Rui Wen,Jianyu Wang,Chunming Wu,Jian Xiong

DOI: https://doi.org/10.1145/3366424.3391266

2020-01-01

Abstract:Given a large graph with millions of vertices and different types, how can we spot anomalies and find potential adversaries in time? Most graph-based fraud detection algorithms focus on finding dense blocks, discovering local subgraphs, designing belief propagation, and latent factor models. However, as fraudsters in online social networks gradually become adversarial, distributed, and invisible, it is easy for them to evade traditional detection methods. Even worse, existing detection systems are fragile to the new attacks. Once attackers update their tragedies, they will be inefficient. Our focus is to detect potential adversaries as soon as possible. We design and propose ASA (Adversary Situation Awareness), a system that (a) uncovers potential adversaries in time, (b) utilizes heterogeneous information in the graph, and (c)is effective in real-world data. We do experiments on a heterogeneous graph including 198,541 nodes with five types and 224,384 edges. The result shows that ASA can spot potential adversaries and successfully recovers 60 of potential abnormal users within a few minutes. Additionally, after two months we deployed it, ASA could achieve 90 recall, which means ASA can well discover a small number of adversaries with a latent period in time.

Haowei Liu

DOI: https://doi.org/10.1088/1742-6596/1994/1/012021

2021-08-01

Journal of Physics: Conference Series

Abstract:Abstract Under the background of “digital new era”, the trend of network environment diversification and personnel technical requirements complexity is becoming more and more intense. After the “Prism Gate” incident was exposed, the public began to think deeply about insider security. At present, most organizations adopt security information and event management (SIEM) security policies and the rules to carry out insider security detection. However, with the surge of insider information data, the number of false alarms and false alarms due to the lack of context increases, which consumes a lot of time and human and material resources. Based on these problems, it is particularly important to develop a new insider safety inspection system and tools. This work proposes to develop an insider threat detection system based on the security strategy of user and entity behavior analysis to realize the detection and analysis of insider threat with high precision. The main work is as follows:This work abandons the traditional SIEM combined rules to determine the anomaly, but adopts the detection strategy of User and Entity Behavior Analysis (UEBA).This work proposes an improved LSTM-GaN insider threat detection algorithm.

Weiyu He,Xu Wu,Jingchen Wu,Xiaqing Xie,Lirong Qiu,Lijuan Sun

DOI: https://doi.org/10.1109/dsc53577.2021.00089

2021-10-01

Abstract:Insider threat makes enterprises or organizations suffer from the loss of property and the negative influence of reputation. User behavior analysis is the mainstream method of insider threat detection, but due to the lack of fine-grained detection and the inability to effectively capture the behavior patterns of individual users, the accuracy and precision of detection are insufficient. To solve this problem, this paper designs an insider threat detection method based on user historical behavior and attention mechanism, including using Long Short Term Memory (LSTM) to extract user behavior sequence information, using Attention-based on user history behavior (ABUHB) learns the differences between different user behaviors, uses Bidirectional-LSTM (Bi-LSTM) to learn the evolution of different user behavior patterns, and finally realizes fine-grained user abnormal behavior detection. To evaluate the effectiveness of this method, experiments are conducted on the CMU-CERT Insider Threat Dataset. The experimental results show that the effectiveness of this method is 3.1% to 6.3% higher than that of other comparative model methods, and it can detect insider threats in different user behaviors with fine granularity.

Kexiong Fei,Jiang Zhou,Yucan Zhou,Xiaoyan Gu,Haihui Fan,Bo Li,Weiping Wang,Yong Chen

