Suggestions and Improvement Ideas for Behavior Baseline Modeling of Insider Threats

http://www.zhongfu.net/news/techinfo/1096.html

Abstract: Based on the current state of insider threat research and its commonly used methods, and addressing the five main forms of insider threat, this paper proposes suggestions and improvement ideas for establishing an insider threat behavior baseline model, providing theoretical guidance for further research on and prevention of insider threats.

Keywords: insider threat, behavior baseline, baseline modeling

1. Significance and Current State of Insider Threat Research

In recent years, insider threats within enterprises have occurred ever more frequently and caused growing harm, and insider threat detection has become an active area of academic research. Scholars at home and abroad have produced a large body of results. The main techniques include detection based on user commands, biometric authentication, user behavior analysis, access control, and big data and machine learning. Research based on user behavior analysis (UBA) is becoming increasingly popular, and the study of entity behavior has been added to it, developing into UEBA (user and entity behavior analysis).

Through UEBA, a variety of network security problems can be discovered, such as external network attacks, insider threats, or hosts infected by viruses. In 2016, user and entity behavior analysis was selected as one of Gartner's top ten information security technologies. In 2018, it was selected as one of the ten new projects recommended by Gartner for security teams. Gartner predicts that by 2022, 80% of network security testing methods will use user and entity behavior analysis. In 2016, Shashanka et al. used the singular value decomposition (SVD) algorithm to analyze users' historical behavior and establish a user behavior baseline; by computing an anomaly score for user behavior, they implemented threat detection within the enterprise. In 2018, Manya et al. described the importance of user and entity behavior analysis in network security and established behavior baselines for users and entities by monitoring their behavior logs and similar files in real time; when the behavior of a user or entity deviates from the baseline, a network attack is taken to have occurred. In 2019, Alexey et al. proposed a scalable data processing approach and an anomaly detection method for a user and entity behavior analysis platform.

2. Categories of Insider Threats

According to a Ponemon Institute survey, unintentional behavior by an organization's own employees is the most common form of insider threat, accounting for 64% of data breaches, while external attacks account for only 23%. Insider risk, however, is considerably more complex than simple negligence and malicious intent. Insiders whose behavior is unintentional include employees who do not respond to training as well as employees whose mistakes, such as misconfigured cloud networks, have consequences. On the criminal side there are internal-external collusion, long-term malicious behavior, and sabotage. A thorough understanding of the following five distinct categories of insider risk is therefore essential for a security team to develop comprehensive safeguards. Insider threats fall mainly into the following five categories.

2.1 Non-responders

Employees who act carelessly within an organization typically do not respond to training activities. Although these employees may not be deliberately negligent, they are among the riskiest members of the organization because their risky behavior occurs more often. Employees who consistently behave insecurely are usually only a small fraction of the organization, yet the aggregate impact of their mistakes is staggering.

2.2 Negligent Insider Behavior

Simple negligence is the most common form of insider threat and one of the most costly risk categories. Insiders in this category usually exhibit secure behavior and comply with policy, but an isolated mistake can lead to a breach. The X-Force survey revealed several patterns in the most common criminal tactics used over the past year to exploit employee mistakes:

  • 38% of external attackers tried to trick users into clicking malicious links or attachments.
  • 35% of external risks were attempts at man-in-the-middle (MitM) attacks.
  • 27% of external threats tried to exploit misconfigured servers.

2.3 Internal-External Collusion by Organization Employees

Collusion between an organization's employees and malicious external threat actors may be the rarest insider crime risk, but it remains a major threat as professional cybercriminals increasingly recruit organization employees through covert networks. According to a study by CERT (the Computer Emergency Response Team), incidents involving such insiders are among the most costly categories of breach and can take four times as long to detect as incidents caused by insiders acting alone.

2.4 Persistent Malicious Behavior

Most often, criminal insiders leak data or commit other malicious acts for financial reward or personal gain. Their behavior can be more sophisticated so as to remain undetected and maximize the personal benefit of the data theft. Rather than exporting data in bulk, which may trigger alerts in traditional network monitoring tools, these insiders may leak data slowly to avoid detection.

2.5 Disgruntled Employees

The last category of insider threat, disgruntled employees who deliberately sabotage or steal intellectual property, is also the most costly risk the organization faces. Gartner's analysis of insider crime found that 29% of employees steal organizational information after leaving in order to gain future benefit, while 9% act on simple criminal motives such as revenge. Disgruntled employees can fit many behavioral sub-patterns. From the moment the resignation notice is received, some frustrated employees may begin to collect or obtain information without a specific goal, while others may have very clear intentions and begin selling trade secrets to competitors.

Corresponding countermeasures and preventive measures need to be taken against each of the five insider threat behaviors above.

Although every employee in an organization may have a unique behavior pattern, changes in an individual's pattern can predict risk. Artificial intelligence and behavior analysis are particularly suited to detecting the subtle pattern risks in workplace habits and information consumption. User behavior analysis can predict risk trends through in-depth analysis and thereby mitigate all types of insider threat.

3. Common Methods for Behavior Baseline Modeling of Insider Threats

For the different types of insider threat, in-depth behavior analysis is carried out and a baseline model is established so that abnormal behavior can be identified more reliably. The general idea is that a user's normal behavior should match that of their group or their own past behavior (the baseline), and events that deviate from the baseline are abnormal. Such a deviation may indicate fraud, sabotage, internal-external collusion, data theft, or other malicious intent. Once the algorithm detects a behavioral deviation, it can flag the event for further investigation, or it can be designed to compare the event with similar events recorded in the past. These earlier records are the output of running the monitoring algorithm on training data or on a shared knowledge base (for example a threat intelligence database shared by multiple enterprises). In such a monitoring algorithm, security operators have to label data manually to distinguish "normal" from "abnormal". In the final output, each displayed threat record carries a risk score attribute composed of variables such as behavior frequency, resources involved, potential impact, and number of affected nodes.

So far, good progress has been made on behavior baseline modeling for insider threats. The modeling methods mainly fall into the following two groups.

3.1 Modeling Based on Statistical Methods

Commonly used statistical modeling methods include kernel density estimation (KDE), naive Bayes, and regression. The first two are introduced here.

(1) Overview of KDE

KDE takes each data point together with a bandwidth as the parameters of a kernel function, producing n kernels; their linear superposition forms the kernel density estimate, which after normalization is the kernel-density probability density function. Commonly used kernel functions are shown in Figure 1.

The KDE method clusters sample points according to their distribution. Intuitively: a region is divided into several sub-regions, and how points cluster is determined by the density of their distribution.

Figure 1: Commonly used kernel functions
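As an added example that is not part of the original article, the following Python code implements the KDE just described over a constructed series of daily file-access counts for one fictional user and scores new observations against the resulting density. The kernel is Gaussian, the bandwidth follows Silverman's rule of thumb, and the user, the counts and the 95% in-sample cut-off are all assumptions made for the illustration.

```python
"""Gaussian KDE as a per-user behaviour baseline (added example)."""
import math
from statistics import stdev


def gaussian_kernel(u):
    """Standard normal kernel K(u)."""
    return math.exp(-0.5 * u * u) / math.sqrt(2 * math.pi)


def silverman_bandwidth(samples):
    """Silverman's rule of thumb: h = 1.06 * sigma * n^(-1/5)."""
    return 1.06 * stdev(samples) * len(samples) ** (-0.2)


def kde_density(x, samples, h):
    """f(x) = (1 / (n * h)) * sum_i K((x - x_i) / h).

    One kernel is centred on every sample point; the n kernels are summed and
    the result divided by n * h, which normalises it to a probability density.
    """
    n = len(samples)
    return sum(gaussian_kernel((x - xi) / h) for xi in samples) / (n * h)


def anomaly_score(x, samples, h):
    """Negative log density: the less typical x is of the baseline, the higher
    the score. The density is floored so a far-off point does not give inf."""
    return -math.log(max(kde_density(x, samples, h), 1e-300))


def baseline_threshold(samples, h, quantile=0.95):
    """Score below which `quantile` of the baseline's own points fall; anything
    scoring above it is treated as a deviation from the baseline."""
    scores = sorted(anomaly_score(s, samples, h) for s in samples)
    return scores[min(len(scores) - 1, int(quantile * len(scores)))]


def flag_observations(observations, samples, quantile=0.95):
    """Map each new observation to True if it deviates from the baseline."""
    h = silverman_bandwidth(samples)
    threshold = baseline_threshold(samples, h, quantile)
    return {x: anomaly_score(x, samples, h) > threshold for x in observations}


# Constructed baseline: 30 days of file-access counts for one fictional user.
BASELINE_COUNTS = [42, 38, 45, 40, 39, 44, 41, 37, 43, 46,
                   40, 42, 39, 41, 44, 38, 43, 40, 42, 45,
                   41, 39, 40, 43, 42, 44, 38, 41, 40, 42]

if __name__ == "__main__":
    h = silverman_bandwidth(BASELINE_COUNTS)
    print(f"bandwidth h = {h:.2f}")
    for x in (41, 48, 120):
        print(f"x = {x:>3}  score = {anomaly_score(x, BASELINE_COUNTS, h):.2f}")
    print(flag_observations([41, 48, 120], BASELINE_COUNTS))
```

The in-sample quantile threshold is the point the text makes about the baseline being derived from the sample's own distribution: a value such as 120 gets an extremely high score only because no kernel sits anywhere near it.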

(2) Overview of the Naive Bayes Method

The naive Bayes classification flowchart is as follows:

Figure 2: Naive Bayes classification flowchart
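The following added example (not from the original article) implements the naive Bayes classification the flowchart describes for categorical behavior features, with Laplace smoothing so that a feature value never seen for a class does not zero out that class's probability. The three features, their values and the labelled training records are constructed for the illustration.

```python
"""Categorical naive Bayes over behaviour features (added example)."""
import math
from collections import Counter, defaultdict

FEATURES = ("time_of_day", "resource", "volume")

# Constructed, labelled training records: (feature values, label).
TRAINING = [
    (("work_hours", "shared_drive", "low"), "normal"),
    (("work_hours", "shared_drive", "low"), "normal"),
    (("work_hours", "project_repo", "low"), "normal"),
    (("work_hours", "project_repo", "medium"), "normal"),
    (("work_hours", "shared_drive", "medium"), "normal"),
    (("off_hours", "project_repo", "low"), "normal"),
    (("off_hours", "hr_records", "high"), "abnormal"),
    (("off_hours", "finance_db", "high"), "abnormal"),
    (("work_hours", "finance_db", "high"), "abnormal"),
    (("off_hours", "shared_drive", "high"), "abnormal"),
]


class CategoricalNaiveBayes:
    def __init__(self, alpha=1.0):
        self.alpha = alpha                    # Laplace smoothing constant
        self.class_counts = Counter()         # label -> number of records
        self.feature_counts = defaultdict(Counter)  # (feature idx, label) -> value counts
        self.feature_values = defaultdict(set)      # feature idx -> values seen

    def fit(self, records):
        for values, label in records:
            self.class_counts[label] += 1
            for i, v in enumerate(values):
                self.feature_counts[(i, label)][v] += 1
                self.feature_values[i].add(v)
        return self

    def log_posterior(self, values):
        """log P(class) + sum_i log P(feature_i = value | class), unnormalised.
        The 'naive' assumption is that features are independent given the class."""
        total = sum(self.class_counts.values())
        out = {}
        for label, count in self.class_counts.items():
            lp = math.log(count / total)
            for i, v in enumerate(values):
                num = self.feature_counts[(i, label)][v] + self.alpha
                den = count + self.alpha * len(self.feature_values[i])
                lp += math.log(num / den)
            out[label] = lp
        return out

    def posterior(self, values):
        """Normalised class probabilities (computed in log space for stability)."""
        lp = self.log_posterior(values)
        m = max(lp.values())
        z = sum(math.exp(v - m) for v in lp.values())
        return {k: math.exp(v - m) / z for k, v in lp.items()}

    def predict(self, values):
        lp = self.log_posterior(values)
        return max(lp, key=lp.get)


if __name__ == "__main__":
    model = CategoricalNaiveBayes().fit(TRAINING)
    for event in (("off_hours", "hr_records", "high"),
                  ("work_hours", "shared_drive", "low"),
                  ("work_hours", "mail_server", "low")):   # unseen resource value
        print(dict(zip(FEATURES, event)), model.predict(event), model.posterior(event))
```

The last sample event carries a resource value absent from the training data; without smoothing its likelihood would be zero for both classes and the classifier would have nothing to decide on.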

When these modeling methods are used, the definition or scope of the behavior baseline is mostly determined statistically: the behavior features of a certain period are taken as the sample, and the distribution of the sample is studied to build the model that determines the baseline. Whether abnormal sample points are included in the sample is therefore a very important question. To deal with this, an "outlier detection" step is often added, and outliers are generally determined from the overall distribution of sample points, treating points that deviate from the majority as outliers. This inevitably removes some valid sample points, making the baseline inaccurate or even heavily biased.
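The following added example (not from the original article) shows the bias the paragraph warns about on constructed data: a user whose legitimate month-end exports are the only large values in the sample. Trimming by z-score against the whole sample removes exactly those points, so the resulting baseline flags the user's own known-good history. The volumes, the z-score cut-off and the 10% envelope margin are assumptions for the illustration.

```python
"""Effect of distribution-based outlier trimming on a baseline (added example)."""
from statistics import mean, pstdev

# Constructed: 30 days of outbound transfer volume (MB) for one fictional user.
# Days 10, 20 and 30 are legitimate month-end report exports.
DAILY_MB = [22, 25, 24, 27, 23, 26, 25, 24, 28, 150,
            23, 26, 22, 25, 27, 24, 26, 23, 25, 150,
            24, 27, 25, 22, 26, 24, 25, 28, 23, 150]


def z_scores(samples):
    mu, sigma = mean(samples), pstdev(samples)
    return [(x - mu) / sigma for x in samples]


def trim_by_zscore(samples, cutoff=2.0):
    """Drop every point more than `cutoff` standard deviations from the mean of
    the whole sample. This is the 'outlier detection' step the text describes:
    it removes rare-but-legitimate points along with any genuine anomalies."""
    return [x for x, z in zip(samples, z_scores(samples)) if abs(z) <= cutoff]


def envelope(samples, margin=0.10):
    """Baseline as the observed operating range widened by a relative margin."""
    return min(samples) * (1 - margin), max(samples) * (1 + margin)


def flagged(points, bounds):
    lo, hi = bounds
    return [x for x in points if x < lo or x > hi]


def compare_baselines(history, new_points, cutoff=2.0):
    """For a trimmed and an untrimmed baseline, report the bounds, how many of
    the baseline period's own (known-good) points each would flag, and which
    of the new points each flags."""
    trimmed = envelope(trim_by_zscore(history, cutoff))
    full = envelope(history)
    return {
        "trimmed": {"bounds": trimmed,
                    "fp_on_history": len(flagged(history, trimmed)),
                    "flagged_new": flagged(new_points, trimmed)},
        "untrimmed": {"bounds": full,
                      "fp_on_history": len(flagged(history, full)),
                      "flagged_new": flagged(new_points, full)},
    }


if __name__ == "__main__":
    for name, result in compare_baselines(DAILY_MB, [26, 150, 400]).items():
        print(name, result)
```

The trimmed baseline misreports the three legitimate exports as deviations while both baselines still catch the genuinely off-pattern 400 MB transfer; the trimming bought nothing and cost three false positives.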

In addition, most studies do not perform a sound control analysis and comparative analysis of user behavior: there is no stage-by-stage longitudinal comparison of the user's own behavior, and no horizontal comparison between the user under study and other users or the department's overall behavior. This makes it very likely that abnormal behavior is mistakenly defined as falling within the normal range, which seriously affects the accuracy of behavior baseline modeling.

3.2 Modeling Based on Machine Learning Methods

Commonly used machine learning methods include support vector machines (SVM), support vector data description (SVDD), gradient boosting decision trees (GBDT), singular value decomposition (SVD), and neural networks (NN). This paper focuses on the SVM and SVD algorithms.

(1) Overview of the SVM Algorithm

The basic model of a support vector machine (SVM) is to find the optimal separating hyperplane in feature space that maximizes the margin between positive and negative samples in the training set. SVM is a supervised learning algorithm for binary classification problems. With the introduction of kernel methods, SVM can also solve nonlinear problems. There are generally three kinds of SVM: hard-margin SVM, soft-margin SVM, and nonlinear SVM.

The SVM algorithm flowchart is shown in Figure 3.

Figure 3: SVM algorithm flowchart

(2) Overview of the SVD Algorithm

Singular value decomposition (SVD) is an important matrix factorization in linear algebra and generalizes the unitary diagonalization of normal matrices in matrix analysis. Beyond eigen-decomposition for dimensionality reduction, the SVD algorithm is used in recommender systems, natural language processing, and other fields, and is a cornerstone of many machine learning algorithms.

Shashanka used the SVD algorithm to analyze users' historical behavior and establish a user behavior baseline, then detected insider threats by computing an anomaly score for user behavior. This approach offers good theoretical guidance and is especially widely applicable when the dimensionality is high. However, the matrices produced by SVD are often hard to interpret: it is difficult to say exactly what they represent. Methods such as SVM, SVDD, and GBDT also have limitations when applied to behavior baseline research. Some earlier work used them to build behavior baselines from users' historical behavior, but the results were not ideal; in particular, stability was not analyzed specifically and the models were not further optimized, which greatly reduces the quality and effectiveness of baseline modeling. Of course, whichever method is used, the final result depends closely on the distribution and features of the data. One therefore cannot say that one algorithm is necessarily better than another; we can only choose the more suitable algorithm for the actual problem, but the model must then be further validated and optimized, or the modeling algorithm or method changed, to achieve better results.
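The following added example is not Shashanka's code and not part of the original article; it illustrates the kind of SVD-based baseline the paragraph refers to. Users are rows of a user-by-feature matrix, the matrix is approximated by its leading singular components, and the reconstruction error of each row serves as that user's anomaly score. The matrix, the feature names and the user names are constructed; the SVD is computed by power iteration with deflation, which is adequate for such a small dense matrix.

```python
"""SVD reconstruction error as a user anomaly score (added example)."""
import math

# Constructed user-by-feature matrix of weekly activity counts.
# Columns: logins, files read, files written, distinct hosts accessed.
USERS = ["alice", "bob", "carol", "dave", "erin", "mallory"]
ACTIVITY = [
    [20, 10, 5, 2],
    [40, 21, 10, 4],
    [30, 15, 8, 3],
    [60, 29, 15, 6],
    [50, 26, 12, 5],
    [22, 11, 5, 30],   # few logins but access to many hosts: off-pattern
]


def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]


def transpose(A):
    return [list(col) for col in zip(*A)]


def norm(v):
    return math.sqrt(sum(x * x for x in v))


def top_singular_triplets(A, k, iters=500):
    """Leading k singular triplets (sigma, u, v) of A by power iteration on
    A^T A followed by deflation. Fine for a small dense matrix like the one
    above; a production system would use a LAPACK-backed SVD routine."""
    A = [row[:] for row in A]
    m, n = len(A), len(A[0])
    triplets = []
    for _ in range(k):
        At = transpose(A)
        v = [1.0 + 0.01 * j for j in range(n)]   # deterministic start vector
        for _ in range(iters):
            w = matvec(At, matvec(A, v))
            nw = norm(w)
            if nw == 0.0:
                break
            v = [x / nw for x in w]
        Av = matvec(A, v)
        sigma = norm(Av)
        u = [x / sigma for x in Av] if sigma else [0.0] * m
        triplets.append((sigma, u, v))
        # Remove the captured component so the next pass finds the next one.
        A = [[A[i][j] - sigma * u[i] * v[j] for j in range(n)] for i in range(m)]
    return triplets


def reconstruct(triplets, m, n):
    """Rank-k approximation sum_i sigma_i * u_i * v_i^T."""
    R = [[0.0] * n for _ in range(m)]
    for sigma, u, v in triplets:
        for i in range(m):
            for j in range(n):
                R[i][j] += sigma * u[i] * v[j]
    return R


def reconstruction_errors(A, k):
    """Per-row Euclidean distance between A and its rank-k approximation.
    Rows the dominant behaviour pattern cannot explain get large errors."""
    m, n = len(A), len(A[0])
    R = reconstruct(top_singular_triplets(A, k), m, n)
    return [norm([a - r for a, r in zip(A[i], R[i])]) for i in range(m)]


def rank_users(users, A, k=1):
    """Users sorted from most to least anomalous by reconstruction error."""
    return sorted(zip(users, reconstruction_errors(A, k)), key=lambda t: -t[1])


if __name__ == "__main__":
    for user, err in rank_users(USERS, ACTIVITY, k=1):
        print(f"{user:8s} reconstruction error = {err:.2f}")
```

The interpretability problem the paragraph raises is visible here too: the leading singular vector is a weighted mix of all four columns, so the score says that a user is off-pattern but not which activity caused it; the per-column residual has to be inspected separately.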

4. Suggestions and Improvement Ideas for Insider Threat Behavior Baseline Modeling

Given the serious impact of insider threat behavior, this section examines the existing methods for establishing insider threat behavior baseline models, identifies the characteristics and shortcomings of the main methods, and, combined with the author's further research and analysis of insider threat behavior, puts forward the following three suggestions and implementation ideas.

4.1 The Assumptions of Insider Threat Behavior Baseline Modeling Need Targeted Improvement

Any model needs to make reasonable assumptions; they are the model's premise and foundation. How reasonable and scientific the assumptions are directly determines the strengths, weaknesses, and applicability of the whole model.

Establishing an insider threat behavior baseline requires a specific application scenario: its characteristics must be analyzed and corresponding assumptions made so that a more reasonable model can be built. Before modeling the five insider threats above, more suitable assumptions are proposed for each in light of its application scenario.

For the first two insider threats, "non-responders" and "negligent insider behavior", if the assumptions consider only the relative stability of the insider's historical behavior, it is easy to establish an overly broad baseline and overlook their abnormal behavior. It is therefore recommended to combine users with the related entities in order to make more reasonable assumptions. The third insider threat, internal-external collusion by organization employees, is highly covert, so assumptions about horizontal and longitudinal comparison need to be added when modeling its behavior baseline. For the fourth insider threat, "persistent malicious behavior", in addition to in-depth analysis of users and entities, a differentiation assumption is needed: the behavior distribution is subdivided by time period. For the fifth insider threat, "disgruntled employees", assumptions about the user's individual behavior need to be added.

In practice we do not know in advance what kind of insider threat we face, so before establishing the model we need to combine the approaches above, take the actual scenario and its changes into account, and make further scientific and reasonable assumptions, laying the foundation for a better model.

4.2 Baseline Modeling Should Add Control Analysis and Comparative Analysis of Users' Historical Behavior

When establishing a baseline for user behavior, the history should be processed in stages. For example, user AN's behavior over the most recent three months must be compared with the preceding three months, those three months should in turn be compared with the three months before them, and so on. Only in this way can user AN's "frequent behavior" be prevented from being misjudged as normal. Of course, "three months" here is only an assumed figure; the specific period should vary with the scenario, the behavior, and the objective.

The above is the control analysis against the user's own past behavior. In addition, the user's behavior should be compared horizontally, for example with the behavior of colleagues in the same department or business line. This helps to capture the true trajectory of the user's historical behavior more reasonably, and to establish the lower bound of their "non-abnormal behavior" more scientifically.
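The following added example (not from the original article) implements both comparisons of this subsection on constructed monthly activity counts: a stage-wise comparison of each three-month window against the previous one, and a horizontal comparison of the user's latest window against colleagues in the same department. It also shows the single-window baseline the text criticises accepting the same history as normal. The window length, the user, the peers and the thresholds are assumptions for the illustration.

```python
"""Stage-wise and peer comparison of user activity (added example)."""
from statistics import mean, pstdev

# Constructed monthly download counts, oldest first, 12 months per person.
# USER_AN doubles its activity every quarter; the peers are flat.
USER_AN = [10, 11, 10, 20, 22, 21, 40, 41, 42, 80, 85, 82]
DEPARTMENT_PEERS = {
    "peer_1": [10, 12, 11, 11, 10, 12, 11, 12, 10, 11, 12, 11],
    "peer_2": [13, 14, 15, 14, 13, 14, 15, 13, 14, 14, 13, 15],
    "peer_3": [9, 10, 9, 10, 9, 10, 9, 11, 10, 9, 10, 9],
    "peer_4": [12, 13, 12, 12, 13, 12, 13, 12, 12, 12, 12, 13],
    "peer_5": [11, 10, 10, 11, 10, 11, 10, 10, 11, 10, 11, 10],
}


def windows(series, size):
    """Consecutive non-overlapping windows of `size` observations, oldest
    first; a trailing partial window is dropped."""
    full = len(series) - len(series) % size
    return [series[i:i + size] for i in range(0, full, size)]


def stage_means(series, size):
    return [mean(w) for w in windows(series, size)]


def longitudinal_ratios(series, size):
    """Each window's mean divided by the previous window's mean: the
    stage-by-stage comparison the text asks for."""
    m = stage_means(series, size)
    return [cur / prev if prev else float("inf") for prev, cur in zip(m, m[1:])]


def sustained_ramp(series, size, growth=1.5, stages=2):
    """True when the last `stages` stage-over-stage ratios all exceed `growth`,
    i.e. the behaviour has kept escalating rather than settling at a level."""
    r = longitudinal_ratios(series, size)
    return len(r) >= stages and all(x > growth for x in r[-stages:])


def peer_zscore(user_series, peer_series, size):
    """Horizontal comparison: z-score of the user's latest-window mean against
    the latest-window means of peers in the same department."""
    user_latest = stage_means(user_series, size)[-1]
    peers_latest = [stage_means(p, size)[-1] for p in peer_series]
    mu, sigma = mean(peers_latest), pstdev(peers_latest)
    return (user_latest - mu) / sigma if sigma else float("inf")


def naive_within_own_history(series, k=2.0):
    """The single-window baseline the text criticises: the latest month is
    judged only against the mean and spread of the user's whole history."""
    history = series[:-1]
    mu, sigma = mean(history), pstdev(history)
    return abs(series[-1] - mu) <= k * sigma


if __name__ == "__main__":
    peers = list(DEPARTMENT_PEERS.values())
    print("stage means:", [round(m, 1) for m in stage_means(USER_AN, 3)])
    print("stage ratios:", [round(r, 2) for r in longitudinal_ratios(USER_AN, 3)])
    print("sustained ramp:", sustained_ramp(USER_AN, 3))
    print("peer z-score:", round(peer_zscore(USER_AN, peers, 3), 1))
    print("accepted by single-window baseline:", naive_within_own_history(USER_AN))
```

The escalating history inflates the single-window spread enough that the latest month sits inside two standard deviations and passes as normal; the stage-wise ratios (about 2.0 each quarter) and the peer comparison both expose it.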

It should be noted that how to compare more reasonably, in both the control analysis and the comparative analysis, is an important question for our next step of attention and exploration.

4.3 Behavior Baseline Modeling Needs Further Optimization and Robustness Analysis

In most behavior baseline models for insider threats in use today, model optimization after modeling is inadequate; often only a simple application test is performed once baseline modeling is complete. The applicability and practicality of the model are not explored further.

For these reasons we recommend further optimizing the model, with the optimization criteria adjusted to the actual scenario. When studying and analyzing a user's specific behavior, a more scientific model should be built on the basis of the reasonable assumptions discussed above. Once the model has been solved, it must be fed back to the actual problem for further analysis and optimization until its applicability and practicality meet the objective requirements.

We also recommend adding a robustness analysis of the model. A behavior baseline model is built for a corresponding scenario. Whether the model still applies and still describes behavior accurately when the scenario fluctuates within a reasonable range or the corresponding thresholds change is therefore an important question to which we should pay attention. We must strengthen the robustness analysis of the model and adjust and optimize it against the criterion that the model should remain applicable to moderately changing scenarios, so as to establish a scientific and reasonable behavior baseline.
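As an added example that is not part of the original article, the following Python code performs a simple robustness check of the kind this subsection recommends: a set of constructed anomaly scores is flagged against a threshold, the threshold is then moved within ±10% and the input scores are scaled to mimic a moderately changing scenario, and the fraction of decisions that flip is reported. The scores, the threshold and the perturbation range are assumptions.

```python
"""Threshold and scenario perturbation check for a baseline (added example)."""

# Constructed anomaly scores for twelve events, and the cut-off in use.
SCORES = [0.2, 0.3, 0.35, 0.5, 0.55, 0.62, 0.68, 0.72, 0.8, 0.95, 1.4, 2.1]
THRESHOLD = 0.7


def decisions(scores, threshold):
    """Flag every event whose score exceeds the threshold."""
    return [s > threshold for s in scores]


def threshold_flip_rate(scores, threshold, rel=0.10, steps=5):
    """Fraction of events whose flag changes when the threshold is moved by up
    to ±rel (checked at `steps` evenly spaced offsets on each side). 0.0 means
    every decision survives the perturbation."""
    base = decisions(scores, threshold)
    unstable = [False] * len(scores)
    for i in range(1, steps + 1):
        delta = rel * i / steps
        for t in (threshold * (1 - delta), threshold * (1 + delta)):
            for j, d in enumerate(decisions(scores, t)):
                if d != base[j]:
                    unstable[j] = True
    return sum(unstable) / len(scores)


def scenario_flip_rate(scores, threshold, scales=(0.9, 1.1)):
    """Fraction of events whose flag changes when all scores are scaled, which
    stands in for a moderate shift in the scenario (overall activity rising or
    falling) while the threshold is left where it was."""
    base = decisions(scores, threshold)
    unstable = [False] * len(scores)
    for scale in scales:
        for j, d in enumerate(decisions([s * scale for s in scores], threshold)):
            if d != base[j]:
                unstable[j] = True
    return sum(unstable) / len(scores)


def sensitive_events(scores, threshold, rel=0.10):
    """Events whose score lies inside the perturbation band around the
    threshold: the decisions the model cannot be trusted to make on its own."""
    lo, hi = threshold * (1 - rel), threshold * (1 + rel)
    return [s for s in scores if lo <= s <= hi]


def robustness_report(scores, threshold, rel=0.10):
    return {
        "flagged": sum(decisions(scores, threshold)),
        "threshold_flip_rate": threshold_flip_rate(scores, threshold, rel),
        "scenario_flip_rate": scenario_flip_rate(scores, threshold, (1 - rel, 1 + rel)),
        "sensitive": sensitive_events(scores, threshold, rel),
    }


if __name__ == "__main__":
    for key, value in robustness_report(SCORES, THRESHOLD).items():
        print(f"{key}: {value}")
```

A flip rate near zero means the baseline's verdicts do not hinge on the exact threshold or on small drifts in the scenario; the events listed as sensitive are the ones worth routing to an analyst rather than auto-closing or auto-escalating.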

4.4 Implementation Path of the Improved Insider Threat Behavior Baseline Modeling

In summary, the implementation path for improved insider threat behavior baseline modeling is shown in Figure 5.

Figure 5: Implementation path of the improved insider threat behavior baseline modeling

5. Conclusion and Outlook

In view of the current state of behavior baseline modeling for insider threats, this paper has put forward suggestions and improvements, including the construction of assumptions before modeling, control analysis of a user's historical behavior, comparative analysis against other users or the department's overall behavior, and model optimization and robustness analysis. These provide theoretical guidance for establishing more reasonable insider threat behavior baseline models, and offer ideas and methods for further improving the ability to identify abnormal behavior and discover insider threats.

Next, according to the characteristics of insider threats in different scenarios and combined with scientific modeling methods, a more reasonable behavior baseline model will be established to support the response to and prevention of insider threats.

References

[1] Blue Paper Series on Advanced Network Security Technologies and Application Development: User and Entity Behavior Analytics (UEBA), 2020.

[2] Shashanka M, Shen M Y, Wang J. User and entity behavior analytics for enterprise security[C] // 2016 IEEE International Conference on Big Data (Big Data). IEEE, 2016.

[3] Salitin M A, Zolait A H. The role of User Entity Behavior Analytics to detect network attacks in real time[C] // 2018 International Conference on Innovation and Intelligence for Informatics, Computing, and Technologies (3ICT). IEEE, 2018: 1-5.

[4] Lukashin A, Popov M, Bolshakov A, et al. Scalable Data Processing Approach and Anomaly Detection Method for User and Entity Behavior Analytics Platform[C] // International Symposium on Intelligent and Distributed Computing. Springer, Cham, 2019: 344-349.

[5] Cyber security Insiders and Crowd Research Partners. Insider threat 2018[R], 2018.

[6] Hunker J, Probst C W. Insiders and Insider Threats: An Overview of Definitions and Mitigation Techniques[J]. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, 2011, 2(1): 4-27.

[7] Liu Haowei. An insider threat detection system based on user and entity behavior analysis[J]. Journal of Physics: Conference Series, 2021, 1994(1).

[8] Insider threat programmes: Time to hit restart[J]. Cyber Security: A Peer-Reviewed Journal, 2021, 4(3).

Original: https://www.cnblogs.com/dhcn/p/16454362.html
Author: 辉–
Title: Suggestions and Improvement Ideas for Behavior Baseline Modeling of Insider Threats
