Institute of High Energy Physics, Chinese Academy of Sciences, 19B Yuquan Road, Shijingshan District, Beijing 100049, China.
Sensors (Basel). 2022 Aug 28;22(17):6471. doi: 10.3390/s22176471.
With the wide application of Internet of Things (IoT) devices in enterprises, traditional perimeter defense mechanisms struggle to meet the demands of insider threat detection. Insider threat detection in IoT environments is particularly challenging, since internal employees inherently have the ability to bypass deployed information security mechanisms such as firewalls and endpoint protection. To detect internal attacks more accurately, users' web browsing behavior can be analyzed to identify abnormal users. Existing web browsing behavior anomaly detection methods ignore both the dynamic change of the target user's web browsing behavior and the behavioral consistency of the target user within its peer group, which results in a complex modeling process, low system efficiency and low detection accuracy. Therefore, this paper proposes an individual user behavior model and a peer-group behavior model, respectively, to characterize abnormal dynamic changes in a user's browsing behavior and to compare mutual behavioral inconsistency within one peer group. Furthermore, a fusion model for insider threat detection is presented that simultaneously considers an individual's abnormal behavioral dynamic changes and the mutual behavioral dynamic inconsistency among peers. The experimental results show that the proposed fusion model can accurately detect insider threats based on abnormal user web browsing behavior in enterprise networks.
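As an added illustration, not the paper's model or code, the following Python sketch scores each user by the change of their own browsing-category profile between two time windows (individual dynamic change) and by their distance from their peer group's profile in the current window (peer inconsistency), then fuses the two scores. The event data, the use of cosine distance, the weighted-sum fusion and the threshold are all assumptions chosen for this example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample events: (time window, user, peer group, URL category).
# In window w2 alice drifts from her own history and from her engineering peers.
EVENTS = [
    ("w1", "alice", "eng", "code"), ("w1", "alice", "eng", "docs"), ("w1", "alice", "eng", "code"),
    ("w1", "bob", "eng", "code"), ("w1", "bob", "eng", "docs"),
    ("w1", "carol", "eng", "docs"), ("w1", "carol", "eng", "code"),
    ("w2", "alice", "eng", "hr_portal"), ("w2", "alice", "eng", "file_share"), ("w2", "alice", "eng", "file_share"),
    ("w2", "bob", "eng", "code"), ("w2", "bob", "eng", "docs"),
    ("w2", "carol", "eng", "code"), ("w2", "carol", "eng", "docs"),
]

def profiles(events):
    """Build per-window, per-user category frequency vectors and a user->group map."""
    prof = defaultdict(lambda: defaultdict(Counter))
    groups = {}
    for window, user, group, category in events:
        prof[window][user][category] += 1
        groups[user] = group
    return prof, groups

def cosine_distance(a, b):
    """1 - cosine similarity of two sparse count vectors; 1.0 if either is empty."""
    dot = sum(a.get(k, 0) * b.get(k, 0) for k in set(a) | set(b))
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return 1.0 if na == 0 or nb == 0 else 1.0 - dot / (na * nb)

def individual_score(prof, user, prev_w, cur_w):
    """Individual model (assumed): how far the user's own profile moved between windows."""
    return cosine_distance(prof[prev_w].get(user, {}), prof[cur_w].get(user, {}))

def peer_score(prof, groups, user, window):
    """Peer-group model (assumed): distance from the summed profile of the user's peers."""
    peers = [u for u, g in groups.items() if g == groups[user] and u != user and u in prof[window]]
    peer_profile = Counter()
    for u in peers:
        peer_profile.update(prof[window][u])
    return cosine_distance(prof[window].get(user, {}), peer_profile)

def fused_scores(events, prev_w, cur_w, alpha=0.5):
    """Fusion (assumed): weighted sum of the individual and peer-group scores per user."""
    prof, groups = profiles(events)
    return {u: alpha * individual_score(prof, u, prev_w, cur_w)
               + (1 - alpha) * peer_score(prof, groups, u, cur_w)
            for u in prof[cur_w]}

def flag_users(scores, threshold=0.5):
    """Users whose fused score reaches the (assumed) alerting threshold, sorted by name."""
    return sorted(u for u, s in scores.items() if s >= threshold)
```

Running `flag_users(fused_scores(EVENTS, "w1", "w2"))` flags only alice: her profile changed completely between windows and matches none of her peers, while bob and carol score low on both components.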