DOI: https://doi.org/10.1016/j.cose.2024.104126

IF: 5.105

2024-09-21

Computers & Security

Abstract:Insider threats have increasingly become a critical issue that modern enterprises and organizations faced. They are mainly initiated by insider attackers, which may cause disastrous impacts. Numerous research studies have been conducted for insider threat detection. However, most of them are limited due to a small number of malicious samples. Moreover, as existing methods often concentrate on feature information or statistical characteristics for anomaly detection, they still lack effective use of comprehensive textual content information contained in logs and thus will affect detection efficiency. We propose LaAeb , a novel unsupervised insider threat detection framework that leverages rich linguistic information in log contents to enable conventional methods, such as an Isolation Forest-based anomaly detection, to better detect insider threats besides using various features and statistical information. To find malicious acts under different scenarios, we consider three patterns of insider threats, including attention , emotion , and behavior anomaly . The attention anomaly detection analyzes textual contents of operation objects (e.g., emails and web pages) in logs to detect threats, where the textual information reflects the areas that employees focus on. When the attention seriously deviates from daily work, an employee may involve malicious acts. The emotion anomaly detection analyzes all dialogs between every two employees' daily communicated texts and uses the degree of negative to find potential psychological problems. The behavior anomaly detection analyzes the operations of logs to detect threats. It utilizes information acquired from attention and emotion anomalies as ancillary features, integrating them with features and statistics extracted from log operations to create log embeddings. With these log embeddings, LaAeb employs anomaly detection algorithm like Isolation Forest to analyze an employee's malicious operations, and further detects the employee's behavior anomaly by considering all employees' acts in the same department. Finally, LaAeb consolidates detection results of three patterns indicative of insider threats in a comprehensive manner. We implement the prototype of LaAeb and test it on CERT and LANL datasets. Our evaluations demonstrate that compared with state-of-the-art unsupervised methods, LaAeb reduces FPR by 50% to reach 0.05 on CERT dataset under the same AUC (0.93) , and gets the best AUC (0.97) with 0.06 higher value on LANL dataset.

computer science, information systems

Xi Xiangyu,Zhang Tong,Ye Wei,Wen Zhao,Zhang Shikun,Du Dongdong,Gao Qing

DOI: https://doi.org/10.1142/s0218194018400211

2018-01-01

Abstract:An intruder of a company’s network may use stolen login credentials to silently collect sensitive data. Such malicious user behavior is difficult to detect as long as it does not trigger access violation or data leak alert. In this paper, we propose to use an ensemble of three unsupervised anomaly detection algorithms, namely OCSVM, RNN and Isolation Forest, to detect abnormal user behavior patterns. Besides, an User Behavior Analytics (UBA) Platform is proposed to collect logs, extract features and conduct experiments. The experiment results indicate that our algorithm outperforms each individual algorithm with recall of 96.55% and precision of 91.24% on average, while both OCSVM and RNN suffer from anomalies in the training set, and [Formula: see text] produces more false positives and false negatives in prediction.

Kexiong Fei,Jiang Zhou,Lin Su,Weiping Wang,Yong Chen

DOI: https://doi.org/10.3233/jcs-230092

2024-04-24

Journal of Computer Security

Abstract:With the advancement of network security equipment, insider threats gradually replace external threats and become a critical contributing factor for cluster security threats. When detecting and combating insider threats, existing methods often concentrate on users’ behavior and analyze logs recording their operations in an information system. Traditional sequence-based method considers temporal relationships for user actions, but cannot represent complex logical relationships well between various entities and different behaviors. Current machine learning-based approaches, such as graph-based methods, can establish connections among log entries but have limitations in terms of complexity and identifying malicious behavior of user’s inherent intention. In this paper, we propose Log2Graph, a novel insider threat detection method based on graph convolution neural network. To achieve efficient anomaly detection, Log2Graph first retrieves logs and corresponding features from log files through feature extraction. Specifically, we use an auxiliary feature of anomaly index to describe the relationship between entities, such as users and hosts, instead of establishing complex connections between them. Second, these logs and features are augmented through a combination of oversampling and downsampling, to prepare for the next-stage supervised learning process. Third, we use three elaborated rules to construct the graph of each user by connecting the logs according to chronological and logical relationships. At last, the dedicated built graph convolution neural network is used to detect insider threats. Our validation and extensive evaluation results confirm that Log2Graph can greatly improve the performance of insider threat detection compared to existing state-of-the-art methods.

Oksana Nikiforova,Andrejs Romanovs,Vitaly Zabiniako,Jurijs Kornienko

DOI: https://doi.org/10.1109/access.2024.3365424

IF: 3.9

2024-03-02

IEEE Access

Abstract:This paper explores the analysis of user behavior in information systems through audit records, creating a behavior model represented as a graph. The model captures actions over a specified period, facilitating real-time comparison to identify insider threats exploring anomalies detected in behavior models. "e-StepControl," developed by "ABC software" Ltd., incorporates this approach for monitoring user behavior in different business environments. The study proposes enhancing this solution with automatic user clustering, achieved by grouping individuals exhibiting similar behavior patterns using AI/ML algorithms. The research evaluates various clustering methods, discussing their suitability for grouping users based on their behavior. The subsequent step involves leveraging user class behavior models to identify anomalies by comparing an individual's actions with the behavior model expected in their specific user group. This extension aims to enhance the system's ability to detect potentially malicious activities, providing data security administrators with timely alerts in case of deviations from typical behavior.

computer science, information systems,telecommunications,engineering, electrical & electronic

