CN110138763A - An insider threat detection system and method based on dynamic web browsing behavior - Google Patents


Info

Publication number: CN110138763A
Authority: CN (China)
Application number: CN201910384493.6A
Other languages: Chinese (zh)
Other versions: CN110138763B (en)
Legal status: Granted, active
Prior art keywords: user, behavior, data, browsing, user group
Inventors: 于爱民, 王佳荣, 蔡利君, 孟丹
Current assignee: Institute of Information Engineering of CAS
Original assignee: Institute of Information Engineering of CAS

Classifications

    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]


Abstract

The present invention relates to an insider threat detection system and method based on dynamic web browsing behavior. The system consists of five modules: a module that collects web browsing data from user hosts in an organization or enterprise, a data preprocessing and storage module, an individual user behavior anomaly detection module, a user group behavior anomaly detection module, and an information fusion and insider threat detection result output module. The system runs five processes: collecting the web browsing data of users in the organization or enterprise, filtering and denoising the data, dynamically modeling individual users' web browsing behavior and detecting anomalies in it, modeling the relative consistency of user group behavior and detecting anomalies in it, and fusing the two results and outputting the detection result. This gives the system a higher insider threat detection rate and a lower false alarm rate. In addition, the system discovers the user group relationships in the organization or enterprise automatically with a graph clustering algorithm, which makes the system more intelligent and reduces the workload of labeling user groups manually.

Description

An insider threat detection system and method based on dynamic web browsing behavior
Technical field
The present invention relates to an insider threat detection system and method based on dynamic web browsing behavior and belongs to the technical field of information security.
Background art
An insider threat is a malicious internal user who uses their own privileged access to the organization's network, systems and data to damage the confidentiality, integrity and availability of organizational information [1]. Detecting insider threats is a primary task in protecting an organization comprehensively. Malicious internal users are divided into masqueraders and traitors [11]. A masquerader logs into a legitimate user's account with stolen credentials and performs malicious operations, while a traitor performs malicious actions with their own account. Whether masquerader or traitor, malicious or unusual behavior deviates from the normal behavior pattern. Therefore, a large body of research prevents and detects insider threats through anomaly detection techniques. According to the data source used, anomaly-based insider threat detection techniques can be divided into two classes: host-based and network-based. Host-based methods are widely used for masquerader detection; they mainly model the user's operational intent through host programs, such as UNIX commands and keyboard and mouse dynamics, and then identify whether the actor is the normal user. Network-based methods, on the other hand, use network traffic collected by network core devices such as switches, routers and firewalls, or the logs generated by servers such as proxy, mail and VPN servers, to detect malicious application-layer threats.
Traditional network behavior anomaly detection methods extract a series of features from network traffic, such as the IP protocol, the number of network packets, the connection duration and the byte size of each network packet, and feed them into supervised or unsupervised machine learning algorithms [2-5]. However, such methods are mostly used to detect machine-generated anomalies caused by botnets, DDoS and malware, not anomalies in the browsing behavior generated by user operations. In addition, to prevent data theft or financial fraud, graph-based algorithms have been applied to detect abnormal mail communication [6]. Normal communication patterns (graph substructures) are learned from a mail communication graph formed by the mail communication between different users, and when a tested communication is inconsistent with the normal pattern the anomaly detection system raises an alarm. However, in such methods the behavior of individual users is not analyzed independently. Further, some methods analyze multiple types of network logs in combination [7-10]; these methods usually extract a series of features from different network logs (such as proxy, VPN and DHCP logs) and then feed them into a machine learning or deep learning framework. However, such methods need feature engineering that relies on the experience of domain experts, and they fail when malicious behavior appears in an unknown form.
Web browsing behavior modeling methods are mostly used in personalized recommender systems, which mainly build a model of the user's preferences from the content of the browsed pages [13] or from entered text [14]. In the fields of network security and insider threats, however, web browsing behavior modeling methods have seldom been studied. Only a small amount of work models web browsing behavior for user identification. [15] builds four user models from page access frequency and page browsing time, and characterizes the user vector by selecting the N most frequently accessed domain names. [16] characterizes the user vector by selecting N browsing patterns with support-based and lift-based methods. However, both methods model user behavior with fixed user browsing patterns and ignore the dynamic variability of user browsing behavior.
Users inside an organization or enterprise need to retrieve information online or complete work tasks with online office systems, so the high frequency of users' web browsing behavior offers an avenue for insider threat detection. However, the small amount of existing web browsing behavior analysis work aimed at user behavior recognition ignores the dynamic variability of user browsing behavior and the relative consistency of user behavior within the same working group, which leads to a high false alarm rate in user behavior anomaly detection.
[1] Costa D.L., Albrethsen M.J., Collins M.L., et al.: An insider threat indicator ontology. Technical Report CMU/SEI. Pittsburgh, PA: SEI, Tech. Rep., 2016.
[2] Gu G.: BotSniffer: Detecting botnet command and control channels in network traffic. Annual Network and Distributed System Security Symposium, 2008.
[3] Strayer W.T., Walsh R., Livadas C., et al.: Detecting botnets with tight command and control. IEEE Conference on Local Computer Networks. IEEE, 2006.
[4] Strayer W.T., Lapsely D., Walsh R., et al.: Botnet detection based on network behavior. Botnet Detection. Springer, 2008, pp. 1-24.
[5] Al-Bataineh A. and White G.: Analysis and detection of malicious data exfiltration in web traffic. Malicious and Unwanted Software (MALWARE). IEEE, 2012.
[6] Eberle W., Graves J., and Holder L.: Insider threat detection using a graph-based approach. Journal of Applied Security Research, vol. 6, no. 1, pp. 32-81, 2010.
[7] Yen T.F.: Beehive: Large-scale log analysis for detecting suspicious activity in enterprise networks. Annual Computer Security Applications Conference, 2013.
[8] Ted E., Goldberg H.G., Memory A., et al.: Detecting insider threats in a real corporate database of computer usage activity. 19th ACM SIGKDD, 2013.
[9] Young W.T., Goldberg H.G., et al.: Use of domain knowledge to detect insider threats in computer activities. Security and Privacy Workshops (SPW), 2013.
[10] Tuor A.: Deep learning for unsupervised insider threat detection in structured cybersecurity data streams. AI for Cybersecurity Workshop at AAAI, 2017.
[11] Salem M.B., Hershkop S., Stolfo S.J.: A Survey of Insider Attack Detection Research. 2008.
[12] Pavan M. and Pelillo M.: A new graph-theoretic approach to clustering and segmentation. Proc. 2003 IEEE Comput. Soc. Conf. Comput. Vis. Pattern Recognit. (CVPR'03), vol. 1, pp. I-145-I-152, 2003.
[13] Hawalah A., Fasli M.: Dynamic user profiles for web personalisation. Expert Systems with Applications, vol. 42, no. 5, pp. 2547-2569, 2015.
[14] Radinsky K., Svore K., Dumais S., et al.: Modeling and predicting behavioral dynamics on the web. Proc. of the International Conference on World Wide Web, 2012.
[15] Yang Y.: Web user behavioral profiling for user identification. Decision Support Systems, vol. 49, no. 3, pp. 261-271, 2010.
[16] Fan X., Chow K., Xu F., et al.: Web User Profiling Based on Browsing Behavior Analysis. Advances in Digital Forensics X. Springer, 2014.
Summary of the invention
The technical problem solved by the present invention is to overcome the deficiencies of the prior art and provide an insider threat detection system and method based on dynamic web browsing behavior. The system comprehensively considers the dynamics of users' web browsing behavior and the consistency of user group behavior, which improves the detection accuracy of the system and reduces its false alarm rate. In addition, the system discovers the user group relationships in the organization or enterprise automatically with a graph clustering algorithm, which makes the system more intelligent and reduces the workload of labeling user groups manually.
The technical solution of the present invention is an insider threat detection system based on dynamic web browsing behavior, shown in Fig. 1, which includes a data collection part and an anomaly detection part. The anomaly detection part is responsible for the back-end parsing and analysis of the data transmitted by the data collection part. The data collection part includes a module that collects web browsing data from user hosts in the organization or enterprise and a data preprocessing and storage module. The anomaly detection part analyzes the collected user browsing behavior data and includes an individual user behavior anomaly detection module, a user group behavior anomaly detection module, and an information fusion and insider threat detection result output module. Each module is realized as follows:
Web browsing data collection module: an audit node is deployed on the hosts that need to be monitored in the organization or enterprise, including the hosts of important persons, to collect the host's web browsing data, that is, the online resources or systems accessed through the browser;
Data preprocessing and storage module: the raw web browsing data collected by the audit nodes is sent to a server and stored in the server's database. Because the raw data contains redundant data from repeated auditing and incomplete data with missing fields, the data needs to be filtered to extract the valid data, and the valid data after preprocessing is stored again in the database for the anomaly detection part to analyze;
Individual user behavior anomaly detection module: within an organization or enterprise, a user's tasks and interests change dynamically over time. The module extracts an individual's web browsing data from the server's database, builds a model of how the individual user's normal behavior changes using a power-law distribution, and assesses the anomaly degree of the individual user's behavior, that is, the anomaly score, by the degree to which the change in the user's browsing behavior deviates from the power-law distribution;
User group behavior anomaly detection module: because users in the same user group within an organization or enterprise perform similar work tasks or the same project, the behavior of an individual user, and the changes in it, are relatively consistent with the behavior of the other users in the user group. The module therefore assesses the user's anomaly degree with respect to user group behavior, that is, the anomaly score, by the degree to which the user's browsing behavior deviates from that of the other users in the user group. The module also builds the user relationship network of the organization or enterprise and extracts the user group relationships automatically with a graph clustering method, which reduces the workload of labeling user groups manually;
Information fusion module: because the behavior of users in the organization or enterprise has both individual dynamic variability and the relative consistency of user group behavior, the module fuses individual user behavior and user group behavior with a weighted linear model. Considering the anomaly of user behavior comprehensively by combining the anomaly degree of the individual user's behavior with the anomaly degree of the user group behavior can improve the detection accuracy and reduce the false alarm rate. The finally fused anomaly score is judged against a set threshold and the detected insider threats are output.
The web browsing data collection module is realized in the following steps:
(1) deploy audit nodes on the hosts that need to be monitored in the organization or enterprise, including the hosts of important persons;
(2) the audit node collects, in real time, the online resources or systems accessed by the user on the host through the browser; the audited data fields include the access time and the domain name;
(3) the audited raw web browsing data is sent to the server in real time.
The data preprocessing and storage module is realized in the following steps:
(1) the raw web browsing data sent in real time by the audit nodes is stored in the server's database;
(2) because an audit node may send the same browsing data repeatedly, duplicate redundant data is filtered out: for browsing data with the same access time point, only one data record is retained and the remaining records are deleted;
(3) incomplete data whose domain name field is missing is deleted from the raw data;
(4) each user's browsing data is sorted in time order;
(5) the sorted valid data is stored again in the database for the anomaly detection part to analyze.
The individual user behavior anomaly detection module is realized in the following steps:
(1) the preprocessed web browsing data of the individual user to be analyzed is extracted from the database;
(2) one day is preset as one time period, and the domain name field in the user's browsing data over all periods is numbered in time order, so that different domain names correspond to different numbers;
(3) because tasks and interests change, the user browses new domain names every day, where a new domain name is one that appears in a period for the first time compared with the preceding periods. The distribution of the user's domain name changes in normal browsing, that is, the function relating new domain names to time, is modeled with a power-law distribution;
(4) the user's browsing time period is denoted by t; the domain names of the first k periods, that is, the periods 1 ≤ t ≤ k, are used to learn the parameters of the power-law distribution function by least squares fitting;
(5) for a time period t to be detected, with t > k, the degree to which the number of domain names browsed by the user in period t deviates from the power-law distribution is computed to assess whether the change in the user's behavior is abnormal;
(6) the individual user behavior anomaly detection module outputs the anomaly degree of the individual user's behavior for each time period t to be detected.
The user group behavior anomaly detection module is realized in the following steps:
(1) the preprocessed web browsing data of all users is extracted from the database;
(2) a bipartite graph is constructed from the domain names browsed by all users in the first k periods: its vertices are all users and the browsed domain names, each edge connects one user to one domain name, and the edge weight is the number of times the user browsed the domain name;
(3) the bipartite graph is represented by an adjacency matrix whose elements are the frequency with which a user browses a domain name;
(4) the distance between each pair of users is calculated from the adjacency matrix;
(5) the distance between each pair of users is converted into a similarity between them;
(6) the user relationship network of the organization or enterprise is constructed: its vertices are all users, each edge connects two users, and the edge weight is the similarity between the two users;
(7) the user group relationships in the organization or enterprise are discovered automatically with a graph clustering algorithm, which reduces the workload of labeling user groups manually;
(8) because users in the same user group within an organization or enterprise perform similar tasks or the same project, the behavior of an individual user, and the changes in it, are relatively consistent with those of the other users in the user group. Using the domain names browsed by all users in the first k periods, the normal consistency between the user and the user group is quantified by comparing the difference between the domain names browsed by the user and the domain names browsed by the other users in the user group;
(9) for a time period t to be detected, with t > k, the difference between the domain names browsed by the user in period t and the domain names browsed by the other users in the user group is computed;
(10) the difference for the period t to be detected (t > k) is compared with the differences of the first k periods, and the degree to which the period-t difference deviates from them is assessed as the user's anomaly degree with respect to user group behavior;
(11) the user group behavior anomaly detection module outputs the user's behavior anomaly degree for each time period t to be detected.
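The following Python is an added worked example, not code from the patent, that runs steps (2) through (11) above end to end on constructed browsing data for five users over three periods with k = 2. The distance and similarity function (cosine similarity on the adjacency rows), the graph clustering (connected components over edges whose similarity is at least 0.5, a deliberately simple stand-in for the patent's graph clustering algorithm), and the set-difference measure (Jaccard distance between a user's domain set and the union of the other group members' domain sets) are all assumptions, since the patent does not name them.

```python
import math
from itertools import combinations

# Constructed browsing data: period -> user -> domains browsed in that period.
# Periods 1-2 are the training window (k = 2); in period 3 "alice", a developer,
# is made to browse the HR group's sites. All names and domains are invented.
PERIODS = {
    1: {"alice": ["code", "ci", "wiki"], "bob": ["code", "ci", "issues"],
        "erin": ["code", "ci", "wiki"], "carol": ["hr", "payroll"],
        "dave": ["hr", "payroll", "wiki"]},
    2: {"alice": ["code", "issues"], "bob": ["code", "ci"],
        "erin": ["code", "wiki", "issues"], "carol": ["hr", "cal"],
        "dave": ["hr", "payroll"]},
    3: {"alice": ["payroll", "hr", "salary"], "bob": ["code", "ci"],
        "erin": ["code", "ci", "wiki"], "carol": ["hr", "payroll"],
        "dave": ["hr", "cal"]},
}


def adjacency(periods, k):
    """Steps (2)-(3): user x domain browse counts over the first k periods
    (the adjacency matrix of the user-domain bipartite graph, stored sparsely)."""
    counts = {}
    for t in range(1, k + 1):
        for user, domains in periods[t].items():
            row = counts.setdefault(user, {})
            for d in domains:
                row[d] = row.get(d, 0) + 1
    return counts


def cosine_similarity(a, b):
    """Steps (4)-(5): distance between two adjacency rows expressed directly as a
    similarity in [0, 1] (assumption: the patent does not name its distance)."""
    dot = sum(a.get(d, 0) * b.get(d, 0) for d in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def discover_groups(counts, threshold=0.5):
    """Steps (6)-(7): build the similarity-weighted user relationship network and
    cluster it. Connected components over edges with similarity >= threshold
    stand in for the patent's graph clustering algorithm (assumption)."""
    users = sorted(counts)
    neighbours = {u: set() for u in users}
    for u, v in combinations(users, 2):
        if cosine_similarity(counts[u], counts[v]) >= threshold:
            neighbours[u].add(v)
            neighbours[v].add(u)
    groups, unseen = [], set(users)
    while unseen:
        stack = [unseen.pop()]
        component = set(stack)
        while stack:
            for w in neighbours[stack.pop()]:
                if w in unseen:
                    unseen.discard(w)
                    component.add(w)
                    stack.append(w)
        groups.append(frozenset(component))
    return groups


def jaccard_distance(a, b):
    """Difference between two domain sets: 0 = identical, 1 = disjoint."""
    union = a | b
    return 1.0 - len(a & b) / len(union) if union else 0.0


def group_anomaly_scores(periods, k, groups):
    """Steps (8)-(11): for each user, the period-t difference from the rest of
    its group minus the mean difference over the first k periods (baseline)."""
    group_of = {u: g for g in groups for u in g}
    scores = {}
    for user, g in group_of.items():
        def diff(t):
            others = set().union(*(periods[t].get(o, []) for o in g if o != user))
            return jaccard_distance(set(periods[t].get(user, [])), others)
        baseline = sum(diff(t) for t in range(1, k + 1)) / k
        scores[user] = {t: diff(t) - baseline for t in periods if t > k}
    return scores


if __name__ == "__main__":
    groups = discover_groups(adjacency(PERIODS, 2))
    print("groups:", [sorted(g) for g in groups])
    for user, per_period in group_anomaly_scores(PERIODS, 2, groups).items():
        print(user, per_period)
```

Note that the score compares a user against the union of the rest of the group, so in a two-member group each member mirrors the other's deviation; the three-member developer group in the sample is what lets "alice" stand out while "bob" stays near zero. Group size is therefore a parameter a deployment must check before trusting this score.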
The information fusion module is realized in the following steps:
(1) for the user u to be detected, the individual user behavior anomaly scores output by the individual user behavior anomaly detection module for the different time periods t to be detected are normalized;
(2) for the user u to be detected, the user behavior anomaly scores output by the user group behavior anomaly detection module for the different time periods t to be detected are normalized;
(3) because the behavior of users in the organization or enterprise has both individual dynamic variability and the relative consistency of user group behavior, the normalized anomaly score of the individual user's behavior and the normalized anomaly score of the user group behavior are fused with a weighted linear model, so that the anomaly of the user's behavior is considered comprehensively;
(4) for the user u to be detected, the finally fused anomaly score of each time period t to be detected is compared with the set threshold; if it exceeds the threshold, the system decides that the behavior of user u in period t is abnormal and outputs the detected anomaly, that is, the insider threat. Because the insider threat detection considers both individual user behavior and user group behavior, the detection accuracy of the system is improved and its false alarm rate is reduced.
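As an added example of the four fusion steps above (it is not the patent's code, and the same steps recur as module (5) and the information fusion step of the method below), the following Python normalizes the two per-period score series of one user, fuses them with a weighted linear model and applies a threshold. The score values, the min-max normalization, the weight of 0.6 on the individual score and the threshold of 0.6 are all constructed assumptions; the patent fixes none of them. A series with no spread is mapped to zero rather than dividing by zero.

```python
# Constructed per-period anomaly scores for one user u over the periods under
# test (t > k). "INDIVIDUAL_SCORES" stands for the output of the individual user
# module and "GROUP_SCORES" for the output of the user group module.
INDIVIDUAL_SCORES = {6: 0.04, 7: 1.14, 8: 0.30}
GROUP_SCORES = {6: 0.05, 7: 0.10, 8: 0.70}


def min_max_normalize(scores):
    """Steps (1)-(2): scale a user's scores to [0, 1] over the detected periods.
    Min-max scaling is an assumption; a constant series (no spread) maps to 0."""
    lo, hi = min(scores.values()), max(scores.values())
    if hi == lo:
        return {t: 0.0 for t in scores}
    return {t: (s - lo) / (hi - lo) for t, s in scores.items()}


def fuse(individual, group, weight=0.6):
    """Step (3): weighted linear fusion, `weight` on the individual score and
    (1 - weight) on the group score; the weight value is an assumption."""
    p, g = min_max_normalize(individual), min_max_normalize(group)
    return {t: weight * p[t] + (1 - weight) * g[t] for t in sorted(individual)}


def detect(individual, group, threshold=0.6, weight=0.6):
    """Step (4): return the periods whose fused score exceeds the threshold,
    together with the fused scores themselves."""
    fused = fuse(individual, group, weight)
    return [t for t, s in fused.items() if s > threshold], fused


if __name__ == "__main__":
    flagged, fused = detect(INDIVIDUAL_SCORES, GROUP_SCORES)
    print("fused scores:", fused)
    print("periods flagged as insider threat:", flagged)
```

In the sample, period 7 is flagged because its individual score dominates, while period 8, where only the group score is high, stays just under the threshold; moving the weight toward the group score flips that outcome, which is the trade-off the weight controls.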
The present invention also provides an insider threat detection method based on dynamic web browsing behavior, comprising a data collection part and an anomaly detection part. The data collection part includes a step of collecting web browsing data from user hosts in the organization or enterprise and a data preprocessing and storage step. The anomaly detection part analyzes the collected user browsing behavior data and includes an individual user behavior anomaly detection step, a user group behavior anomaly detection step, an information fusion step and an insider threat detection result output step, in which:
Web browsing data collection step: an audit node is deployed on the hosts that need to be monitored in the organization or enterprise, including the hosts of important persons, to collect the host's web browsing data, that is, the online resources or systems accessed through the browser;
Data preprocessing and storage step: the raw web browsing data collected by the audit nodes is sent to a server and stored in the server's database. Because the raw data contains redundant data from repeated auditing and incomplete data with missing fields, the data needs to be filtered to extract the valid data, and the valid data after preprocessing is stored again in the database for the anomaly detection part to analyze;
Individual user behavior anomaly detection step: within an organization or enterprise, a user's tasks and interests change dynamically over time. An individual's web browsing data is extracted from the server's database, a model of how the individual user's normal behavior changes is built using a power-law distribution, and the anomaly degree of the individual user's behavior, that is, the anomaly score, is assessed by the degree to which the change in the user's browsing behavior deviates from the power-law distribution;
User group behavior anomaly detection step: because users in the same user group within an organization or enterprise perform similar work tasks or the same project, the behavior of an individual user, and the changes in it, are relatively consistent with the behavior of the other users in the user group. The user's anomaly degree with respect to user group behavior, that is, the anomaly score, is therefore assessed by the degree to which the user's browsing behavior deviates from that of the other users in the user group. This step also builds the user relationship network of the organization or enterprise and extracts the user group relationships automatically with a graph clustering method, which reduces the workload of labeling user groups manually;
Information fusion step: because the behavior of users in the organization or enterprise has both individual dynamic variability and the relative consistency of user group behavior, individual user behavior and user group behavior are fused with a weighted linear model. Considering the anomaly of user behavior comprehensively by combining the anomaly degree of the individual user's behavior with the anomaly degree of the user group behavior can improve the detection accuracy and reduce the false alarm rate, and yields the finally fused anomaly score;
Insider threat detection result output step: the finally fused anomaly score is judged against the set threshold and the detected insider threats are output.
The advantages of the present invention over the prior art are as follows. Web browsing behavior directly or indirectly reflects some malicious network activities, such as data leakage and unauthorized access to the organization's online resources and information systems, so detecting abnormal web browsing behavior is a vital task in protecting the organization. (1) The present invention builds a dynamic user browsing behavior model with a power-law distribution, which describes individual user browsing behavior more accurately than existing analysis methods based on static user browsing behavior. (2) The present invention discovers user group relationships automatically with a graph-based clustering method, which reduces the workload of labeling user groups manually. (3) The present invention builds a user group behavior model, which gives a more complete view of user browsing behavior than existing user browsing behavior recognition methods. (4) The present invention considers the anomaly of user behavior comprehensively by combining individual user behavior with user group behavior, which can improve the detection accuracy and reduce the false alarm rate.
Description of the drawings
Fig. 1 is the block diagram of the system of the invention;
Fig. 2 shows the domain name access behavior of four users, a, b, c and d, in the present invention;
Fig. 3 shows the construction process of the user relationship network in the present invention.
Specific embodiment
The present invention is described in detail below with reference to the accompanying drawings and embodiments.
As shown in Fig. 1, the present invention includes a data collection part and an anomaly detection part. The anomaly detection part is responsible for the back-end parsing and analysis of the data transmitted by the data collection part. The data collection part includes a module that collects web browsing data from user hosts in the organization or enterprise and a data preprocessing and storage module. The anomaly detection part analyzes the collected user browsing behavior data and includes an individual user behavior anomaly detection module, a user group behavior anomaly detection module, and an information fusion and insider threat detection result output module.
(1) Web browsing data collection module: an audit node is deployed on the hosts that need to be monitored in the organization or enterprise, including the hosts of important persons, to collect the host's web browsing data, that is, the online resources or systems accessed through the browser;
(2) Data preprocessing and storage module: the raw web browsing data collected by the audit nodes is sent to a server and stored in the server's database. Because the raw data contains redundant data from repeated auditing and incomplete data with missing fields, the data needs to be filtered to extract the valid data, and the valid data after preprocessing is stored again in the database for the anomaly detection part to analyze;
(3) Individual user behavior anomaly detection module: within an organization or enterprise, a user's tasks and interests change dynamically over time. The module extracts an individual's web browsing data from the server's database, builds a model of how the individual user's normal behavior changes using a power-law distribution, and assesses the anomaly degree of the individual user's behavior, that is, the anomaly score, by the degree to which the change in the user's browsing behavior deviates from the power-law distribution;
(4) User group behavior anomaly detection module: because users in the same user group within an organization or enterprise perform similar tasks or the same project, the behavior of an individual user, and the changes in it, are relatively consistent with the behavior of the other users in the user group. The module therefore assesses the user's anomaly degree with respect to user group behavior, that is, the anomaly score, by the degree to which the user's browsing behavior deviates from that of the other users in the user group. The module also builds the user relationship network of the organization or enterprise and extracts the user group relationships automatically with a graph clustering method, which reduces the workload of labeling user groups manually;
(5) Information fusion module: because the behavior of users in the organization or enterprise has both individual dynamic variability and the relative consistency of user group behavior, the module fuses individual user behavior and user group behavior with a weighted linear model. Considering the anomaly of user behavior comprehensively by combining the anomaly degree of the individual user's behavior with the anomaly degree of the user group behavior can improve the detection accuracy and reduce the false alarm rate. The finally fused anomaly score is judged against a set threshold and the detected insider threats are output.
The five modules are described in detail below.
Step 1: web browsing data collection module
(1) deploy audit nodes on the hosts that need to be monitored in the organization or enterprise, including the hosts of important persons;
(2) the audit node collects, in real time, the online resources or systems accessed by the user on the host through the browser; the audited data fields are the access time, host number, user name and domain name;
(3) the audited raw web browsing data is sent to the server in real time.
Step 2: data preprocessing and storage module
(1) the raw web browsing data sent in real time by the audit nodes is stored in the server's database;
(2) because an audit node may send the same browsing data repeatedly, duplicate redundant data is filtered out: for identical browsing data at the same time point, only one data record is retained and the remaining records are deleted;
(3) the raw data contains four fields, access time, host number, user name and domain name; incomplete data with any field missing is deleted from the raw data;
(4) the browsing data of the same user name under the same host number is treated as the browsing data of one individual user, and that user's web browsing data is sorted in time order;
(5) the sorted valid data is stored again in the database for the anomaly detection part to analyze.
Step 3: Individual user abnormal behavior detection module
(1) First, the preprocessed web browsing data of four users is selected from the database;
(2) One day is preset as one period. The domain name field in the browsing data of each user over all periods is numbered in chronological order of first appearance; different domain names receive different numbers;
(3) The different domain names accessed by each person every day are visualized in Fig. 2. The horizontal axis indicates the period and the vertical axis indicates the different domain names the user accessed in that period, each represented by its domain name number, i.e. the domain name sequence number. Fig. 2 shows that users browse new domain names every day, a new domain name being one that first appears in a period and was not seen in any earlier period;
(4) Because tasks and interests change, a user browses new domain names every day. The present invention uses a power distribution to model the change in the domain names a user normally browses, i.e. the relation between new domain names and time. Let the browsing periods of the user be indexed by t; the domain name distribution accessed by the user in the t-th period is then formalized as the function:
f(t) = α·t^γ + b    (1)
The function f(·) is the power distribution function describing how the domain names accessed by an individual user change over time. Substituting a period t gives f(t), the domain name (domain name number) distribution accessed by the user in the t-th period; α, γ and b are the parameters of the power distribution function;
(5) Using the domain name data browsed by the user in the preceding k periods, i.e. the periods 1 ≤ t ≤ k, the power distribution function is fitted by least squares to obtain the values of the parameters α, γ and b. The least-squares fitting is formalized as follows:
where y(t) is the domain name (domain name number) actually accessed by the user in the t-th period and f(t) is the domain name (domain name number) that the user normally accesses in the t-th period under the power distribution;
(6) For a period t to be detected (t > k), the degree to which the domain name number browsed by the user in period t deviates from the power distribution is compared in order to assess the abnormality of the change in the user's behavior, that is:
z_t is the individual user abnormal behavior score (degree of abnormality) for the t-th period, where y(t) is the domain name (domain name number) actually accessed by the user in the t-th period and f(t) is the domain name the user normally accesses in the t-th period under the power distribution. The larger the deviation between the actually accessed domain name and the predicted one, the more abnormal the user's behavior. Since malicious activity generally requires access to new resources, if the actually accessed domain name is close to the predicted one, or has been visited before, the user's behavior is regarded as normal;
(7) The individual user abnormal behavior detection module outputs the individual abnormal behavior degree (abnormal score) of each period t to be detected. If the user has n periods, the abnormal scores form the vector Z = (z_t)_{1×(n−k)}, k < t ≤ n, where [k, n] is the interval of periods to be detected;
(8) Individual user abnormal behavior detection is run for every user in the database and the abnormal score vector of each user is output.
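The fitting and scoring of Step 3, as an added worked example in Python (not code from the patent): the browsing log is constructed, and the choice of y(t) as the cumulative distinct-domain count, the relative-deviation form of z_t and the grid-based least-squares fit are assumptions stated in the docstring.

```python
"""Individual browsing-behaviour detector (Step 3), added as an illustration;
it is not code from the patent.

Assumptions the patent leaves open: y(t) is taken as the highest domain name
number seen through period t, i.e. the count of distinct domains browsed so far;
the deviation score is z_t = |y(t) - f(t)| / max(f(t), 1) (the patent only says
z_t grows with the gap between actual and predicted domain numbers); least
squares is done by scanning gamma over a grid and solving alpha and b in closed
form, since f(t) = alpha * t**gamma + b is linear in alpha and b for fixed gamma.
"""

# Constructed per-day browsing log of one user (period = one day); names made up.
USER_LOG = {
    1: ["mail.example", "wiki.example", "git.example", "chat.example"],
    2: ["mail.example", "git.example", "ci.example", "docs.example"],
    3: ["mail.example", "wiki.example", "issues.example"],
    4: ["git.example", "ci.example", "cal.example"],
    5: ["mail.example", "hr.example"],
    6: ["mail.example", "git.example"],
    7: ["wiki.example", "design.example"],
    8: ["git.example", "ci.example"],
    9: ["mail.example", "release.example"],
    10: ["docs.example", "chat.example"],
    11: ["mail.example", "git.example"],                               # nothing new
    12: ["mail.example"] + ["share%d.example" % i for i in range(9)],  # 9 new domains
}


def cumulative_domain_counts(log):
    """y(t) for t = 1..n: number of distinct domains seen through period t
    (equivalently, the highest domain number assigned so far)."""
    seen, y = set(), []
    for day in sorted(log):
        seen.update(log[day])
        y.append(len(seen))
    return y


def _linear_fit(xs, ys):
    """Closed-form least squares for ys ~ alpha * xs + b; returns (alpha, b, sse)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    if sxx == 0:
        return None
    alpha = sum((x - mx) * (yy - my) for x, yy in zip(xs, ys)) / sxx
    b = my - alpha * mx
    sse = sum((alpha * x + b - yy) ** 2 for x, yy in zip(xs, ys))
    return alpha, b, sse


def fit_power(y, k, gammas=None):
    """Fit f(t) = alpha * t**gamma + b to the training periods 1..k by least
    squares. Returns (alpha, gamma, b)."""
    gammas = gammas or [i / 100 for i in range(1, 201)]   # 0.01 .. 2.00
    ts, ys = range(1, k + 1), y[:k]
    best = None
    for g in gammas:
        fit = _linear_fit([t ** g for t in ts], ys)
        if fit and (best is None or fit[2] < best[0]):
            best = (fit[2], fit[0], g, fit[1])
    return best[1], best[2], best[3]


def predict(params, t):
    alpha, gamma, b = params
    return alpha * t ** gamma + b


def anomaly_scores(y, k):
    """z_t for every detection period t = k+1..n: relative gap between the
    observed and the predicted domain number."""
    params = fit_power(y, k)
    return {t: abs(y[t - 1] - predict(params, t)) / max(predict(params, t), 1.0)
            for t in range(k + 1, len(y) + 1)}


if __name__ == "__main__":
    y = cumulative_domain_counts(USER_LOG)
    for t, z in anomaly_scores(y, k=10).items():
        print("period %d: y=%d z=%.2f" % (t, y[t - 1], z))
```

Period 12, where nine never-seen domains appear at once, scores far above period 11, where nothing new is browsed.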
Step 4: User group abnormal behavior detection module
Users inside an organization or enterprise are not isolated: users in the same user group perform similar tasks or the same projects, so changes in an individual user's behavior are relatively consistent with the behavior of the other users in the group. The abnormal score (degree of abnormality) of a user's behavior is therefore assessed from how far it deviates from the behavior of the user group.
(1) The preprocessed web browsing data of all users is extracted from the database;
(2) A bipartite graph is constructed from the domain names browsed by all users in the preceding k periods; see Fig. 3 for its construction. The vertices of the bipartite graph are all users and the browsed domain names, i.e. the user set and the domain name set. If a user has accessed a domain name, the user and the domain name are connected by an edge whose weight is the number of times the user browsed that domain name;
(3) The bipartite graph is represented by an adjacency matrix B; its construction is shown in Fig. 3. The matrix elements are:
where count(<u_j, r_g, time, pc>) is the number of times user u_j accessed domain name r_g on the host with host number pc within period t, with access time time ∈ t. The adjacency matrix B summarizes how often users accessed domain names over a period of time;
(4) The distance between users is computed from the adjacency matrix B. The distances between all pairs of users can be expressed as the symmetric matrix D = (d_ij):
d_ij is the distance between user u_i ∈ U and user u_j ∈ U;
(5) The distance between users is converted into a similarity between users with a Gaussian kernel; the similarities between all pairs of users can be expressed as the similarity matrix A = (a_ij):
a_ij is the similarity between user u_i ∈ U and user u_j ∈ U; it is negatively correlated with the distance between the users. σ is the variance of the distances between users;
(6) The user relationship network of the organization or enterprise is constructed; its construction is shown in Fig. 3. The vertices of the network are all users, an edge connects two users, and the edge weight is the similarity between the two users. Formally the network is G = (U, O, λ), where U is the set of all users, O the edge set and λ a positive weight function. The edge weights form the l × l symmetric similarity matrix A = (a_ij);
(7) User group relationships in the organization or enterprise are discovered automatically with a graph clustering algorithm, which reduces the work of labelling user groups by hand. For automatic mining of user groups the graph clustering algorithm of [12] is used. For a user subset S, a user u_i ∈ S and a user u_j, the relative similarity between users u_i and u_j is computed:
Further, the global similarity between user u_i and S \ {u_i} is computed:
Different users are assigned to the same user group according to the following two conditions:
1) for all u_i ∈ S
2) for all
(8) Because users in the same user group in an organization or enterprise perform similar tasks or the same projects, changes in an individual user's behavior are relatively consistent with the behavior of the other users in the group. Using the domain names browsed by all users in the preceding k periods, the consistency of the user's normal behavior with the user group is quantified by comparing the difference between the domain names browsed by the user and those browsed by the other users in the user group. For a period t to be detected (t > k), the difference between the domain names browsed by the user in period t and those browsed by the other users in the group is compared. This period-t difference is then compared with the differences of the preceding k periods, and the degree by which the period-t difference deviates assesses the user's degree of abnormality (abnormal score) with respect to the group behavior. This is formalized as:
z'_t is the user group abnormal behavior score (degree of abnormality) for the t-th period, where s is a user group obtained in step (7), the two distance terms are the distances between user u_i ∈ U and user u_p ∈ U, i.e. the distances of step (4), and k denotes the preceding k periods;
(9) The user group abnormal behavior detection module outputs the user behavior abnormality degree (abnormal score) of each period t to be detected. If the user has n periods, the abnormal scores form the vector Z' = (z'_t)_{1×(n−k)}, k < t ≤ n, where [k, n] is the interval of periods to be detected.
Step 5: Information fusion module
(1) For the user u ∈ U to be detected, normalize the individual abnormal behavior scores of the periods t to be detected output by the individual user abnormal behavior detection module:
(2) For the user u ∈ U to be detected, normalize the user behavior abnormal scores of the periods t to be detected output by the user group abnormal behavior detection module:
(3) Because the behavior of users in an organization or enterprise has both individual dynamic variability and relative consistency with the user group, the normalized abnormal score of individual behavior and the normalized abnormal score of group behavior are fused with a weighted linear model, so that the abnormality of user behavior is considered comprehensively:
h_t = (1 − w)·a_t + w·a'_t
h_t is the final abnormal score (degree of abnormality) of the user's behavior in the t-th period, i.e. the final fusion result, where w ∈ [0, 1] is a weight factor that balances individual user abnormal behavior detection against user group abnormal behavior detection. When w = 1 only user group abnormal behavior detection is present; when w = 0 only individual user abnormal behavior detection is present.
(4) If the user u to be detected has n periods, the final abnormal scores of the periods t to be detected are expressed as the vector H = (h_t)_{1×(n−k)}, k < t ≤ n, where [k, n] is the interval of periods to be detected.
(5) For the user u to be detected, the final fused abnormal score of each period t to be detected, i.e. each element of H, is compared with the set threshold. If it exceeds the threshold, the system judges that the behavior of user u in period t is abnormal and outputs the detected anomaly, i.e. the insider threat. The preset threshold is the upper bound of the interval containing 80% of the abnormal scores of the periods to be detected. For example, if 80% of the abnormal scores of the periods to be detected lie in [0, 0.85], the threshold is set to 0.85, and a period to be detected with an abnormal score greater than 0.85 is abnormal.
(6) Anomaly detection by information fusion is performed for all users in the database and all detected anomalies are output. Because the insider threat detection considers both individual user behavior and user group behavior, the system's detection accuracy is improved and its false alarm rate is reduced.
The above embodiments are provided only to describe the purpose of the present invention and are not intended to limit its scope. The scope of the invention is defined by the following claims. Equivalent replacements and modifications made without departing from the spirit and principles of the present invention are all covered within the scope of the present invention.
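Steps 4 and 5 as one added Python example (not the patent's code): adjacency rows, Gaussian similarity, a connected-components stand-in for the clustering of [12], the group score z'_t, and the fusion h_t with the 80th-percentile threshold. The log is constructed, and the distance metric, the grouping rule, the form of z'_t and the normalization are assumptions listed in the docstring.

```python
"""Group-consistency detector (Step 4) and score fusion/thresholding (Step 5).
Added illustration, not code from the patent. Assumptions where the patent is
silent or refers to [12]: d_ij is the Euclidean distance between rows of the
adjacency matrix B; a_ij = exp(-d_ij**2 / (2*sigma**2)) with sigma the standard
deviation of the pairwise distances; groups are connected components of the
similarity graph after cutting edges below SIM_THRESHOLD (stand-in for the
clustering of [12]); z'_t is the mean distance from the other group members in
period t minus its average over the k training periods; scores are min-max
normalised and the threshold is the interpolated 80th percentile of h_t.
"""
import math
from collections import Counter
from itertools import combinations

K = 3                # training periods 1..K; periods K+1..n are detected
SIM_THRESHOLD = 0.5  # assumed similarity cut for grouping

# Constructed browsing log: user -> period -> visited domains (all names made up).
DEV = ["git.example", "ci.example", "wiki.example"]
FIN = ["erp.example", "bank.example"]
LOG = {
    "alice": {1: DEV, 2: DEV + ["git.example"], 3: DEV, 4: DEV + ["wiki.example"],
              5: DEV, 6: ["paste.example", "upload.example", "anon.example"]},
    "bob":   {p: DEV for p in range(1, 7)},
    "carol": {p: DEV + (["ci.example"] if p <= 2 else []) for p in range(1, 7)},
    "dave":  {p: FIN for p in range(1, 7)},
}


def domain_counts(log, user, periods):
    """One row of B: how often the user visited each domain over the given periods."""
    row = Counter()
    for p in periods:
        row.update(log[user].get(p, []))
    return row


def euclid(row_a, row_b):
    keys = set(row_a) | set(row_b)
    return math.sqrt(sum((row_a[k] - row_b[k]) ** 2 for k in keys))


def similarity_matrix(log, users, k):
    """Distance matrix D and Gaussian-kernel similarity matrix A, both as dicts
    keyed by (user, user), built from the training periods 1..k."""
    rows = {u: domain_counts(log, u, range(1, k + 1)) for u in users}
    d = {(u, v): euclid(rows[u], rows[v]) for u in users for v in users}
    pair_dists = [d[u, v] for u, v in combinations(users, 2)]
    mean = sum(pair_dists) / len(pair_dists)
    sigma = math.sqrt(sum((x - mean) ** 2 for x in pair_dists) / len(pair_dists)) or 1.0
    a = {uv: math.exp(-dist ** 2 / (2 * sigma ** 2)) for uv, dist in d.items()}
    return d, a


def user_groups(users, a, threshold=SIM_THRESHOLD):
    """Connected components of the relationship network, keeping edges a_ij >= threshold."""
    groups, assigned = [], set()
    for u in users:
        if u in assigned:
            continue
        group, stack = set(), [u]
        while stack:
            x = stack.pop()
            group.add(x)
            stack.extend(v for v in users
                         if v not in group and v not in stack and a[x, v] >= threshold)
        assigned |= group
        groups.append(group)
    return groups


def group_score(log, user, group, t, k):
    """z'_t: divergence of the user's period-t browsing from the other group
    members, relative to the divergence seen over the k training periods."""
    others = [v for v in group if v != user]
    if not others:
        return 0.0

    def mean_dist(p):
        row = domain_counts(log, user, [p])
        return sum(euclid(row, domain_counts(log, v, [p])) for v in others) / len(others)

    baseline = sum(mean_dist(p) for p in range(1, k + 1)) / k
    return mean_dist(t) - baseline


def minmax(xs):
    lo, hi = min(xs), max(xs)
    return [(x - lo) / (hi - lo) if hi > lo else 0.0 for x in xs]


def fuse_and_flag(personal, group, w=0.5, q=0.8):
    """h_t = (1-w)*a_t + w*a'_t on min-max normalised scores; flags the detection
    periods (by index) whose h_t exceeds the interpolated q-quantile threshold."""
    h = [(1 - w) * x + w * y for x, y in zip(minmax(personal), minmax(group))]
    s, pos = sorted(h), q * (len(h) - 1)
    lo = int(pos)
    threshold = s[lo] + (s[min(lo + 1, len(s) - 1)] - s[lo]) * (pos - lo)
    return h, threshold, [i for i, v in enumerate(h) if v > threshold]


if __name__ == "__main__":
    users = list(LOG)
    groups = user_groups(users, similarity_matrix(LOG, users, K)[1])
    grp = next(g for g in groups if "alice" in g)
    zg = [group_score(LOG, "alice", grp, t, K) for t in range(K + 1, 7)]
    h, thr, flagged = fuse_and_flag([0.05, 0.03, 0.70], zg)  # personal scores constructed
    print(groups, flagged, "threshold %.2f" % thr)
```

Alice, Bob and Carol land in one group and Dave in another; Alice's period 6, where she leaves the group's shared domains for three new ones, is the only period above the threshold.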

Claims (7)

1. An insider threat detection system based on dynamic web browsing behavior, characterized in that the system comprises a data collection part and an anomaly detection part; the data collection part comprises a web browsing data acquisition module for user hosts in an organization or enterprise and a data preprocessing and storage module; the anomaly detection part analyzes the collected user browsing behavior data and comprises an individual user abnormal behavior detection module, a user group abnormal behavior detection module, an information fusion module and an insider threat detection result output module, wherein:
the web browsing data acquisition module deploys audit nodes on the hosts of the organization or enterprise that need to be monitored, such as those of key personnel, and collects the online resources or systems accessed through the browser, for acquiring the web browsing data of the host;
the data preprocessing and storage module sends the raw web browsing data collected by the audit nodes to the server and stores the data in the server database; because the raw data contains redundant data from repeated audits and incomplete data with missing fields, the data is filtered to extract valid data, and the preprocessed valid data is stored back in the database for the anomaly detection to analyze;
the individual user abnormal behavior detection module: inside an organization or enterprise a user's tasks and interests change dynamically over time; the module extracts individual web browsing data from the server database, establishes a model of the change in the individual user's normal behavior with a power distribution, and assesses the degree of abnormality of the individual user's behavior, i.e. the abnormal score, from the degree to which the change in the individual user's browsing behavior deviates from the power distribution;
the user group abnormal behavior detection module: because users in the same user group within an organization or enterprise perform similar tasks or the same projects, changes in an individual user's behavior are relatively consistent with the behavior of the other users in that group; the module therefore assesses the user's degree of abnormality with respect to the group behavior, i.e. the abnormal score, from how far the user's browsing behavior deviates from that of the other users in the group; the module also builds the user relationship network of the organization or enterprise and uses a graph clustering method to extract user groups automatically, which reduces the work of labelling user groups by hand;
the information fusion module: the behavior of users in an organization or enterprise has both individual dynamic variability and relative consistency with the user group; individual user behavior and user group behavior are fused with a weighted linear model, and considering the abnormality of individual behavior together with the abnormality of group behavior improves detection accuracy and reduces the false alarm rate, yielding the final fused abnormal score;
the insider threat detection result output module compares the final fused abnormal score with a set threshold and outputs the detected insider threats.
2. The insider threat detection system based on dynamic web browsing behavior according to claim 1, characterized in that the web browsing data acquisition module is implemented by the following steps:
(1) deploy audit nodes on the hosts of the organization or enterprise that need to be monitored, such as those of key personnel;
(2) the audit node collects, in real time, the online resources or systems that users on the host access through the browser; the audited data fields include access time and domain name;
(3) the audited raw web browsing data is sent to the server in real time.
3. The insider threat detection system based on dynamic web browsing behavior according to claim 1, characterized in that the data preprocessing and storage module is implemented by the following steps:
(1) the raw web browsing data sent in real time by the audit nodes is stored in the server database;
(2) because an audit node may send the same browsing data more than once, duplicate redundant data is filtered out: for browsing records with the same access time point only one record is kept and the rest are deleted;
(3) incomplete records in the raw data whose domain name field is missing are deleted;
(4) the browsing data of each user is sorted in chronological order;
(5) the sorted valid data is stored back in the database for the anomaly detection to analyze.
4. The insider threat detection system based on dynamic web browsing behavior according to claim 1, characterized in that the individual user abnormal behavior detection module is implemented by the following steps:
(1) the preprocessed web browsing data of the individual user to be analyzed is extracted from the database;
(2) one day is preset as one period, and the domain name field in the user's browsing data over all periods is numbered in chronological order, different domain names receiving different numbers;
(3) because tasks and interests change, the user browses new domain names every day, a new domain name being one that first appears in a period and was not seen in any earlier period; a power distribution is used to model the change in the domain names the user normally browses, i.e. the relation between new domain names and time;
(4) the browsing periods of the user are indexed by t; the domain names of the preceding k periods, i.e. the periods 1 ≤ t ≤ k, are used to fit the power distribution function by least squares and learn its parameters;
(5) for a period t to be detected, t > k, the degree to which the domain name number browsed by the user in period t deviates from the power distribution is compared to assess the abnormality of the change in the user's behavior;
(6) the individual user abnormal behavior detection module outputs the individual abnormal behavior degree of each period t to be detected.
5. The insider threat detection system based on dynamic web browsing behavior according to claim 1, characterized in that the user group abnormal behavior detection module is implemented by the following steps:
(1) the preprocessed web browsing data of all users is extracted from the database;
(2) a bipartite graph is constructed from the domain names browsed by all users in the preceding k periods; the vertices of the bipartite graph are all users and the browsed domain names, an edge connects a user and a domain name, and the edge weight is the number of times the user browsed that domain name;
(3) the bipartite graph is represented by an adjacency matrix whose elements are the frequency with which a user browses a domain name;
(4) the distance between users is computed from the adjacency matrix;
(5) the distance between users is converted into a similarity between users;
(6) the user relationship network of the organization or enterprise is constructed; its vertices are all users, an edge connects two users, and the edge weight is the similarity between the two users;
(7) user group relationships in the organization or enterprise are discovered automatically with a graph clustering algorithm, which reduces the work of labelling user groups by hand;
(8) because users in the same user group within an organization or enterprise perform similar tasks or the same projects, changes in an individual user's behavior are relatively consistent with the behavior of the other users in that group; using the domain names browsed by all users in the preceding k periods, the consistency of the user's normal behavior with the user group is quantified by comparing the difference between the domain names browsed by the user and those browsed by the other users in the group;
(9) for a period t to be detected, t > k, the difference between the domain names browsed by the user in period t and those browsed by the other users in the group is compared;
(10) the difference of period t is compared with the differences of the preceding k periods, and the degree by which the period-t difference deviates assesses the user's degree of abnormality with respect to the group behavior;
(11) the user group abnormal behavior detection module outputs the user behavior abnormality degree of each period t to be detected.
6. The insider threat detection system based on dynamic web browsing behavior according to claim 1, characterized in that the information fusion module is implemented by the following steps:
(1) for the user u to be detected, the individual abnormal behavior scores of the periods t to be detected output by the individual user abnormal behavior detection module are normalized;
(2) for the user u to be detected, the user behavior abnormal scores of the periods t to be detected output by the user group abnormal behavior detection module are normalized;
(3) because the behavior of users in an organization or enterprise has both individual dynamic variability and relative consistency with the user group, the normalized abnormal score of individual behavior and the normalized abnormal score of group behavior are fused with a weighted linear model, so that the abnormality of user behavior is considered comprehensively;
(4) for the user u to be detected, the final fused abnormal score of each period t to be detected is compared with the set threshold; if it exceeds the threshold, the system judges that the behavior of user u in period t is abnormal and outputs the detected anomaly, i.e. the insider threat.
7. An insider threat detection method based on dynamic web browsing behavior, characterized in that it comprises a data collection part and an anomaly detection part; the data collection part comprises a step of acquiring web browsing data from user hosts in an organization or enterprise and a data preprocessing and storage step; the anomaly detection part analyzes the collected user browsing behavior data and comprises an individual user abnormal behavior detection step, a user group abnormal behavior detection step, an information fusion step and an insider threat detection result output step, wherein:
the web browsing data acquisition step deploys audit nodes on the hosts of the organization or enterprise that need to be monitored, such as those of key personnel, and collects the online resources or systems accessed through the browser, for acquiring the web browsing data of the host;
the data preprocessing and storage step sends the raw web browsing data collected by the audit nodes to the server and stores the data in the server database; because the raw data contains redundant data from repeated audits and incomplete data with missing fields, the data is filtered to extract valid data, and the preprocessed valid data is stored back in the database for the anomaly detection to analyze;
the individual user abnormal behavior detection step: inside an organization or enterprise a user's tasks and interests change dynamically over time; individual web browsing data is extracted from the server database, a model of the change in the individual user's normal behavior is established with a power distribution, and the degree of abnormality of the individual user's behavior, i.e. the abnormal score, is assessed from the degree to which the change in the individual user's browsing behavior deviates from the power distribution;
the user group abnormal behavior detection step: because users in the same user group within an organization or enterprise perform similar tasks or the same projects, changes in an individual user's behavior are relatively consistent with the behavior of the other users in that group; the user's degree of abnormality with respect to the group behavior, i.e. the abnormal score, is therefore assessed from how far the user's browsing behavior deviates from that of the other users in the group; this step also builds the user relationship network of the organization or enterprise and uses a graph clustering method to extract user groups automatically, which reduces the work of labelling user groups by hand;
the information fusion step: because the behavior of users in an organization or enterprise has both individual dynamic variability and relative consistency with the user group, individual user behavior and user group behavior are fused with a weighted linear model; considering the abnormality of individual behavior together with the abnormality of group behavior improves detection accuracy and reduces the false alarm rate, yielding the final fused abnormal score;
the insider threat detection result output step compares the final fused abnormal score with a set threshold and outputs the detected insider threats.
CN201910384493.6A 2019-05-09 2019-05-09 Internal threat detection system and method based on dynamic web browsing behavior Active CN110138763B (en)

Publications (2)

Publication Number Publication Date
CN110138763A true CN110138763A (en) 2019-08-16
CN110138763B CN110138763B (en) 2020-12-11

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493264A (en) * 2019-09-18 2019-11-22 北京工业大学 It is a kind of that method is found based on the inside threat of Intranet entity relationship and behavioral chain
CN111131314A (en) * 2019-12-31 2020-05-08 奇安信科技集团股份有限公司 Network behavior detection method and device, computer equipment and storage medium
CN111177714A (en) * 2019-12-19 2020-05-19 未鲲(上海)科技服务有限公司 Abnormal behavior detection method and device, computer equipment and storage medium
CN111865941A (en) * 2020-07-03 2020-10-30 北京天空卫士网络安全技术有限公司 Abnormal behavior identification method and device
WO2021077642A1 (en) * 2019-10-24 2021-04-29 中国科学院信息工程研究所 Network space security threat detection method and system based on heterogeneous graph embedding
CN114826712A (en) * 2022-04-15 2022-07-29 中国农业银行股份有限公司 Malicious domain name detection method and device and electronic equipment
CN117668844A (en) * 2024-01-30 2024-03-08 浙江御安信息技术有限公司 Threat file detection system based on information security

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160261621A1 (en) * 2015-03-02 2016-09-08 Verizon Patent And Licensing Inc. Network threat detection and management system based on user behavior information
US20170230391A1 (en) * 2016-02-09 2017-08-10 Darktrace Limited Cyber security
CN107579956A (en) * 2017-08-07 2018-01-12 北京奇安信科技有限公司 The detection method and device of a kind of user behavior
CN107846389A (en) * 2016-09-21 2018-03-27 中国科学院信息工程研究所 Inside threat detection method and system based on the subjective and objective data fusion of user
CN108063776A (en) * 2018-02-26 2018-05-22 重庆邮电大学 Inside threat detection method based on cross-domain behavioural analysis
US20180219890A1 (en) * 2017-02-01 2018-08-02 Cisco Technology, Inc. Identifying a security threat to a web-based resource
CN108388969A (en) * 2018-03-21 2018-08-10 北京理工大学 Inside threat personage's Risk Forecast Method based on personal behavior temporal aspect
CN108616545A (en) * 2018-06-26 2018-10-02 中国科学院信息工程研究所 A kind of detection method, system and electronic equipment that network internal threatens
CN108881194A (en) * 2018-06-07 2018-11-23 郑州信大先进技术研究院 Enterprises user anomaly detection method and device
US20180359270A1 (en) * 2017-06-12 2018-12-13 International Business Machines Corporation Clustering for Detection of Anomalous Behavior and Insider Threat
US20180375883A1 (en) * 2017-06-21 2018-12-27 Symantec Corporation Automatically detecting insider threats using user collaboration patterns
CN109120592A (en) * 2018-07-09 2019-01-01 四川大学 A kind of Web abnormality detection system based on user behavior
US20190028504A1 (en) * 2017-07-18 2019-01-24 Imperva, Inc. Insider threat detection utilizing user group data object access analysis
US20190044963A1 (en) * 2017-08-02 2019-02-07 Code 42 Software, Inc. User behavior analytics for insider threat detection
CN109636688A (en) * 2018-12-11 2019-04-16 武汉文都创新教育研究院(有限合伙) A kind of students ' behavior analysis system based on big data

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
杨秀璋等: "《Python 网络数据爬取及分析从入门到精通 分析篇》", 30 June 2018, 北京航空航天大学出版社 *
米雪等: "基于网页浏览行为的分析", 《上海理工大学学报》 *

Camiña et al. Towards building a masquerade detection method based on user file system navigation
Phua et al. On the communal analysis suspicion scoring for identity crime in streaming credit applications
Chimphlee et al. A rough-fuzzy hybrid algorithm for computer intrusion detection
Yang et al. [Retracted] Computer User Behavior Anomaly Detection Based on K‐Means Algorithm
Zhu et al. Bs-net: A behavior sequence network for insider threat detection
Qi et al. Privacy preserving via interval covering based subclass division and manifold learning based bi-directional obfuscation for effort estimation
Grushka-Cohen et al. Sampling high throughput data for anomaly detection of data-base activity
Shin et al. An alert data mining framework for network-based intrusion detection system
Yue et al. An unsupervised-learning based method for detecting groups of malicious Web crawlers in Internet
Ahmad et al. Hybrid intrusion detection method to increase anomaly detection by using data mining techniques
Phua et al. On the approximate communal fraud scoring of credit applications
Adeyiga et al. Profiling Internet Users’ Activities using Fuzzy C-Means Algorithm
Caruso et al. A data mining methodology for anomaly detection in network data
Tinguriya et al. Detecting terror-related activities on the web using neural network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant