CN111797978A - Internal threat detection method and device, electronic equipment and storage medium - Google Patents

Internal threat detection method and device, electronic equipment and storage medium

Info

Publication number
CN111797978A
Authority
CN
China
Prior art keywords
output vector
detection model
detection
vector
detection result
Prior art date
Legal status
Pending
Application number
CN202010654359.6A
Other languages
Chinese (zh)
Inventor
黄娜
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202010654359.6A
Publication of CN111797978A
Legal status: Pending

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/04 Architecture, e.g. interconnection topology > G06N3/045 Combinations of networks
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/04 Architecture, e.g. interconnection topology > G06N3/047 Probabilistic or stochastic networks
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/04 Architecture, e.g. interconnection topology > G06N3/049 Temporal neural networks, e.g. delay elements, oscillating neurons or pulsed inputs
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N3/00 Computing arrangements based on biological models > G06N3/02 Neural networks > G06N3/08 Learning methods

Abstract

The application provides an internal threat detection method, an internal threat detection device, electronic equipment and a storage medium. The method comprises the following steps: acquiring a plurality of pieces of user log data of a user terminal to be detected, and performing feature extraction on the user log data to obtain corresponding feature vectors; inputting the feature vectors into a pre-constructed detection model to obtain a detection result output by the detection model; the detection model is formed by a long short-term memory (LSTM) artificial neural network that includes an attention mechanism; and the detection result is used to represent whether the user to be detected exhibits internal threat behavior. According to the embodiment of the application, the user log data are analyzed by a detection model formed by a neural network that includes an attention mechanism, so that whether the user exhibits internal threat behavior is judged; because the attention mechanism distributes weights over the intermediate outputs, the model can pick out useful information, and the detection accuracy is improved.

Description

Internal threat detection method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to a method and an apparatus for detecting an internal threat, an electronic device, and a storage medium.
Background
An internal threat is an action initiated by internal personnel, or by an external attacker disguised as internal personnel, that creates a security hazard for an enterprise or organization; such actions can be summarized into three types: system or data corruption, data theft, and resource abuse. Because internal personnel hold legitimate permissions and have convenient access, the malicious behavior they initiate often causes greater loss than an external attack, and internal threats are a security problem that financial institutions and similar organizations must take into account.
The data source for internal threat detection is a series of behavior logs of the user. In the prior art, internal threat detection can be performed with a Long Short-Term Memory artificial neural network (LSTM), but because user log data are varied, detection accuracy is low when an LSTM network alone is used.
Disclosure of Invention
An object of the embodiments of the present application is to provide an internal threat detection method, an internal threat detection device, an electronic apparatus, and a storage medium, so as to improve accuracy of internal threat detection.
In a first aspect, an embodiment of the present application provides an internal threat detection method, including: acquiring a plurality of pieces of user log data of a user terminal to be detected, and performing feature extraction on the user log data to obtain corresponding feature vectors; inputting the feature vectors into a pre-constructed detection model to obtain a detection result output by the detection model; the detection model is composed of a neural network comprising an attention mechanism module, and the attention mechanism module is used for distributing weights over an intermediate output vector in the neural network; and the detection result is used to represent whether the user to be detected exhibits internal threat behavior.
According to the embodiment of the application, the user log data are analyzed through the detection model formed by the neural network comprising the attention mechanism, so that whether the user has an internal threat behavior or not is judged, and the neural network comprising the attention mechanism can distribute the weight through the attention mechanism, so that the model can acquire useful information, and the detection accuracy is improved.
Further, the inputting of the feature vector into a pre-constructed detection model to obtain a detection result output by the detection model includes: processing the feature vector with an encoder of the detection model to obtain a first output vector; distributing attention weights over the first output vector through an attention mechanism in the detection model, and obtaining a corresponding second output vector from the attention weights and the first output vector as the input of a decoder of the detection model; decoding the second output vector with the decoder in the detection model to obtain a third output vector, which is used as the input of a fully connected layer of the detection model; processing the third output vector with the fully connected layer in the detection model to obtain a fourth output vector, which is used as the input of a linear regression layer of the detection model; and performing a linear regression operation on the fourth output vector with the linear regression layer in the detection model to obtain the detection result.
According to the embodiment of the application, the weight is distributed to the output of the encoder through the attention mechanism, the output of the encoder is multiplied by the corresponding weight and then is input to the decoder, so that the model identifies and pays attention to high-value information from the input characteristics, the problem of distraction when facing a long sequence is solved, and the detection accuracy is improved.
Further, said obtaining a corresponding second output vector from the attention weights and the first output vector comprises: calculating the second output vector according to the formula
[formula shown only as an image in the source; its terms are defined below]
where C_j is the jth element value in the second output vector; m is the total number of elements in the first output vector; h_i is the ith element value in the first output vector; a_i is the ith attention weight; n is the total number of attention weights.
According to the embodiment of the application, the output of the encoder is optimized through the weight distributed by the attention mechanism, and the optimized output is input into the decoder again, so that the model can pay attention to high-value information in the input feature vector, and the detection accuracy is improved.
Further, the attention weight is obtained by: obtaining a plurality of training samples, wherein the training samples comprise training log data and a label detection result; inputting the training sample into a detection model to be trained to obtain a corresponding prediction detection result; wherein, the attention weight in the attention mechanism in the detection model to be trained is an initial weight; and optimizing the attention weight according to the labeling detection result and the prediction detection result to obtain the optimized attention weight.
Further, the processing, by the fully connected layer, of the third output vector to obtain a fourth output vector includes: calculating the fourth output vector according to the formula f_t = tanh(w_p y_j) + b_p; where f_t is the fourth output vector corresponding to time t; w_p is the pth weight of the fully connected layer; y_j is the jth element value in the third output vector; b_p is an offset.
Further, the performing, by the linear regression layer, of a linear regression operation on the fourth output vector to obtain the detection result includes: calculating the detection result according to the formula Y_t = θ^T f_t + [offset term; its symbol is not rendered in the source]; where Y_t is the detection result corresponding to time t; θ is the weight of the linear regression; f_t is the fourth output vector corresponding to time t; and the offset term is the offset of the linear regression.
Further, the extracting the features of the user log data to obtain corresponding feature vectors includes: carrying out one-hot encoding on the user log data to obtain one-hot encoding matrix; and converting the one-hot coding matrix by using a pre-trained continuous bag-of-words model to obtain the characteristic vector.
In a second aspect, an embodiment of the present application provides an internal threat detection apparatus, including: a data acquisition module, used to acquire a plurality of pieces of user log data of the user terminal to be detected and to extract the features of each piece of user log data to obtain corresponding feature vectors; and a detection module, used to input the feature vectors into a pre-constructed detection model to obtain a detection result output by the detection model; the detection model is composed of a neural network including an attention mechanism module, and the attention mechanism module is used for distributing weights over the intermediate output vectors in the neural network; and the detection result is used to represent whether the user terminal to be detected has an internal threat.
In a third aspect, an embodiment of the present application provides an electronic device, including: the system comprises a processor, a memory and a bus, wherein the processor and the memory are communicated with each other through the bus; the memory stores program instructions executable by the processor, the processor being capable of performing the method of the first aspect when invoked by the program instructions.
In a fourth aspect, an embodiment of the present application provides a non-transitory computer-readable storage medium, including: the non-transitory computer readable storage medium stores computer instructions that cause the computer to perform the method of the first aspect.
Additional features and advantages of the present application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the present application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic structural diagram of a detection model according to an embodiment of the present disclosure;
FIG. 2 is a schematic flow chart illustrating a model training method according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram illustrating classification of user internal behavior data according to an embodiment of the present application;
fig. 4 is a schematic flow chart of an internal threat detection method according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a method for extracting features from raw log data according to an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of an internal threat detection apparatus according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
In order to improve the accuracy of internal threat detection, embodiments of the present application provide an internal threat detection method, which is capable of extracting more valuable information from feature vectors corresponding to input user log data by using a detection model formed by a neural network including an attention mechanism, thereby improving the accuracy of internal threat detection.
Before introducing the internal threat detection method, an embodiment of the present application provides a detection model, as shown in fig. 1, which includes an encoder 101, a decoder 102, an attention mechanism module 105, a fully connected layer 103, and a linear regression layer 104. The encoder and the decoder adopt an LSTM network structure and are each designed with 3 layers; it can be understood that the encoder 101 and the decoder 102 need not have exactly 3 layers, and the number of layers may be adjusted according to the actual situation, which is not specifically limited in this embodiment of the present application. The structure of the detection model is as follows: the encoder 101 is formed by connecting three layers of LSTM network; the output of the encoder 101 passes through the attention mechanism module 105 and is then input into the decoder 102, which is likewise formed by connecting three layers of LSTM network; the fully connected layer 103 and the linear regression layer 104 are connected after the decoder 102. The encoder 101 takes the feature vector [x_1, x_2, ..., x_{t-1}] as input for encoding, and the decoder 102 learns the key information selected by the encoder 101 and the attention mechanism module 105 as the intermediate output vector of the detection model.
It is understood that the structure of the detection model is only an example, and in practical applications, the detection model may be modified, for example: the number of layers of the encoder and the decoder, etc. can be adjusted and are within the scope of the present application.
Based on the detection model, the embodiment of the application provides a model training method, as shown in fig. 2. It can be understood that the model training method and the internal threat detection method provided by the embodiment of the present application may be applied to a terminal device (also referred to as an electronic device) and a server; the terminal device may be a smart phone, a tablet computer, a Personal Digital Assistant (PDA), or the like; the server may specifically be an application server, and may also be a Web server. In addition, both the model training method and the internal threat detection method can be executed by the same terminal device, and can also be executed by different terminal devices.
For convenience of understanding, in the technical solution provided in the embodiment of the present application, an application scenario of the model training method and the prediction method provided in the embodiment of the present application is described below by taking a terminal device as an execution subject. The training method comprises the following steps:
step 201: acquiring training log data; the training log data may be obtained by deploying an audit node on the user computer and collecting the access data of the user on the user terminal. It can be understood that historical access data of different user terminals may be collected, and historical access data of the same user terminal may also be collected, which is not specifically limited in this embodiment of the present application. Log data for a plurality of cycles may be obtained, with the log data of each cycle used as one set of training data to train the model. The collected training log data may include 13 types of fine-grained user behavior: system access (login, logout), file access (read, write, copy, delete), peripheral connection (connect, disconnect), network access (access, upload, download), and mail (receive, send). It is understood that, in a specific implementation, more or fewer user behaviors than those listed above may be selected according to actual needs, and the type of log data is not particularly limited in the embodiments of the present application. Fig. 3 is a schematic diagram illustrating the classification of user internal behavior data according to an embodiment of the present application.
Step 202: extracting features; because the obtained original training log data is in text format, a word vector method can be adopted to extract features from the training log data and obtain a feature vector [x_1, x_2, ..., x_m]. Each element in the feature vector represents the feature corresponding to one time point, and the feature vector here may be one set of training data, i.e. the feature vector of the previous m time points. The label corresponding to the feature vector is whether an internal threat occurs at time point m+1.
Step 203: training a model; the feature vector corresponding to the training log data is input into the detection model to be trained to obtain the prediction result output by the detection model to be trained. A loss function is calculated from the prediction result and the label; the loss function of the model can be the Mean Square Error (MSE), whose calculation is shown in formula (1):
[formula (1): MSE loss; shown only as an image in the source]
where Y_tl is the lth dimension of the prediction result output by the detection model to be trained; the label term (its symbol is shown only as an image in the source) is the label corresponding to the lth dimension of the input feature vector; and L is the dimension of Y_tl, with l in [1, L].
The parameters of the model to be trained are then optimized by back-propagating the calculated loss value until a detection model meeting the requirements is obtained.
It will be appreciated that the weights that the attention mechanism in the detection model assigns to each encoder output are also obtained during the training of the detection model, and the final weights are obtained as follows:
First, assuming that the dimension of the encoder output is m, the weights are initialized as
[initial weight formula; shown only as an image in the source]
It will be understood that a_i is an m-dimensional vector. The degree of match between the output of the encoder and the input of the decoder is calculated as in formula (2):
e_{i,j} = v^T tanh(w_1 h_i + w_2 C_j)   (2)
where e_{i,j} is the matching degree; v, w_1 and w_2 are parameters of the detection model; h_i is the output of the encoder; C_j is the input of the decoder; i and j are positive integers, with i ranging over [1, m], where m is the dimension of the encoder output, and j ranging over [1, n], where n is the dimension of the decoder input.
Then the weights are obtained through softmax normalization, as shown in formula (3):
[formula (3): softmax normalization of the matching degrees; shown only as an image in the source]
where a_i is a weight; e_{k,j} is the degree of match between the kth output of the encoder and the jth input of the decoder; e_{i,j} is the degree of match between the ith output of the encoder and the jth input of the decoder, where k ≤ i.
According to the embodiment of the application, the detection model with the attention mechanism is added, so that high-value information can be extracted from the input feature vector, and the accuracy of prediction of the internal threat behaviors is improved.
Fig. 4 is a schematic flow chart of an internal threat detection method provided in an embodiment of the present application, and as shown in fig. 4, the method includes:
step 401: acquiring a plurality of pieces of user log data of a user terminal to be detected, and respectively extracting the characteristics of each piece of user log data to obtain corresponding characteristic vectors;
step 402: inputting the characteristic vector into a pre-constructed detection model to obtain a detection result output by the detection model; wherein the detection model is composed of a neural network including an attention mechanism; and the detection result is used for representing whether the user terminal to be detected has internal threat.
In step 401, the plurality of pieces of user log data may be generated by the user terminal to be detected within a preset historical time period, for example a period of time before the current time t. The embodiment of the application aims to predict, from the historical behavior data of a user, whether internal threat behavior occurs on the user terminal at time t, so that timely intervention can be performed.
Because the acquired user log data is in a text format, in order to facilitate the identification and analysis of the detection model, the terminal device performs feature extraction on the user log data after acquiring the user log data, and specifically, the feature extraction can be performed by adopting a word vector method. Of course, other methods of feature extraction may also be employed, such as: word frequency method.
In step 402, the terminal device inputs the obtained feature vector into a pre-constructed detection model, where the construction and training of the detection model may refer to the above embodiments, and details are not described here. The detection model analyzes the input feature vector, outputs the probability of the internal threat behavior at the next moment, can set a threshold, predicts that the behavior of the user at the next moment is abnormal if the probability exceeds the threshold, and otherwise, the behavior is normal.
According to the embodiment of the application, the user log data are analyzed through the detection model formed by the neural network comprising the attention mechanism, so that whether the internal threat exists in the user terminal is judged, and the neural network comprising the attention mechanism can distribute the weight through the attention mechanism, so that the model can acquire useful information, and the detection accuracy is improved.
On the basis of the above embodiment, the inputting the feature vector into a pre-constructed detection model to obtain a detection result output by the detection model includes:
and the encoder of the detection model processes the characteristic vector to obtain a first output vector.
It can be understood that, taking the detection model of fig. 1 as an example, the feature vector input to the detection model is processed by the three-layer encoder to obtain a first output vector. The feature vector may be [x_1, x_2, ..., x_m]; element x_i is output as h_{1,i} after passing through the first layer of the encoder, as h_{2,i} after the second layer, and as h_{3,i} after the third layer, for i = 1, 2, ..., m. The first output vector can thus be represented as [h_{3,1}, h_{3,2}, ..., h_{3,m}].
And the attention mechanism in the detection model allocates attention weight to the first output vector, and obtains a corresponding second output vector as the input of a decoder of the detection model according to the attention weight and the first output vector.
In a specific implementation, the second output vector may be obtained by calculating according to formula (4):
[formula (4): second output vector from the attention weights and the first output vector; shown only as an image in the source]
where C_j is the jth element input into the decoder, j = 1, 2, ..., n; m is the dimension of the first output vector; h_i is the ith element value in the first output vector, which can also be understood as the h_{3,i} output by the encoder of the detection model in fig. 1; a_i is the attention weight of the ith input to the decoder, and a_i is an m-dimensional vector; n is the total number of attention weights.
The role of the attention mechanism is to select, from the output of the encoder, the information useful for learning the target, where a_i is obtained in advance during model training.
And a decoder in the detection model decodes the second output vector to obtain a third output vector which is used as the input of the full-link layer of the detection model.
In a specific implementation process, after the second output vector is obtained it is input into the decoder for decoding. Still taking the detection model of fig. 1 as an example, the second output vector is processed through the first layer of the decoder to obtain output h_{4,j}, which is output as h_{5,j} after the second layer of the decoder and as h_{6,j} after the third layer of the decoder, for j = 1, 2, ..., n. The third output vector can thus be represented as [h_{6,1}, h_{6,2}, ..., h_{6,n}].
And processing the third output vector by a full connection layer in the detection model to obtain a fourth output vector which is used as the input of a linear regression layer of the detection model.
In a specific implementation process, after the third output vector is input into the full-connection layer, the full-connection layer processes the third output vector through formula (5), so as to obtain a fourth output vector:
f_t = tanh(w_p y_j) + b_p   (5)
where f_t is the fourth output vector; t denotes time t, i.e. the next moment after the input vector; w_p is the pth weight of the fully connected layer; y_j is the jth element value in the third output vector; b_p is an offset.
And performing linear regression operation on the fourth output vector by a linear regression layer in the detection model to obtain the detection result.
In a specific implementation process, after the fourth output vector is obtained, the fourth output vector is input into the linear regression layer, and the linear regression layer processes the fourth output vector by using a formula (6), so as to obtain a detection result:
Y_t = θ^T f_t + [offset term; its symbol is not rendered in the source]   (6)
where Y_t is the detection result; t denotes time t, i.e. the next moment after the input vector; θ is the weight of the linear regression; f_t is the corresponding fourth output vector; and the offset term is the offset of the linear regression.
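The forward pass of formulas (2) to (6), the threshold decision of step 402 and the MSE loss of formula (1), as an added worked example in pure Python; this is not code from the patent or its assignee. The encoder and decoder LSTMs are left out: the encoder outputs h_i and the decoder query C_j are constructed values, and the attention context stands in for the decoder output y. Formula (4) is taken in its usual form C_j = Σ_i a_i h_i, formula (1) as the mean of squared errors over the output dimensions, and the unrendered offset of formula (6) is simply named `offset`; all weights and the threshold are constructed, not values from the patent.

```python
import math
from typing import Dict, List

Vector = List[float]
Matrix = List[List[float]]


def matvec(w: Matrix, x: Vector) -> Vector:
    return [sum(wr * xc for wr, xc in zip(row, x)) for row in w]


def dot(a: Vector, b: Vector) -> float:
    return sum(x * y for x, y in zip(a, b))


def softmax(scores: Vector) -> Vector:
    # Numerically stable softmax: shift by the maximum before exponentiating.
    shift = max(scores)
    exps = [math.exp(s - shift) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]


def match_scores(h: List[Vector], c_j: Vector, v: Vector, w1: Matrix, w2: Matrix) -> Vector:
    # Formula (2): e_{i,j} = v^T tanh(w1 h_i + w2 C_j), one score per encoder position i.
    w2c = matvec(w2, c_j)
    scores = []
    for h_i in h:
        pre = [p + q for p, q in zip(matvec(w1, h_i), w2c)]
        scores.append(dot(v, [math.tanh(z) for z in pre]))
    return scores


def attention_weights(h: List[Vector], c_j: Vector, v: Vector, w1: Matrix, w2: Matrix) -> Vector:
    # Formula (3): softmax normalisation of the match scores over i.
    return softmax(match_scores(h, c_j, v, w1, w2))


def context_vector(h: List[Vector], a: Vector) -> Vector:
    # Assumed form of formula (4): the second output vector is the
    # attention-weighted sum of the encoder outputs, C_j = sum_i a_i h_i.
    out = [0.0] * len(h[0])
    for a_i, h_i in zip(a, h):
        for k, val in enumerate(h_i):
            out[k] += a_i * val
    return out


def fully_connected(y: Vector, w_p: Matrix, b_p: Vector) -> Vector:
    # Formula (5) exactly as written in the description: f_t = tanh(w_p y_j) + b_p.
    return [math.tanh(z) + b for z, b in zip(matvec(w_p, y), b_p)]


def linear_regression(f_t: Vector, theta: Vector, offset: float) -> float:
    # Formula (6): Y_t = theta^T f_t + offset (offset symbol not rendered in the source).
    return dot(theta, f_t) + offset


def mse(pred: Vector, label: Vector) -> float:
    # Formula (1) in its standard form: mean of squared differences over the L dimensions.
    return sum((p - l) ** 2 for p, l in zip(pred, label)) / len(pred)


def is_insider_threat(score: float, threshold: float) -> bool:
    # Step 402: the model output is a probability-like score for the next
    # moment; above the threshold the behaviour is flagged as abnormal.
    return score > threshold


def run_demo() -> Dict[str, object]:
    # Constructed values: three encoder outputs (m = 3) of dimension 2, one
    # decoder query, identity projections and a unit scoring vector.
    h = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0]]
    c_j = [1.0, 0.0]
    v = [1.0, 1.0]
    w1 = [[1.0, 0.0], [0.0, 1.0]]
    w2 = [[1.0, 0.0], [0.0, 1.0]]
    a = attention_weights(h, c_j, v, w1, w2)
    ctx = context_vector(h, a)
    # The decoder LSTM is omitted: ctx stands in for the third output vector y.
    f_t = fully_connected(ctx, [[1.0, 0.0], [0.0, 1.0]], [0.0, 0.0])
    y_t = linear_regression(f_t, [1.0, 1.0], offset=-0.5)
    return {
        "weights": a,                     # one attention weight per encoder position
        "context": ctx,                   # second output vector
        "score": y_t,                     # detection result Y_t
        "flagged": is_insider_threat(y_t, threshold=0.5),
        "loss_vs_label_1": mse([y_t], [1.0]),
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(key, val)
```

In the constructed case the third encoder output, which overlaps the query in both dimensions, receives the largest weight (about 0.44), so the context vector leans toward it; the score of about 0.73 exceeds the threshold and the next moment is flagged. The same functions accept any m and dimension, so they can be driven by real encoder outputs once an LSTM is in front of them.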
On the basis of the above embodiment, the performing feature extraction on each piece of user log data to obtain a corresponding feature vector includes:
carrying out one-hot encoding on the user log data to obtain one-hot encoding matrix;
and converting the one-hot coding matrix by using a pre-trained continuous bag-of-words model to obtain the characteristic vector.
In a specific implementation process, an embodiment of the present application provides a method for extracting features from the acquired original log data, as shown in fig. 5: first, one-hot encoding is performed on each piece of user log data to obtain a one-hot encoding matrix. It will be appreciated that one-hot encoding uses an N-bit status register to encode N states, each state having its own independent register bit, and only one bit being active at any time.
Because the obtained one-hot coding matrix has higher dimensionality, a pre-trained Continuous bag of words (CBOW) model can be utilized, wherein the CBOW model is a neural network composed of an input layer, a hidden layer and an output layer; and converting the one-hot coding of one log by using the parameters of the hidden layer in the CBOW model after the training is finished to obtain the characteristic vector.
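The feature extraction path of fig. 5 (one-hot encoding of each log entry, then projection through the hidden layer of a CBOW model), as an added worked example in pure Python; this is not code from the patent or its assignee. The log lines are constructed, the 13 behaviour types named in step 201 serve as the token vocabulary, and the CBOW is a minimal input/hidden/softmax-output network trained here with a short run of SGD so that the example runs offline; the embedding dimension, window size, learning rate and epoch count are arbitrary choices, not values from the patent.

```python
import math
import random
from typing import Dict, List, Tuple

# Constructed sample: one behaviour token per log entry, drawn from the 13
# fine-grained behaviour types listed in the description.
SAMPLE_LOG = [
    "login", "file_read", "file_write", "net_access", "mail_receive", "mail_send",
    "file_copy", "usb_connect", "file_copy", "usb_disconnect", "net_upload", "logout",
    "login", "file_read", "net_download", "file_delete", "logout",
]


def build_vocab(tokens: List[str]) -> Dict[str, int]:
    # One register bit per distinct behaviour type (N states -> N bits).
    return {tok: idx for idx, tok in enumerate(sorted(set(tokens)))}


def one_hot_matrix(tokens: List[str], vocab: Dict[str, int]) -> List[List[int]]:
    # One row per log entry; exactly one bit is set in each row.
    rows = []
    for tok in tokens:
        row = [0] * len(vocab)
        row[vocab[tok]] = 1
        rows.append(row)
    return rows


class CBOW:
    """Minimal continuous bag-of-words network: input layer -> hidden layer -> softmax output."""

    def __init__(self, vocab_size: int, dim: int, seed: int = 0) -> None:
        rng = random.Random(seed)
        self.vocab_size, self.dim = vocab_size, dim
        # Input-to-hidden weights (V x d): after training, the rows are the dense feature vectors.
        self.w_in = [[rng.uniform(-0.5, 0.5) for _ in range(dim)] for _ in range(vocab_size)]
        # Hidden-to-output weights (d x V).
        self.w_out = [[rng.uniform(-0.5, 0.5) for _ in range(vocab_size)] for _ in range(dim)]

    def hidden(self, context: List[int]) -> List[float]:
        # Hidden layer = mean of the w_in rows selected by the context tokens.
        h = [0.0] * self.dim
        for c in context:
            for k in range(self.dim):
                h[k] += self.w_in[c][k] / len(context)
        return h

    def forward(self, context: List[int]) -> Tuple[List[float], List[float]]:
        h = self.hidden(context)
        u = [sum(h[k] * self.w_out[k][o] for k in range(self.dim)) for o in range(self.vocab_size)]
        shift = max(u)
        exps = [math.exp(x - shift) for x in u]
        total = sum(exps)
        return h, [e / total for e in exps]

    def train_step(self, context: List[int], target: int, lr: float) -> float:
        # One SGD step on the cross-entropy of predicting the centre token from its context.
        h, probs = self.forward(context)
        err = [p - (1.0 if o == target else 0.0) for o, p in enumerate(probs)]
        d_h = [sum(self.w_out[k][o] * err[o] for o in range(self.vocab_size)) for k in range(self.dim)]
        for k in range(self.dim):
            for o in range(self.vocab_size):
                self.w_out[k][o] -= lr * h[k] * err[o]
        for c in context:
            for k in range(self.dim):
                self.w_in[c][k] -= lr * d_h[k] / len(context)
        return -math.log(probs[target])


def training_pairs(ids: List[int], window: int) -> List[Tuple[List[int], int]]:
    # (context tokens, centre token) pairs from a sliding window over the log sequence.
    return [(ids[i - window:i] + ids[i + 1:i + window + 1], ids[i])
            for i in range(window, len(ids) - window)]


def train_cbow(tokens: List[str], dim: int = 4, window: int = 2,
               epochs: int = 200, lr: float = 0.1) -> Tuple[Dict[str, int], CBOW, List[float]]:
    vocab = build_vocab(tokens)
    ids = [vocab[t] for t in tokens]
    model = CBOW(len(vocab), dim)
    pairs = training_pairs(ids, window)
    losses = []
    for _ in range(epochs):
        losses.append(sum(model.train_step(ctx, tgt, lr) for ctx, tgt in pairs) / len(pairs))
    return vocab, model, losses


def embed_log(tokens: List[str], vocab: Dict[str, int], model: CBOW) -> List[List[float]]:
    # Feature vector per entry: its one-hot row multiplied by the trained
    # hidden-layer parameters, which selects that token's row of w_in.
    feats = []
    for row in one_hot_matrix(tokens, vocab):
        feats.append([sum(row[v] * model.w_in[v][k] for v in range(len(row))) for k in range(model.dim)])
    return feats


if __name__ == "__main__":
    vocab, model, losses = train_cbow(SAMPLE_LOG)
    print(f"vocab size {len(vocab)}, mean loss {losses[0]:.3f} -> {losses[-1]:.3f}")
    for tok, vec in zip(SAMPLE_LOG[:3], embed_log(SAMPLE_LOG, vocab, model)):
        print(tok, [round(x, 3) for x in vec])
```

The one-hot matrix has as many columns as behaviour types (13 here), while each projected feature vector has only `dim` entries, which is the dimensionality reduction the description relies on before the sequence is fed to the encoder. Because the projection is a lookup of a trained row, two log entries with the same behaviour type always map to the same feature vector.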
Fig. 6 is a schematic structural diagram of an internal threat detection apparatus according to an embodiment of the present application, where the apparatus may be a module, a program segment, or code on an electronic device. It should be understood that the apparatus corresponds to the above-mentioned embodiment of the method of fig. 4, and can perform various steps related to the embodiment of the method of fig. 4, and the specific functions of the apparatus can be referred to the description above, and the detailed description is appropriately omitted here to avoid redundancy. The device includes: a data acquisition module 601 and a detection module 602, wherein:
the data acquisition module 601 is configured to acquire multiple pieces of user log data of a user terminal to be detected, and perform feature extraction on each piece of the user log data to acquire a corresponding feature vector; the detection module 602 is configured to input the feature vector into a detection model that is constructed in advance, and obtain a detection result output by the detection model; wherein the detection model comprises an encoder, a decoder, an attention mechanism, a full link layer and a linear regression layer; and the detection result is used for representing whether the user terminal to be detected has internal threat.
In the technology of the foregoing embodiment, the detection module 602 is specifically configured to:
an encoder of the detection model processes the feature vector to obtain a first output vector;
an attention mechanism in the detection model allocates attention weight to the first output vector, and obtains a corresponding second output vector according to the attention weight and the first output vector as input of a decoder of the detection model;
a decoder in the detection model decodes the second output vector to obtain a third output vector which is used as the input of a full connection layer of the detection model;
processing the third output vector by a full connection layer in the detection model to obtain a fourth output vector which is used as the input of a linear regression layer of the detection model;
and performing linear regression operation on the fourth output vector by a linear regression layer in the detection model to obtain the detection result.
On the basis of the foregoing embodiment, the detection module 602 is specifically configured to:
according to the formula
Figure BDA0002574758780000121
Calculating to obtain the second output vector;
wherein C_j is the j-th element value in the second output vector; M is the total number of elements in the first output vector; h_i is the i-th element value in the first output vector; a_i is the i-th attention weight; N is the total number of attention weights.
On the basis of the above embodiment, the attention weight is obtained by:
obtaining a plurality of training samples, wherein the training samples comprise training log data and a label detection result;
inputting the training sample into a detection model to be trained to obtain a corresponding prediction detection result; wherein, the attention weight in the attention mechanism in the detection model to be trained is an initial weight;
and optimizing the attention weight according to the labeling detection result and the prediction detection result to obtain the optimized attention weight.
On the basis of the foregoing embodiment, the detection module 602 is specifically configured to:
according to the formula f_t = tanh(w_p y_j) + b_p, calculating to obtain the fourth output vector;
wherein f_t is the fourth output vector corresponding to time t; w_p is the p-th weight of the fully connected layer; y_j is the j-th element value in the third output vector; b_p is an offset.
On the basis of the foregoing embodiment, the detection module 602 is specifically configured to:
according to the formula Y_t = θ^T f_t + (offset term; its symbol is not rendered on the page), calculating to obtain the detection result;
wherein Y_t is the detection result corresponding to time t; θ is the weight corresponding to the linear regression; f_t is the fourth output vector corresponding to time t; the unrendered term is the offset corresponding to the linear regression.
On the basis of the foregoing embodiment, the data obtaining module 601 is specifically configured to:
carrying out one-hot encoding on the user log data to obtain one-hot encoding matrix;
and converting the one-hot coding matrix by using a pre-trained continuous bag-of-words model to obtain the characteristic vector.
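As an added illustration (not code from the patent or its assignee), the following pure-Python sketch traces one constructed log sequence through the pipeline described above: one-hot encoding and the CBOW hidden-layer projection of the data acquisition module, then the encoder, attention mechanism, decoder, fully connected layer and linear regression layer of the detection module. The weights are seeded random stand-ins for trained parameters; the encoder is a plain tanh recurrence rather than an LSTM, and the weighted-sum form of the attention context C_j = Σ_i a_i h_i[j], the attention scoring by a query vector, and the decision threshold are assumptions, since the patent's formula image is not reproduced in the text.

```python
import math
import random

# Constructed sample: one user's log events as tokens (not real log data).
SAMPLE_LOG = ["logon", "open_file", "usb_connect", "copy_file", "logoff"]
VOCAB = {tok: i for i, tok in enumerate(
    ["logon", "logoff", "open_file", "copy_file", "usb_connect", "http_get"])}

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def one_hot(tokens, vocab):
    """N-bit register per token: exactly one active bit, at the token's vocab index."""
    n = len(vocab)
    return [[1.0 if vocab[t] == k else 0.0 for k in range(n)] for t in tokens]

def cbow_project(onehot_rows, hidden_w):
    """Hidden-layer weights of a CBOW model (here seeded, not trained) act as a lookup
    table: a one-hot row times hidden_w selects that token's dense feature vector."""
    return [[dot(row, col) for col in zip(*hidden_w)] for row in onehot_rows]

def rnn_encode(xs, w_in, w_rec, b):
    """Simplified tanh recurrence standing in for the LSTM encoder; returns h_1..h_M."""
    h, out = [0.0] * len(b), []
    for x in xs:
        h = [math.tanh(dot(x, w_in[k]) + dot(h, w_rec[k]) + b[k]) for k in range(len(b))]
        out.append(h)
    return out

def softmax(scores):
    m = max(scores)
    e = [math.exp(s - m) for s in scores]
    z = sum(e)
    return [v / z for v in e]

def attention(h_seq, scores):
    """a_i = softmax(score_i); C_j = sum_i a_i * h_i[j] (assumed weighted-sum form)."""
    a = softmax(scores)
    ctx = [sum(a[i] * h_seq[i][j] for i in range(len(h_seq))) for j in range(len(h_seq[0]))]
    return a, ctx

def fully_connected(y, w, b):
    """Fourth output vector, following the text's form f_p = tanh(w_p . y) + b_p."""
    return [math.tanh(dot(w[p], y)) + b[p] for p in range(len(b))]

def linear_regression(f, theta, offset):
    """Detection result Y_t = theta^T f_t + offset."""
    return dot(theta, f) + offset

def make_params(vocab_size, dim, hidden, seed=0):
    """Seeded random stand-ins for trained weights; real values come from training."""
    rnd = random.Random(seed)
    def mat(r, c):
        return [[rnd.uniform(-0.5, 0.5) for _ in range(c)] for _ in range(r)]
    return {
        "cbow": mat(vocab_size, dim),
        "enc_in": mat(hidden, dim), "enc_rec": mat(hidden, hidden), "enc_b": [0.0] * hidden,
        "query": mat(1, hidden)[0],
        "dec_w": mat(hidden, hidden), "dec_b": [0.0] * hidden,
        "fc_w": mat(hidden, hidden), "fc_b": [0.0] * hidden,
        "theta": mat(1, hidden)[0], "offset": 0.0,
    }

def detect(tokens, vocab, p, threshold=0.0):
    """Full forward pass; returns (score, flagged). The threshold is an assumption."""
    feats = cbow_project(one_hot(tokens, vocab), p["cbow"])            # feature vectors
    h_seq = rnn_encode(feats, p["enc_in"], p["enc_rec"], p["enc_b"])   # first output vector
    scores = [dot(p["query"], h) for h in h_seq]                       # attention scores
    a, ctx = attention(h_seq, scores)                                  # second output vector
    y = [math.tanh(dot(p["dec_w"][k], ctx) + p["dec_b"][k])            # third output vector
         for k in range(len(ctx))]
    f = fully_connected(y, p["fc_w"], p["fc_b"])                       # fourth output vector
    score = linear_regression(f, p["theta"], p["offset"])              # detection result
    return score, score > threshold

if __name__ == "__main__":
    params = make_params(len(VOCAB), dim=4, hidden=6)
    print(detect(SAMPLE_LOG, VOCAB, params))
```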
Fig. 7 is a schematic structural diagram of an entity of an electronic device provided in an embodiment of the present application, and as shown in fig. 7, the electronic device includes: a processor 701, a memory 702, and a bus 703; wherein:
the processor 701 and the memory 702 complete communication with each other through the bus 703;
the processor 701 is configured to call the program instructions in the memory 702 to execute the methods provided by the above-mentioned method embodiments, for example, including: acquiring a plurality of pieces of user log data of a user terminal to be detected, and performing feature extraction on the user log data to obtain corresponding feature vectors; inputting the feature vector into a pre-constructed detection model to obtain a detection result output by the detection model; the detection model is formed by a long short-term memory (LSTM) artificial neural network comprising an attention mechanism module; and the detection result is used for representing whether the user to be detected has internal threat behavior.
The processor 701 may be an integrated circuit chip having signal processing capabilities. The processor 701 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. It may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The Memory 702 may include, but is not limited to, Random Access Memory (RAM), Read Only Memory (ROM), Programmable Read Only Memory (PROM), Erasable Programmable Read Only Memory (EPROM), Electrically Erasable Programmable Read Only Memory (EEPROM), and the like.
The present embodiment discloses a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by the above-mentioned method embodiments, for example, comprising: acquiring a plurality of pieces of user log data of a user terminal to be detected, and performing feature extraction on the user log data to obtain corresponding feature vectors; inputting the feature vector into a pre-constructed detection model to obtain a detection result output by the detection model; the detection model is formed by a long short-term memory (LSTM) artificial neural network comprising an attention mechanism module; and the detection result is used for representing whether the user to be detected has internal threat behavior.
The present embodiments provide a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the methods provided by the above method embodiments, for example, including: acquiring a plurality of pieces of user log data of a user terminal to be detected, and performing feature extraction on the user log data to obtain corresponding feature vectors; inputting the feature vector into a pre-constructed detection model to obtain a detection result output by the detection model; the detection model is formed by a long short-term memory (LSTM) artificial neural network comprising an attention mechanism module; and the detection result is used for representing whether the user to be detected has internal threat behavior.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. An internal threat detection method, comprising:
acquiring a plurality of pieces of user log data of a user terminal to be detected, and performing feature extraction on the user log data to obtain corresponding feature vectors;
inputting the characteristic vector into a pre-constructed detection model to obtain a detection result output by the detection model; the detection model is composed of a neural network comprising an attention mechanism module, and the attention mechanism module is used for carrying out weight distribution on an intermediate output vector in the neural network; and the detection result is used for representing whether the user to be detected has the internal threat behavior.
2. The method according to claim 1, wherein the inputting the feature vector into a pre-constructed detection model to obtain a detection result output by the detection model comprises:
processing the feature vector by using an encoder of the detection model to obtain a first output vector;
distributing attention weight to the first output vector through an attention mechanism in the detection model, and obtaining a corresponding second output vector according to the attention weight and the first output vector as input of a decoder of the detection model;
decoding the second output vector through a decoder in the detection model to obtain a third output vector which is used as the input of a full connection layer of the detection model;
processing the third output vector by using a full connection layer in the detection model to obtain a fourth output vector which is used as the input of a linear regression layer of the detection model;
and performing linear regression operation on the fourth output vector by using a linear regression layer in the detection model to obtain the detection result.
3. The method of claim 2, wherein obtaining a corresponding second output vector based on the attention weight and the first output vector comprises:
according to the formula
Figure FDA0002574758770000011
Calculating to obtain the second output vector;
wherein C_j is the j-th element value in the second output vector; M is the total number of elements in the first output vector; h_i is the i-th element value in the first output vector; a_i is the i-th attention weight; N is the total number of attention weights.
4. The method of claim 3, wherein the attention weight is obtained by:
obtaining a plurality of training samples, wherein the training samples comprise training log data and a label detection result;
inputting the training sample into a detection model to be trained to obtain a corresponding prediction detection result; wherein, the attention weight in the attention mechanism in the detection model to be trained is an initial weight;
and optimizing the attention weight according to the labeling detection result and the prediction detection result to obtain the optimized attention weight.
5. The method of claim 2, wherein the fully-connected layer processing the third output vector to obtain a fourth output vector comprises:
according to the formula f_t = tanh(w_p y_j) + b_p, calculating to obtain the fourth output vector;
wherein f_t is the fourth output vector corresponding to time t; w_p is the p-th weight of the fully connected layer; y_j is the j-th element value in the third output vector; b_p is an offset.
6. The method of claim 2, wherein the linear regression layer performs a linear regression operation on the fourth output vector to obtain the detection result, and the method comprises:
according to the formula Y_t = θ^T f_t + (offset term; its symbol is not rendered on the page), calculating to obtain the detection result;
wherein Y_t is the detection result corresponding to time t; θ is the weight corresponding to the linear regression; f_t is the fourth output vector corresponding to time t; the unrendered term is the offset corresponding to the linear regression.
7. The method according to any one of claims 1-6, wherein said extracting features from said user log data to obtain corresponding feature vectors comprises:
carrying out one-hot encoding on the user log data to obtain one-hot encoding matrix;
and converting the one-hot coding matrix by using a pre-trained continuous bag-of-words model to obtain the characteristic vector.
8. An internal threat detection apparatus, comprising:
the data acquisition module is used for acquiring a plurality of pieces of user log data of the user terminal to be detected, and extracting the characteristics of the user log data to obtain corresponding characteristic vectors;
the detection module is used for inputting the feature vector into a detection model which is constructed in advance to obtain a detection result output by the detection model; the detection model is composed of a long short-term memory (LSTM) artificial neural network comprising an attention mechanism module, and the attention mechanism module is used for carrying out weight distribution on an intermediate output vector in the neural network; and the detection result is used for representing whether the user to be detected has internal threat behavior.
9. An electronic device, comprising: a processor, a memory, and a bus, wherein,
the processor and the memory are communicated with each other through the bus;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any one of claims 1-7.
10. A non-transitory computer-readable storage medium storing computer instructions which, when executed by a computer, cause the computer to perform the method of any one of claims 1-7.
CN202010654359.6A 2020-07-08 2020-07-08 Internal threat detection method and device, electronic equipment and storage medium Pending CN111797978A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010654359.6A CN111797978A (en) 2020-07-08 2020-07-08 Internal threat detection method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010654359.6A CN111797978A (en) 2020-07-08 2020-07-08 Internal threat detection method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN111797978A true CN111797978A (en) 2020-10-20

Family

ID=72810434

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010654359.6A Pending CN111797978A (en) 2020-07-08 2020-07-08 Internal threat detection method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111797978A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112328674A (en) * 2020-11-17 2021-02-05 深圳力维智联技术有限公司 Cross-data-format model conversion acceleration method and device
CN112631888A (en) * 2020-12-30 2021-04-09 航天信息股份有限公司 Fault prediction method and device of distributed system, storage medium and electronic equipment
CN113472742A (en) * 2021-05-28 2021-10-01 中国科学院信息工程研究所 Internal threat detection method and device based on gated cyclic unit
CN113612639A (en) * 2021-07-30 2021-11-05 江苏易安联网络技术有限公司 Method and device for analyzing and predicting file downloading behavior based on website access record
CN114401135A (en) * 2022-01-14 2022-04-26 国网河北省电力有限公司电力科学研究院 Internal threat detection method based on LSTM-Attention user and entity behavior analysis technology
CN114553497A (en) * 2022-01-28 2022-05-27 中国科学院信息工程研究所 Internal threat detection method based on feature fusion
CN114598545A (en) * 2022-03-23 2022-06-07 中国科学技术大学 Internal security threat detection method, system, equipment and storage medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109902862A (en) * 2019-02-13 2019-06-18 北京航空航天大学 A kind of time series forecasting system of time of fusion attention mechanism
US20190197397A1 (en) * 2017-12-27 2019-06-27 Cisco Technology, Inc. Neural network-assisted computer network management
CN110287439A (en) * 2019-06-27 2019-09-27 电子科技大学 A kind of network behavior method for detecting abnormality based on LSTM
CN110555007A (en) * 2019-09-09 2019-12-10 成都西山居互动娱乐科技有限公司 Method and device for judging number stealing behavior, computing equipment and storage medium
CN110691070A (en) * 2019-09-07 2020-01-14 温州医科大学 Network abnormity early warning method based on log analysis
CN110909348A (en) * 2019-09-26 2020-03-24 中国科学院信息工程研究所 Internal threat detection method and device
CN110941827A (en) * 2019-10-25 2020-03-31 北京元心科技有限公司 Application program abnormal behavior detection method and device
CN111209168A (en) * 2020-01-14 2020-05-29 中国人民解放军陆军炮兵防空兵学院郑州校区 Log sequence anomaly detection framework based on nLSTM-self attention
CN111291015A (en) * 2020-04-28 2020-06-16 国网电子商务有限公司 User behavior abnormity detection method and device

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
俞勇: "Artificial Intelligence Applications: Cool AI That Blows Your Mind", 31 August 2019 *
周鸣争 et al.: "Introduction to Big Data", 31 March 2018 *
赵立新: "An Analysis of Smart Hardware Security in the Mobile Internet Era", 30 June 2019 *


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20201020