Pratik Chattopadhyay,Lipo Wang,Yap-Peng Tan

DOI: https://doi.org/10.1109/tcss.2018.2857473

2018-09-01

IEEE Transactions on Computational Social Systems

Abstract:An insider threat scenario refers to the outcome of a set of malicious activities caused by intentional or unintentional misuse of the organization’s systems, networks, data, and resources. Prevention of insider threat is difficult, since trusted partners of the organization are involved in it, who have authorized access to these confidential/sensitive resources. The state-of-the-art research on insider threat detection mostly focuses on developing unsupervised behavioral anomaly detection techniques with the objective of finding out anomalousness or abnormal changes in user behavior over time. However, an anomalous activity is not necessarily malicious that can lead to an insider threat scenario. As an improvement to the existing approaches, we propose a technique for insider threat detection from time-series classification of user activities. Initially, a set of single-day features is computed from the user activity logs. A time-series feature vector is next constructed from the statistics of each single-day feature over a period of time. The label of each time-series feature vector (whether malicious or nonmalicious) is extracted from the ground truth. To classify the imbalanced ground-truth insider threat data consisting of only a small number of malicious instances, we employ a cost-sensitive data adjustment technique that undersamples the nonmalicious class instances randomly. As a classifier, we employ a two-layered deep autoencoder neural network and compare its performance with other popularly used classifiers: random forest and multilayer perceptron. Encouraging results are obtained by evaluating our approach using the CMU Insider Threat Data, which is the only publicly available insider threat data set consisting of about 14-GB web-browsing logs, along with logon, device connection, file transfer, and e-mail log files. We observe that both deep autoencoder and random forest classifiers classify the data-adjusted time-series feature set with high precision, recall, and f-score. Although multilayer perceptron has a high recall, it suffers from a lower precision and f-score compared to the other two classifiers.

Linghui Li,Yali Gao,Xiaoyong Li,Shui Yu,Jie Yuan,Ximing Li,Jia Jia

DOI: https://doi.org/10.1109/TIFS.2023.3245413

IF: 7.231

IEEE Transactions on Information Forensics and Security

Abstract:Insider threat is destructive and concealable, making addressing it a challenging task in cybersecurity. Most existing methods transform user behavior into sequential information and analyze user behavior while neglecting structural information among users, resulting in high false positives. To solve this problem, in this paper, we propose Dual-Domain Graph Convolutional Network (referred to as DD-GCN), a graph-based modularized method for high accuracy and adaptive insider threat detection. The central idea is to convert user features and structural information into heterogeneous graphs in the light of various relationships and take user behavior and relationship into account together. To this end, a weighted feature similarity mechanism is applied to balance the feature similarity of users and original linkages among them so as to generate the fused structure. Next, specific graph embeddings are extracted from the original topology structure and fused structure simultaneously, which convert behavior information into high-level representations. Furthermore, an attention mechanism is applied to learn the adaptive importance weights of the user’s features in the corresponding embedding. The combination and difference constraints are proposed to enhance the learned embeddings’ commonality and the ability to capture different information. Extensive experiments on two real-world datasets clearly show that our proposed DD-GCN extracts the most correlated information from structural topology and feature information substantially, and achieves improved accuracy with a clear margin.

