WANG Peichao,ZHOU Yun,ZHU Cheng,et al.Analysis on abnormal behavior of insider threats based on accesslog mining[J].CAAI Transactions on Intelligent Systems,2017,12(06):781-789.[doi:10.11992/tis.201706041]





Analysis on abnormal behavior of insider threats based on accesslog mining
王培超 周鋆 朱承 黄金才 张维明
国防科技大学 信息系统工程重点实验室, 湖南 长沙 410072
WANG Peichao ZHOU Yun ZHU Cheng HUANG Jincai ZHANG Weiming
Key Laboratory of Information System Engineering, National University of Defense Technology, Changsha 410072, China
access control systemaccesslog mininginsider threat detectionanalysis on abnormal behavior
Using an access control system is an important method of guarding key places, and it can effectively prohibit the entry of unauthorized users. However, many recent cases indicate that threats to key places mostly come from insiders. To address this challenge, this paper proposes a method for analyzing the abnormal behavior of insider threats based on accesslog data mining. First, the PrefixSpan algorithm is used to extract normal behavior sequences; then, the anomaly scores of the access sequences are calculated. Finally, the abnormal sequences are identified according to a threshold determined by decision makers. Experiments on real access data show that this method can decrease high false alarm rates caused by an exact match when there is limited data and can also effectively reveal abnormal behavior by insiders. Therefore, this method provides a new approach for enhancing the protection of key places.


