Enterprise internal user abnormal behavior detection method and device

An internal-user abnormal behavior detection technology, applied in the field of network security, that addresses the problems of ignored user behavior details, excessive dependence on manual work for determining and extracting user behavior features, and methods that do not work in the field of insider threat detection, so as to solve the lack of detail.

Active Publication Date: 2018-11-23
PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU +2
Cites: 8. Cited by: 51.

AI Technical Summary

Problems solved by technology

[0006] 1. The determination and extraction of user behavior features relies too heavily on manual work, and the extracted features are mostly simple statistics that ignore a large amount of user behavior detail.
[0007] 2. The method of labeling user behavior portraits that is currently popular on the Internet performs statistics and analysis on basic data such as website visits and discovers the patterns of user visits from it. This type of method is suitable for business operations and business recommendations, but it does not work in the field of insider threat detection.


Examples

Embodiment 1

[0063] As shown in Figure 1, a method for detecting abnormal behavior of an enterprise internal user according to the present invention includes the following steps:

[0064] Step S101: Divide the historical behavior log data of internal users in the enterprise into different data streams according to the user ID, apply behavior-specific processing when parsing the historical behavior log data corresponding to different behaviors, and parse each piece of historical behavior log data into a five-tuple.

[0065] Step S102: Build an index over the parsed historical behavior log data and store it in the full-text search engine database as the basic data for the initial search. When new behavior log data is received, search on the five-tuple corresponding to the new behavior log data to extract the corresponding behavior detail information, retrieve the frequency and time node information of each piece of behavior detail information in the historical behavior, complete the ...
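
A minimal sketch of steps S101 and S102, added here as an illustration and not taken from the patent. The five-tuple fields, the pipe-delimited log formats and the in-memory index standing in for the full-text search engine are all assumptions, and the sample logs are constructed.

```python
from collections import defaultdict, namedtuple
from datetime import datetime

# Assumed five-tuple layout; the page does not name the five fields.
Event = namedtuple("Event", "time user host behavior detail")

# S101: behavior-specific handling of the trailing fields (constructed formats).
DETAIL = {
    "logon": lambda rest: rest[0],                 # Logon / Logoff
    "file": lambda rest: rest[1] + ":" + rest[0],  # operation:filename
}

def parse(line):
    kind, ts, user, host, *rest = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, host, kind, DETAIL[kind](rest))

def terms(ev):
    return [f"host={ev.host}", f"behavior={ev.behavior}", f"detail={ev.detail}"]

class BehaviorIndex:
    """In-memory stand-in for the full-text search engine database."""
    def __init__(self):
        # user ID -> detail term -> timestamps at which the term occurred
        self.streams = defaultdict(lambda: defaultdict(list))

    def add(self, ev):
        for term in terms(ev):
            self.streams[ev.user][term].append(ev.time)

    def lookup(self, ev):
        """S102: frequency and time nodes of each detail in this user's history."""
        history = self.streams.get(ev.user, {})
        return {t: {"frequency": len(history.get(t, [])),
                    "hours": sorted({ts.hour for ts in history.get(t, [])})}
                for t in terms(ev)}

# Constructed sample logs, not taken from the patent.
HISTORY = [
    "logon|2018-03-01T08:55:00|u1001|PC-17|Logon",
    "file|2018-03-01T09:20:00|u1001|PC-17|report.docx|open",
    "logon|2018-03-02T08:50:00|u1001|PC-17|Logon",
    "logon|2018-03-02T09:10:00|u2002|PC-40|Logon",
]
NEW_EVENT = "logon|2018-03-03T02:14:00|u1001|PC-40|Logon"

def demo():
    index = BehaviorIndex()
    for line in HISTORY:
        index.add(parse(line))
    return index.lookup(parse(NEW_EVENT))
```

Because each user ID has its own stream, the logon by u2002 on PC-40 does not count toward u1001's history, so the new event's host has frequency 0 for u1001 while the logon behavior itself has only been seen at hour 8.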

Embodiment 2

[0069] Another method for detecting abnormal behavior of enterprise internal users according to the present invention includes the following steps:

[0070] Step S201: Divide the historical behavior log data of internal users in the enterprise into different data streams according to the user ID, apply behavior-specific processing when parsing the historical behavior log data corresponding to different behaviors, and parse each piece of historical behavior log data into a five-tuple;

[0071] In order to ensure that legitimate users can effectively access protected resources, prevent unauthorized access by illegal users, and retain user behavior records for violation investigation, log analysis and auditing have become important means to protect enterprise information security and monitor internal user behavior compliance. In the audit system, various sensors deployed in the enterprise will continuously record user operation behaviors, generate relevant logs, and store them in...

Embodiment 3

[0109] As shown in Figure 6, a device for detecting abnormal behavior of enterprise internal users according to the present invention includes:

[0110] The behavior log acquisition and preprocessing module 301, used to divide the historical behavior log data of the internal users of the enterprise into different data streams according to the user ID, apply behavior-specific processing when parsing the historical behavior log data corresponding to different behaviors, and parse each piece of historical behavior log data into a five-tuple;

[0111] The behavior detail modeling module 302, used to build an index over the parsed historical behavior log data and store it in the full-text search engine database as the basic data for the initial search; when new behavior log data is received, it searches on the five-tuple corresponding to the new behavior log data to extract the corresponding behavior details, retrieves the frequency and time node information of each ...

Abstract

The invention relates to the technical field of network security, and in particular discloses a method and a device for detecting abnormal behavior of enterprise internal users. The device comprises a behavior log acquisition and preprocessing module, a behavior detail modeling module, a service state transfer prediction module and a malicious behavior score discrimination module. The method and device use an unsupervised machine learning method and build a user behavior model by making full use of the unlabeled historical behavior log data in an enterprise, which increases the accuracy of abnormal behavior detection, decreases the false alarm rate and the missed detection rate, and provides an effective means of detecting enterprise internal threats.

Description

Technical field

[0001] The invention relates to the technical field of network security, in particular to a method and a device for detecting abnormal behavior of users within an enterprise.

Background

[0002] The losses caused by deliberate sabotage or unintentional dereliction of duty by internal users account for an increasing proportion of global enterprises' losses every year, and internal threats have increasingly become the focus of enterprise security concerns. The attackers come from within the enterprise, and attacks often occur during working hours. Malicious behavior is embedded in a large amount of normal data, which increases the difficulty of data mining and analysis. At the same time, attackers often have relevant knowledge of the organization's security defense mechanisms and can take measures to evade security detection. However, there are various attack modes of insider threats, it is costly and difficult to obtain attack samples, the workload of manual determi...

Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, G06K9/62, G06F17/30
CPC: H04L63/1425, G06F18/23213, G06F18/2411, G06F18/295
Inventor: 郭渊博, 刘春辉, 孔菁, 朱智强, 常朝稳, 李亚东, 段刚
Owner: PLA STRATEGIC SUPPORT FORCE INFORMATION ENG UNIV PLA SSF IEU