Computer Science

Preetam Pal,Pratik Chattopadhyay,Mayank Swarnkar

DOI: https://doi.org/10.1016/j.eswa.2023.119925

IF: 8.5

2023-03-23

Expert Systems with Applications

Abstract:Nowadays, insider attacks are emerging as one of the top cybersecurity threats. However, the detection of insider threats is a more arduous task for many reasons. A significant cause is the availability of various data types related to insider activities and their possible behavioral drift. Another major reason is that threat activities rarely happen within any organizational environment and usually remain submerged within a massive amount of normal activities thereby creating data imbalance issues. Any insider threat event requires three major components to get materialized: proper motivation, suitable opportunity and a minimum skill set. The simultaneous occurrence of all these elements is rarely found in organizational environment compared to regular activity traits, and the data imbalance thus caused makes accurate detection of threat activities quite challenging. Existing insider threat detection techniques are mainly divided into statistical rule-based, machine learning-based, and deep learning-based methods. Although recent deep learning methods have been found to extract intrinsic behavioral properties from users' activity patterns more effectively than traditional rule-based and machine-learning methods by utilizing their multilayer architecture. But sporadic approaches prioritize critical sections of activity patterns in their detection scheme. Also, rare methods focused on taking advantage of multiple deep learning-based feature extraction models together in their detection scheme. Finally, rare methods have adequately focused on data imbalance issues, especially over the unequal proportion of different categories of threat instances. In this paper, we proposed an insider threat detection approach using an ensemble of stacked-LSTM and stacked-GRU-based attention models. Our models are first trained on the user's single-day sequential activity logs. Then a stacked ensemble of trained attention models is used to extract the user's single-day activity information in the form of the feature vector, which is finally used for classification. To address the data imbalance issues, we propose a new equally-weighted random sampling approach for balancing the population of the different categories of threat patterns. We randomly undersample the nonmalicious instances followed by random oversampling of the different categories of threat instances in an equally-weighted manner so that the training models can learn the behavioral characteristics of the different types of insider activity instances without getting biased towards any particular type, which is a major limitation of random oversampling and random undersampling-based techniques. Experiments have been performed on the different versions of the CMU CERT insider threat datasets. For robust evaluation, stratified division-based train-test sets have been used based on different categories of insider activities. An average AUC of 0.99 on CMU CERT v4.2 and v5.2 datasets and 0.97 on its v6.2 dataset shows the robustness of the proposed approach in detecting insider threats.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Krishna C. Roy,Guenevere Chen

DOI: https://doi.org/10.1109/tdsc.2024.3353929

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Insider threat is one of the most damaging cyber attacks that could cause the loss of intellectual property and enterprise data security breaches. Action sequence data such as host logs are used to investigate such threats and develop anomaly-based AI detectors. However, insider threat actions are similar to legitimate user activities, causing AI detectors to fail and suffer from high false alarm rates. Therefore, user cyber activity logs are inadequate to fully unfold insider threats. In this study, we adopt human psychological principles of risk-taking and impulsiveness along with host data to assess the influence and usefulness of human behavioral aspects in insider threat detection. We hypothesize that individuals' impulsive and risk-taking behavior correlates with cyberspace activities. To validate our hypothesis, we conducted an IRB-approved study recruiting 35 participants who work in a large U.S. university and collected their cyber and psychological data for 90 days. Host and human-behavioral data analysis and mapping indicate that impulsive and risk-taking users trigger more system errors causing (un)intentional insider threats and are susceptible to attackers' social engineering and cognitive hacking. Utilizing cyber-human aspects, we introduce a Cyber-Human Graph Neural Network (GNN) based framework GraphCH to identify abnormal user behaviors and detect insider threats.

computer science, information systems, software engineering, hardware & architecture

Weiping Wang,Yongyi Chen,Lin Su,Jiang Zhou,Fan Zhang,Kexiong Fei

DOI: https://doi.org/10.1109/ISPA-BDCloud-SocialCom-SustainCom57177.2022.00016

2022-12-01

Abstract:In this research, we propose Log2Graph, a new insider threat detection method based on graph convolution neural network (GCN). This method first retrieves the corresponding logs and features from log files through feature extraction. Specifically, we use an auxiliary feature of anomaly index to describe relationship between entities, such as users and hosts, instead of establish complex connections between them. Second, these logs and features are augmented through a combination of oversampling and downsampling, to prepare for the next-stage supervised learning process. Third, we use three elaborated rules to construct the graph of each user by connecting the logs according to chronological and logical relationship. At last, the graph convolution neural network constructed is used to detect insider threats. Our validation and evaluation results confirm that Log2Graph can greatly improve the performance of detecting insider threats compared against baseline and existing methods.

Computer Science

Dongyang Li,Lin Yang,Hongguang Zhang,Xiaolei Wang,Linru Ma,and Junchao Xiao

DOI: https://doi.org/1093.17232.037c012e-a15b-428e-995b-dc7af8a4bee1.1631665864

IF: 1.968

2021-09-15

Security and Communication Networks

Abstract:Insider threat detection has been a challenging task over decades; existing approaches generally employ the traditional generative unsupervised learning methods to produce normal user behavior model and detect significant deviations as anomalies. However, such approaches are insufficient in precision and computational complexity. In this paper, we propose a novel insider threat detection method, Image-based Insider Threat Detector via Geometric Transformation (IGT), which converts the unsupervised anomaly detection into supervised image classification task, and therefore the performance can be boosted via computer vision techniques. To illustrate, our IGT uses a novel image-based feature representation of user behavior by transforming audit logs into grayscale images. By applying multiple geometric transformations on these behavior grayscale images, IGT constructs a self-labelled dataset and then trains a behavior classifier to detect anomaly in a self-supervised manner. The motivation behind our proposed method is that images converted from normal behavior data may contain unique latent features which remain unchanged after geometric transformation, while malicious ones cannot. Experimental results on CERT dataset show that IGT outperforms the classical autoencoder-based unsupervised insider threat detection approaches, and improves the instance and user based Area under the Receiver Operating Characteristic Curve (AUROC) by 4% and 2%, respectively.

