{(V)}_t \odot \tanh(c^{(V)}_t)$
$\theta^{(Y)} = o^{(Y)}_t \odot \tanh(c^{(Y)}_t)$
The trained parameters are the weight matrix W and the bias matrix b; these two parameters are shared across all persons. The LSTM yields the conditional probability distribution, from which the conditional probability of occurrence is calculated; this finally gives the insider-threat risk prediction probability, which is converted into the insider-threat person score.
Step 3.2: person threat levels can be divided according to the insider-threat person risk prediction result and the threat score. According to the division result, an insider-threat risk assessment is carried out on each person, and early warning is given for persons whose assessment result is high risk or medium risk.
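Steps 2.2 and 3.2 in runnable form, as an added Python example that is not part of the patent text: a one-unit LSTM cell produces $h_{t-1}$, a softmax readout gives $P_\theta(x_t \mid h_{t-1})$, and the score $T_t$ is mapped to a warning tier. The hand-set weights (standing in for the trained W and b), the two behavior classes, the softmax readout, the natural logarithm and the tier cut-offs are all assumptions, since the patent text does not give them.

```python
import math

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

# Constructed parameters standing in for the trained W and b (shared by all
# persons). Hidden size 1; the input is a one-hot over two assumed daily
# behaviour classes: 0 = office-hours activity, 1 = after-hours activity.
# Each gate row is [w_x0, w_x1, w_h, bias].
PARAMS = {
    "i": [0.0, 0.0, 0.0, 4.0],   # input gate, mostly open
    "f": [0.0, 0.0, 0.0, 2.0],   # forget gate, keeps about 88% of the cell per day
    "o": [0.0, 0.0, 0.0, 4.0],   # output gate, mostly open
    "g": [1.0, -1.0, 0.0, 0.0],  # candidate: positive for class 0, negative for class 1
}
READOUT = [3.0, -3.0]            # logit of class k is READOUT[k] * h
TIERS = [(3000.0, "high"), (1000.0, "medium")]  # assumed cut-offs, not from the patent

def lstm_step(x_class, h, c):
    """One LSTM step; returns (h_t, c_t) with h_t = o_t * tanh(c_t)."""
    x = [1.0 if k == x_class else 0.0 for k in range(2)]

    def pre(gate):
        w = PARAMS[gate]
        return w[0] * x[0] + w[1] * x[1] + w[2] * h + w[3]

    i, f, o = sigmoid(pre("i")), sigmoid(pre("f")), sigmoid(pre("o"))
    g = math.tanh(pre("g"))
    c = f * c + i * g
    return o * math.tanh(c), c

def predictive_dist(h_prev):
    """P_theta(x_t = k | h_{t-1}) as a softmax over the readout logits."""
    logits = [r * h_prev for r in READOUT]
    m = max(logits)
    exps = [math.exp(z - m) for z in logits]
    total = sum(exps)
    return [e / total for e in exps]

def threat_score(p, floor=1e-12):
    """T_t = -1000 * log P; the floor keeps the score finite if P underflows to 0."""
    return -1000.0 * math.log(max(p, floor))

def tier(score):
    for cutoff, name in TIERS:
        if score >= cutoff:
            return name
    return "low"

def score_person(days):
    """Score each day's observation against the state built from earlier days only."""
    h, c, out = 0.0, 0.0, []
    for x_class in days:
        t = threat_score(predictive_dist(h)[x_class])
        out.append((round(t, 1), tier(t)))
        h, c = lstm_step(x_class, h, c)  # fold today into the history after scoring
    return out

if __name__ == "__main__":
    day_worker = [0] * 20 + [1]   # constructed: 20 office-hours days, then one after-hours day
    night_worker = [1] * 21       # constructed: after-hours activity is this person's norm
    print("day worker, day 21:  ", score_person(day_worker)[-1])
    print("night worker, day 21:", score_person(night_worker)[-1])
```

The same after-hours day scores about 5,900 ("high") for the day worker and about 3 ("low") for the night worker, because each score is conditioned on that person's own $h_{t-1}$. On the first day $h_0 = 0$ gives both classes probability 0.5, so every person starts at about 693 regardless of behavior.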
Test results: the experiment used the insider-threat person risk prediction model based on temporal features of personal behavior to predict on the processed test set and compared it with several other common methods. The results show that the present invention performs better than the other models, with an accuracy of 89.65%, a recall of 90.75% and an F-value of 90.20%, and can carry out risk prediction on persons. The results are shown in Fig. 2. The invention gives enterprises a basis for quantifying insider threats and provides a tiered insider-threat person early-warning mode.
The specific description above further explains the purpose, technical solution and beneficial effects of the invention. It should be understood that the above is only a specific embodiment of the present invention and is not intended to limit its scope of protection; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (3)
1. An insider-threat person risk prediction method based on temporal features of personal behavior, characterized in that the method comprises the following steps:
Step 1: preprocess the person information and extract features, including: rejecting abnormal data, filling in missing data, and standardizing the person's numerical values; then extracting 3 kinds of features from the data: the person's attribute features, the person's psychological features, and the person's "count" features; and finally carrying out fine-grained feature extraction and merging the results to obtain a feature vector;
Step 2: build an insider-threat risk prediction model using the LSTM algorithm and train it on the person feature data, finally obtaining the insider-threat risk prediction probability and converting it into an insider-threat person score;
Step 3: divide person threat levels according to the insider-threat person risk prediction result and the threat score, carry out an insider-threat assessment on each person according to the person threat-level division criteria, and give early warning for persons whose assessment result is high risk or medium risk.
2. The insider-threat person risk prediction method based on temporal features of personal behavior according to claim 1, characterized in that: the scoring formula of the insider-threat risk prediction model built with the LSTM algorithm in step 2 is $T_t = -1000 \log P_\theta(x_t \mid h_{t-1})$, where θ is the output of the model and represents the conditional probability distribution of the observation vector $x_t$ of the person's behavior at the next time step, $x_t$ is the observation vector of the person's behavior features at time t, and $h_{t-1}$ is the output vector of the hidden layer at time t-1; the person's behavior history before t-1 is embodied in $h_{t-1}$.
3. The insider-threat person risk prediction method based on temporal features of personal behavior according to claim 1, characterized in that: the conditional probability $P_\theta(x_t \mid h_{t-1})$ in step 2 is calculated as follows:
and $\theta^{(V)}$ and $\theta^{(Y)}$ are the outputs of the LSTM hidden layers; $\theta^{(V)}$ and $\theta^{(Y)}$ are calculated as follows:
$\theta^{(V)} = o^{(V)}_t \odot \tanh(c^{(V)}_t)$
$\theta^{(Y)} = o^{(Y)}_t \odot \tanh(c^{(Y)}_t)$
wherein the trained parameters are the weight matrix W and the bias matrix b; the conditional probability distribution is obtained from the LSTM risk assessment model, the conditional probability of occurrence is calculated from it, and the insider-threat risk prediction probability is finally obtained and converted into an insider-threat person score.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201810233655.1A CN108388969A (en) | 2018-03-21 | 2018-03-21 | Insider threat person risk prediction method based on temporal features of personal behavior |
Publications (1)
Publication Number | Publication Date |
---|---|
CN108388969A true CN108388969A (en) | 2018-08-10 |
Legal Events
Code | Title | Description
---|---|---
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20180810