CN108388969A - Insider threat personnel risk prediction method based on temporal features of personal behavior - Google Patents


Info

Publication number
CN108388969A
CN108388969A CN201810233655.1A CN201810233655A CN108388969A CN 108388969 A CN108388969 A CN 108388969A CN 201810233655 A CN201810233655 A CN 201810233655A CN 108388969 A CN108388969 A CN 108388969A
Authority
CN
China
Prior art keywords
personage
inside threat
threat
risk
lstm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201810233655.1A
Other languages
Chinese (zh)
Inventor
罗森林
陈骋
潘丽敏
曲乐炜
张笈
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Institute of Technology BIT
Priority to CN201810233655.1A
Publication of CN108388969A


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/04 Forecasting or optimisation specially adapted for administrative or management purposes, e.g. linear programming or "cutting stock problem"
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/044 Recurrent networks, e.g. Hopfield networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/045 Combinations of networks
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities

Abstract

The present invention relates to an insider threat personnel risk prediction method based on temporal features and belongs to the technical field of computer and information science. The invention first preprocesses a person's accumulated historical behavior information and extracts features from it, including quantization, sampling, pre-emphasis and windowing of the person's information, and converts heterogeneous feature data from multiple domains into corresponding numerical features. It then carries out composite training of the insider threat prediction model, building an LSTM-based insider threat personnel risk prediction model. Finally, the LSTM-based risk prediction model is used for risk prediction, assessment and early warning. Compared with other common methods, the invention achieves higher accuracy, gives enterprises a basis for quantifying insider threats, and provides a tiered early-warning mode for insider threat personnel.

Description

Insider threat personnel risk prediction method based on temporal features of personal behavior
Technical field
The present invention relates to an insider threat personnel risk prediction method based on temporal features of personal behavior, and belongs to the technical field of computer and information science.
Background art
Within an organization or enterprise, it is often necessary to monitor insider threat personnel in real time and to predict their behavior. A person's behavior is predicted by making full use of that person's accumulated historical behavior information, an insider threat assessment is carried out on the person, and early warning is issued for dangerous persons. The present invention therefore provides an insider threat personnel risk prediction method for carrying out risk assessment and early warning on persons inside an enterprise or organization.
The basic problem that an insider threat personnel risk prediction method has to solve is the following: predict a person's behavior from the person's accumulated historical behavior information, detect the person's abnormal behavior, quantify the prediction result, formulate a standard for dividing insider threat levels, carry out an insider threat assessment on the person, and issue early warning for persons whose assessment result is high risk or medium risk, thereby reducing the information security risk of the organization or enterprise. The methods commonly used fall into two classes:
1. Insider threat personnel prediction method based on graph mining
GBAD, the insider threat personnel prediction method based on graph mining, was the first to treat insider threat personnel data as an unbounded data stream. It proposes that the data stream can be split into a series of discrete blocks, for example with each block containing one week of data, and it mainly considers three graph operations: modification, insertion and deletion. Although this method is likewise based on temporal characteristics, GBAD divides the input stream into separate blocks, each of which is a subgraph, and what it considers is the conditional probability of the current block given the information of the several preceding blocks. If GBAD takes each day's behavioral features as one block, model training becomes slow and ineffective. In addition, GBAD cannot take all historical information into account. GBAD therefore generalizes poorly and its prediction accuracy is relatively low.
2. Insider resource abuse prediction method based on the Hidden Markov Model (HMM)
The HMM-based insider resource abuse prediction method takes the files of the information system as the states of the model and the transaction operations of the insider as the observation symbols, which can improve the hit rate and reduce the false alarm rate. The state of a person is represented with a Markov model, the transition probability matrix of the Markov model is used to count the person's transitions between different states, and abnormal changes in the person are predicted on that basis. However, Markov models and HMMs are not well suited to the insider threat scenario. The Markov assumption states that the current state depends only on the immediately preceding state and is independent of the states before it, so historical information is not fully used. In theory a higher-order Markov model can solve this problem, but at the cost of more computation and lower performance.
In summary, existing insider threat personnel risk prediction methods have difficulty making full use of historical information and cannot assess the risk of insider threat personnel more accurately, so the present invention proposes an insider threat personnel risk prediction method based on temporal features of personal behavior.
Summary of the invention
The purpose of the present invention is to obtain a basis for quantifying insider threats, to provide a tiered early-warning model for insider threat personnel, and to improve the overall performance of the insider threat personnel risk prediction model.
The design principle of the present invention is as follows. First, the person's accumulated historical behavior information is preprocessed and features are extracted from it, including quantization, sampling, pre-emphasis and windowing of the person's information, and heterogeneous feature data from multiple domains is converted into corresponding numerical features. Then composite training of the insider threat prediction model is carried out, building an insider threat personnel risk prediction model that combines temporal features of personal behavior with an LSTM. Finally, that model is used to carry out risk prediction and assessment.
The technical solution of the present invention is implemented through the following steps:
Step 1: preprocess the person information and extract features.
Step 1.1: quantize, sample, pre-emphasize and window the person information.
Step 1.2: extract three kinds of features from the data source: the person's attribute features, the person's "count" features, and the person's psychological features.
Step 1.3: carry out further feature extraction and quantization on the extracted features to obtain finer-grained behavioral features.
Step 2: composite training of the insider threat risk prediction model.
Step 2.1: train the LSTM model using 80% of the person-information feature data.
Step 2.2: build the original insider threat personnel risk prediction model from the training data of the person information.
Step 3: risk prediction and assessment with the LSTM model.
Step 3.1: carry out insider threat personnel risk prediction on the test set using the method based on temporal features of personal behavior.
Step 3.2: based on the risk prediction results and the threat-level division, carry out an insider threat risk assessment on each person and issue early warning for persons whose assessment result is high risk or medium risk.
Advantageous effects
Compared with the insider threat personnel prediction method based on graph mining, the present invention can process data with one day as a time point, and the LSTM makes use of all preceding historical information, so it performs better.
Compared with the HMM-based insider resource abuse prediction method, the present invention is better suited to the insider threat scenario, makes fuller use of historical information, incurs a smaller loss in computation and performance, and generalizes well.
Description of the drawings
Fig. 1 is the framework diagram of the insider threat personnel risk prediction principle.
Fig. 2 compares the accuracy, recall and F-value of the LSTM and other methods in the test experiments.
Detailed description
To better illustrate the purpose and advantages of the present invention, an embodiment of the method is described in further detail below with reference to an example.
The detailed process is:
Step 1: preprocess the person information and extract features.
Step 1.1: the audio data is first quantized and sampled; then missing values and outliers in the person data are screened, outliers are rejected, and missing values are completed.
Step 1.2: extract three kinds of features from the CERT-IT (v6.2) data source: the person's attribute features, the person's psychological features, and the person's "count" features.
Step 1.3: carry out further feature extraction and quantization on the extracted features to obtain finer-grained behavioral features. The processed data set covers 521 days of person data, with weekend data removed because weekend data may not follow the behavior patterns of working days.
Step 2: composite training of the insider threat risk prediction model.
Step 2.1: days 1 to 417 are used as the training set for training the LSTM model, and days 418 to 521 are used as the test set. While training the LSTM, the number of hidden layers is adjusted (from 1 to 6), the number of neurons per hidden layer is adjusted (from 20 to 500), and the time step is adjusted (from 3 to 40). The batch size of each sample input is set to 260, the learning rate is set to 0.01, mean squared error is chosen as the loss function, and ADAM (a variant of gradient descent) is used as the optimization method.
Step 2.2: once the hidden-layer output $h_{t-1}$ at time $t-1$ has been obtained, the person's insider threat score at time $t$ is defined as $T_t = -1000 \log P_\theta(x_t \mid h_{t-1})$. θ is the output of the model; it represents the conditional probability distribution of the observation vector $x_t$ of the person's behavior at the next moment. $x_t$ is the observation vector of the person's behavioral features at time $t$, and $h_{t-1}$ is the output vector of the hidden layer at time $t-1$; the person's behavior history before $t-1$ is implicitly contained in $h_{t-1}$. The conditional probability $P_\theta(x_t \mid h_{t-1})$ of the observation vector $x_t$ given $h_{t-1}$ therefore has a concrete meaning. The smaller $T_t$ is, the more it indicates that the person's behavior has not changed abnormally, and the probability that the person poses an insider threat is considered low. The larger $T_t$ is, the more it indicates that the person's behavior has changed abnormally and does not follow the person's normal behavior trend, and the probability that the person poses an insider threat is considered high.
Step 3: risk prediction and assessment with the LSTM model.
Step 3.1: in the risk prediction model, the conditional probability $P_\theta(x_t \mid h_{t-1})$ $P_{\theta(Y)}(V_t \mid h_{t-1})$ can be expressed as
where $\theta(V)$ and $\theta(Y)$ are the outputs of the LSTM hidden layers. $\theta(V)$ and $\theta(Y)$ are calculated as follows:
$\theta(V) = o(V)_t \odot \tanh(c(V)_t)$
$\theta(Y) = o(Y)_t \odot \tanh(c(Y)_t)$
The trained parameters are the weight matrix W and the bias matrix b; both are shared across all persons. The LSTM yields the conditional probability distribution, from which the conditional probability of the observed behavior occurring can be calculated. This finally gives the insider threat risk prediction probability, which is converted into an insider threat personnel score.
Step 3.2: persons can be divided into threat levels according to the insider threat personnel risk prediction result and the threat score. Based on the division result, an insider threat risk assessment is carried out on each person, and early warning is issued for persons whose assessment result is high risk or medium risk.
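The scoring rule of step 2.2 and the tiered early warning of step 3.2, as an added Python example that is not part of the patent. A decayed bin-frequency predictor stands in for the LSTM's conditional distribution, and the bin count, decay factor, warm-up period, tier thresholds, feature names and sample users are all constructed assumptions.

```python
import math

BINS = 4                 # each daily feature is quantized into 4 bins (assumption)
DECAY = 0.9              # how fast the stand-in predictor forgets old days (assumption)
WARMUP = 10              # days that are scored but not tiered while history builds up
MEDIUM, HIGH = 2500.0, 5000.0   # constructed tier thresholds on T_t


class HistoryPredictor:
    """Stand-in for the LSTM: P(x_t | history) from decayed, smoothed bin counts."""

    def __init__(self, n_features):
        self.counts = [[0.0] * BINS for _ in range(n_features)]

    def prob(self, x):
        # Features are treated as independent, so the joint probability is a product.
        p = 1.0
        for counts, observed_bin in zip(self.counts, x):
            p *= (counts[observed_bin] + 1.0) / (sum(counts) + BINS)
        return p

    def update(self, x):
        for counts, observed_bin in zip(self.counts, x):
            for k in range(BINS):
                counts[k] *= DECAY
            counts[observed_bin] += 1.0


def score(p):
    """T_t = -1000 * log P(x_t | h_{t-1}); unlikely behavior gives a large score."""
    return -1000.0 * math.log(p)


def score_user(days):
    """Score each day against the history before it, then fold it into the history."""
    model = HistoryPredictor(len(days[0]))
    scores = []
    for x in days:
        scores.append(score(model.prob(x)))
        model.update(x)
    return scores


def tier(scores):
    """Map a user's peak post-warm-up score to a threat level."""
    peak = max(scores[WARMUP:])
    if peak >= HIGH:
        return "high"
    if peak >= MEDIUM:
        return "medium"
    return "low"


def assess(users):
    return {name: tier(score_user(days)) for name, days in users.items()}


def alerts(users):
    """Early warning goes to the high and medium tiers only."""
    return sorted(n for n, t in assess(users).items() if t in ("high", "medium"))


# Constructed sample data: one tuple per working day, (logon bin, device bin, email bin).
HABIT = (1, 0, 1)
USERS = {
    "u_habit": [HABIT] * 25,
    "u_drift": [HABIT] * 20 + [(1, 3, 1)] + [HABIT] * 4,
    "u_spike": [HABIT] * 20 + [(3, 3, 3)] + [HABIT] * 4,
}

if __name__ == "__main__":
    for name, days in USERS.items():
        s = score_user(days)
        print(name, tier(s), "day-1 score %.0f" % s[0], "day-21 score %.0f" % s[20])
```

With an empty history the first day scores about 4159, above the medium threshold, which is why the warm-up days are excluded from tiering.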
Test results: in the experiment, the insider threat personnel risk prediction model based on temporal features of personal behavior was used to make predictions on the processed test set and was compared with several other common methods. The results show that the present invention performs better than the other models, with an accuracy of 89.65%, a recall of 90.75% and an F-value of 90.20%, and that it can carry out risk prediction on persons. The results are shown in Fig. 2. The invention gives enterprises a basis for quantifying insider threats and provides a tiered early-warning mode for insider threat personnel.
The specific description above further explains the purpose, technical solution and advantageous effects of the invention. It should be understood that the above is only a specific embodiment of the present invention and is not intended to limit its scope of protection; any modification, equivalent substitution or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (3)

1. An insider threat personnel risk prediction method based on temporal features of personal behavior, characterized in that the method comprises the following steps:
Step 1: preprocess the person information and extract features, including: rejecting abnormal data, completing missing data, and standardizing the person's numerical values; then extracting three kinds of features from the data: the person's attribute features, the person's psychological features, and the person's "count" features; and finally carrying out fine-grained feature extraction and merging the results to obtain the feature vector;
Step 2: build the insider threat risk prediction model using the LSTM algorithm and train it on the person's feature data, finally obtaining the insider threat risk prediction probability and converting it into an insider threat personnel score;
Step 3: divide persons into threat levels according to the insider threat personnel risk prediction result and the threat score, carry out an insider threat assessment on each person according to the threat-level division standard, and issue early warning for persons whose assessment result is high risk or medium risk.
2. The insider threat personnel risk prediction method based on temporal features of personal behavior according to claim 1, characterized in that: the scoring formula of the insider threat risk prediction model built with the LSTM algorithm in step 2 is $T_t = -1000 \log P_\theta(x_t \mid h_{t-1})$, where θ is the output of the model and represents the conditional probability distribution of the observation vector $x_t$ of the person's behavior at the next moment, $x_t$ is the observation vector of the person's behavioral features at time $t$, and $h_{t-1}$ is the output vector of the hidden layer at time $t-1$; the person's behavior history before $t-1$ is embodied in $h_{t-1}$.
3. The insider threat personnel risk prediction method based on temporal features of personal behavior according to claim 1, characterized in that: the conditional probability $P_\theta(x_t \mid h_{t-1})$ in step 2 is calculated as follows:
and $\theta(V)$ and $\theta(Y)$ are the outputs of the LSTM hidden layers. $\theta(V)$ and $\theta(Y)$ are calculated as follows:
$\theta(V) = o(V)_t \odot \tanh(c(V)_t)$
$\theta(Y) = o(Y)_t \odot \tanh(c(Y)_t)$
The trained parameters are the weight matrix W and the bias matrix b. The conditional probability distribution is obtained through the LSTM risk assessment model, the conditional probability of the behavior occurring is calculated from it, and the insider threat risk prediction probability is finally obtained and converted into an insider threat personnel score.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810233655.1A CN108388969A (en) 2018-03-21 2018-03-21 Insider threat personnel risk prediction method based on temporal features of personal behavior

Publications (1)

Publication Number Publication Date
CN108388969A (en) 2018-08-10

Family

ID=63068254

Country Status (1)

Country Link
CN (1) CN108388969A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20180810