[1] 杨荣秀. 基于指纹识别技术的智能小区门禁系统的设计[J]. 科技与企业, 2016(5): 88-90.
YANG Xiurong. Design of intelligent community access control system based on fingerprint identification technique[J]. Technology and enterprise, 2016(5): 88-90.
[2] 李海青, 孙哲南, 谭铁牛, 等. 虹膜识别技术进展与发展趋势[J]. 信息安全研究, 2016, 2(1): 40-43.
LI Haiqing, SUN Zhenan, TAN Tieniu, et al. Progress and trends in iris recognition[J]. Journal of information security research, 2016, 2(1): 40-43.
[3] FERRAIOLO D F, KUHN R. Role based access control[C]//Proceedings of the 15th NIST-NCSC National Computer Security Conference. Baltimore, Maryland, 1992: 554-563.
[4] MATT B, SOPHIE E, SEAN P, et al. We have met the enemy and he is us[C]//New Security Paradigms Workshop. Lake Tahoe, USA, 2008: 1-11.
[5] JIAN Pei, HAN Jiawei, BEHZAD M, et al. PrefixSpan: mining sequential patterns efficiently by prefix-projected pattern growth[C]//20th International Council for Open and Distance Education World Conference on Open Learning and Distance Education. Heidelberg, Germany, 2001: 215-224.
[6] ANTONIO L, SIMON F, ZHUNAG Yan. A logical model for detecting irregular actions in physical access[C]// IEEE conference on database and expert systems applications. [S.l.], 2007: 560-564.
[7] DAVIS M, LIU W, MILLER P, et al. Detecting anomalise in graphs with numeric labels[C]//ACM Conference on Information and Knowledge Management. Glasgow, United Kingdom, 2011: 1197-1202.
[8] GOKHAN K, DUC L, TING X, et al. Ettu: analyzing query intents in corporate databases[C]//Proceedings of the 25th International Conference Companion on World Wide Web. Montreal, Canada, 2016: 463-466.
[9] TABISH R, IOANNIS A, JASON R. A new take on detecting insider threats: exploring the use of hidden markov models[C]//Proceedings of the 22nd International Conference on Intelligent User Interfaces Companion. Limassol, Cyprus, 2016: 47-56.
[10] TED E S, DAVID A B, THOMAS G D, et al. Detecting insider threats in a real corporate database of computer usage activity[C]//Proceedings of the 19th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. Chicago, USA, 2013: 1393-1401.
[11] 王怀宝, 郭江利. 基于跟踪轨迹的徘徊行为分析[J]. 计算机与数字工程, 2016, 44(5): 843-846.
WANG Huaibao, GUO Jiangli. Wandering behavior analysis based on trajectory[J]. Computer and digital engineering, 2016, 44(5): 843-846.
[12] 邹一波, 陈一民. 基于运动标签的异常行为检测算法[J]. 计算机应用与软件, 2015, 5: 238-240, 266.
ZOU Yibo, CHEN Yimin. Anomalous behaviors detection algorithm based on motion label[J]. Computer applications and software, 2015, 5: 238-240, 266.
[13] HAN Jiawei, MICHELINE K, PEI Jian. Data mining concepts and techniques[M]. 3版. 北京: 机械工业出版社: 2016: 355-356.
[14] BOSTJAN K, ERIK D, TEA T, et al. A probabilistic risk analysis for multimodal entry control[J]. Expert systems with applications, 2011, 38(6): 6696-6704.
[15] MICHAEL D, WEIRU L, PAUL M. Detecting anomalies in graphs with numeric labels[J]. ACM conference on information and knowledge management, 2011(10): 1197-1202.
[16] 胡向东, 韩恺敏, 许宏如. 智能家居物联网的安全性设计与验证[J]. 重庆邮电大学学报:自然科学版, 2016, 26(2): 171-176.
HU Xiangdong, Han Kaimin, XU Hongru. Design and implementation of security-focused intelligent household Internet of things[J]. Journal of Chongqing university of posts and telecommunications: natural science edition, 2016, 26(2): 171-176.
[17] 胡向东, 唐飞. 智能家居门禁系统的安全控制方法[J]. 重庆邮电大学学报:自然科学版, 2016, 28(6): 863-869.
HU Xiangdong, TANG Fei. Secure control methods of the entrance guard system for smart home[J]. Journal of Chongqing university of posts and telecommunications: natural science edition, 2016, 28(6): 863-869.
[18] 王菲. 数据挖掘在图书馆用户行为分析上的应用研究[D]. 上海: 上海交通大学, 2013: 26-49.
WANG Fei. Data mining applied in the library user behavior analysis[D]. Shanghai: Shanghai Jiao Tong University, 2013: 26-49.
[19] 郑伟平, 言专艺, 唐晓红. 电子门禁数据挖掘与应用方法[J]. 警察技术, 2015, 6: 47-50.
ZHENG Weiping, YAN Zhuanyi, TANG Xiaohong. Access control data mining and application methods[J]. Police technology, 2015, 6: 47-50.
[20] 史殿习, 李寒, 杨若松, 等. 用户日常频繁行为模式挖掘[J]. 国防科技大学学报, 2017, 39(1): 74-80.
SHI Dianxi, LI Han, YANG Ruosong, et al. Mining user frequent behavior patterns in daily life[J]. Journal of national university of defense technology, 2017, 39(1): 74-80.
[21] 顾兆军, 安一然, 刘飞. 基于航站楼门禁日志挖掘的物理入侵检测技术[J]. 计算机应用与软件, 2015, 32(11): 317-320, 324.
GU Zhaojun, AN Yiran, LIU Fei. Physical intrusion detection technology based on terminal buildings access log mining[J]. Computer applications and software, 2015, 32(11): 317-320, 324.
[22] 陈卓, 杨炳儒, 宋威, 等. 序列模式挖掘综述[J]. 计算机应用研究, 2008, 25(7): 1960-1964.
CHEN Zhuo, YANG Bingru, SONG Wei, et al. Survey of sequential pattern mining[J]. Application research of computers, 2008, 25(7): 1960-1964.
[23] HAN Jiawei, PEI Jian, BEHZAD M, et al. FreeSpan: frequent pattern-projected sequential pattern mining[C]//Proceedings of the 6th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining. New York, USA, 2000: 355-359.


更新日期/Last Update: 2018-01-03