[1] WANG Peichao, ZHOU Yun, ZHU Cheng, et al. Analysis on abnormal behavior of insider threats based on access log mining[J]. CAAI Transactions on Intelligent Systems, 2017, 12(06): 781-789. [doi:10.11992/tis.201706041]

Analysis on abnormal behavior of insider threats based on access log mining

CAAI Transactions on Intelligent Systems [ISSN: 1673-4785 / CN: 23-1538/TP]

Volume:
Vol. 12
Issue:
2017, No. 06
Pages:
781-789
Column:
Publication date:
2017-12-25

Article Info

Title:
Analysis on abnormal behavior of insider threats based on access log mining
Author(s):
WANG Peichao, ZHOU Yun, ZHU Cheng, HUANG Jincai, ZHANG Weiming
Key Laboratory of Information System Engineering, National University of Defense Technology, Changsha 410072, China
Keywords:
access control system; access log mining; insider threat detection; analysis on abnormal behavior
CLC number:
TP311
DOI:
10.11992/tis.201706041
Abstract:
Using an access control system is an important method of guarding key places, and it can effectively prohibit the entry of unauthorized users. However, many recent cases indicate that threats to key places mostly come from insiders who hold legitimate credentials. To address this challenge, this paper proposes a method for analyzing the abnormal behavior of insider threats based on access log data mining. First, the PrefixSpan algorithm is used to extract normal behavior sequences; then, the anomaly scores of the access sequences to be checked are calculated. Finally, the abnormal sequences are identified according to a threshold determined by decision makers. Experiments on real access data show that this method can decrease the high false alarm rates caused by exact matching when there is limited data and can also effectively reveal abnormal behavior by insiders. Therefore, this method provides a new approach for enhancing the protection of key places.
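An added example, not the paper's code, of the pipeline the abstract describes: a minimal PrefixSpan mines frequent door-access subsequences from constructed per-day badge sequences, a sequence under inspection is scored against those patterns, and a decision-maker threshold turns the score into an alarm. The door names, the data and the score formula (1 minus the share of the sequence covered by the longest frequent pattern it contains) are assumptions, since the page does not give the paper's formula; the exact-match baseline is included only to show the false alarm the abstract mentions on an unseen but ordinary sequence.

```python
"""Added example (not the paper's code): minimal PrefixSpan over constructed
door-access sequences, then a subsequence-based anomaly score and threshold."""
from collections import defaultdict

# Constructed sample: one tuple per employee-day, items are badge-reader IDs.
NORMAL_LOGS = [
    ("gate", "lobby", "office", "canteen", "office", "gate"),
    ("gate", "lobby", "office", "gate"),
    ("gate", "lobby", "office", "lab", "office", "gate"),
    ("gate", "lobby", "canteen", "office", "gate"),
    ("gate", "lobby", "office", "canteen", "office", "lab", "gate"),
    ("gate", "lobby", "lab", "office", "gate"),
]

def prefixspan(sequences, min_support, prefix=()):
    """Return {pattern: support} for every subsequence found in at least
    min_support sequences, by prefix-projected growth (one event per step)."""
    counts = defaultdict(int)
    for seq in sequences:
        for item in set(seq):
            counts[item] += 1
    patterns = {}
    for item, support in counts.items():
        if support < min_support:
            continue
        grown = prefix + (item,)
        patterns[grown] = support
        # Projected database: the suffix after the first occurrence of item.
        projected = [seq[seq.index(item) + 1:] for seq in sequences if item in seq]
        patterns.update(prefixspan([s for s in projected if s], min_support, grown))
    return patterns

def is_subsequence(pattern, seq):
    it = iter(seq)
    return all(any(x == p for x in it) for p in pattern)

def anomaly_score(seq, patterns):
    """Assumed score (the page does not give the paper's formula): 1 minus the
    share of seq covered by the longest frequent pattern it contains."""
    longest = max((len(p) for p in patterns if is_subsequence(p, seq)), default=0)
    return 1.0 - longest / len(seq) if seq else 1.0

def detect(seq, patterns, threshold):
    """Raise an alarm when the score exceeds the decision maker's threshold."""
    return anomaly_score(seq, patterns) > threshold

def exact_match_flag(seq, normal_logs):
    """Exact-match baseline: any sequence never seen verbatim is an alarm."""
    return seq not in normal_logs
```

With `min_support=3` and a threshold of 0.4, an unseen but ordinary day such as gate, lobby, canteen, office, lab, office, gate scores about 0.29 and passes, while the exact-match baseline flags it; a day that visits server_room and archive instead of the usual rooms scores 0.5 and is flagged by both.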


Memo:
Received: 2017-06-10; revised date not given.
Funding: National Natural Science Foundation of China (71571186); Ministry of Education Online Education Research Fund (2017YB119).
About the authors: WANG Peichao, male, born 1993, master's student; his research interest is cyberspace data mining; he has participated in one National Natural Science Foundation of China general program project and one Ministry of Education online education research fund project. ZHOU Yun, male, born 1987, lecturer, PhD; his research interests are machine learning, Bayesian network learning and its applications, and security behavior analysis in cyberspace; he has published 10 academic papers. ZHU Cheng, male, born 1976, research fellow, doctoral supervisor, PhD, Secretary-General of the C4ISR Technology Committee of the Chinese Institute of Command and Control; his research interests are command and control and intelligent decision-making; he has led 3 National Natural Science Foundation of China projects and 2 National 863 Program projects, served as deputy chief technical designer on several key national defense model projects, and received 3 military science and technology awards; he has published more than 30 academic papers and co-authored 3 textbooks.
Corresponding author: ZHOU Yun. E-mail: zhouyun@nudt.edu.cn.
Last update: 2018-01-03