computer science, information systems,telecommunications

Jiajun Zhou,Jiacheng Yao,Xuanze Chen,Shanqing Yu,Qi Xuan,Xiaoniu Yang

2024-11-15

Abstract:Lateral movement is a crucial component of advanced persistent threat (APT) attacks in networks. Attackers exploit security vulnerabilities in internal networks or IoT devices, expanding their control after initial infiltration to steal sensitive data or carry out other malicious activities, posing a serious threat to system security. Existing research suggests that attackers generally employ seemingly unrelated operations to mask their malicious intentions, thereby evading existing lateral movement detection methods and hiding their intrusion traces. In this regard, we analyze host authentication log data from a graph perspective and propose a multi-scale lateral movement detection framework called LMDetect. The main workflow of this framework proceeds as follows: 1) Construct a heterogeneous multigraph from host authentication log data to strengthen the correlations among internal system entities; 2) Design a time-aware subgraph generator to extract subgraphs centered on authentication events from the heterogeneous authentication multigraph; 3) Design a multi-scale attention encoder that leverages both local and global attention to capture hidden anomalous behavior patterns in the authentication subgraphs, thereby achieving lateral movement detection. Extensive experiments on two real-world authentication log datasets demonstrate the effectiveness and superiority of our framework in detecting lateral movement behaviors.

Cryptography and Security,Artificial Intelligence

Dongxue Zhang,Yang Zheng,Yu Wen,Yujue Xu,Jingchuo Wang,Yang Yu,Dan Meng

DOI: https://doi.org/10.1145/3267494.3267495

2018-01-01

Abstract:Insider threats have shown their great destructive power in information security and financial stability and have received widespread attention from governments and organizations. Traditional intrusion detection systems fail to be effective in insider attacks due to the lack of extensive knowledge for insider behavior patterns. Instead, a more sophisticated method is required to have a deeper understanding for activities that insiders communicate with the information system. In this paper, we design a classifier, a neural network model utilizing Long Short Term Memory (LSTM) to model user log as a natural language sequence and achieve role-based classification. LSTM Model can learn behavior patterns of different users by automatically extracting feature and detect anomalies when log patterns deviate from the trained model. To illustrate the effective of classification model, we design two experiments based on cmu dataset. Experimental evaluations have shown that our model can successfully distinguish different behavior pattern and detect malicious behavior.

nitin v kanaskar,jiang bian,remzi seker,mais nijim,nuri yilmazer

DOI: https://doi.org/10.1109/SYSCON.2011.5929116

2011-01-01

Abstract:Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

Anagi Gamachchi,Serdar Boztas

DOI: https://doi.org/10.48550/arXiv.1809.00231

2018-09-02

Abstract:While most organizations continue to invest in traditional network defences, a formidable security challenge has been brewing within their own boundaries. Malicious insiders with privileged access in the guise of a trusted source have carried out many attacks causing far-reaching damage to financial stability, national security and brand reputation for both public and private sector organizations. Growing exposure and impact of the whistleblower community and concerns about job security with changing organizational dynamics has further aggravated this situation. The unpredictability of malicious attackers, as well as the complexity of malicious actions, necessitates the careful analysis of network, system and user parameters correlated with the insider threat problem. Thus it creates a high dimensional, heterogeneous data analysis problem in isolating suspicious users. This research work proposes an insider threat detection framework, which utilizes the attributed graph clustering techniques and outlier ranking mechanism for enterprise users. Empirical results also confirm the effectiveness of the method by achieving the best area under the curve value of 0.7648 for the receiver operating characteristic curve.

Cryptography and Security,Social and Information Networks

You Chen,Steve Nyemba,Wen Zhang,Bradley Malin

DOI: https://doi.org/10.1186/2190-8532-1-5

2012-02-27

Abstract:Collaborative information systems (CIS) enable users to coordinate efficiently over shared tasks in complex distributed environments. For flexibility, they provide users with broad access privileges, which, as a side-effect, leave such systems vulnerable to various attacks. Some of the more damaging malicious activities stem from internal misuse, where users are authorized to access system resources. A promising class of insider threat detection models for CIS focuses on mining access patterns from audit logs, however, current models are limited in that they assume organizations have significant resources to generate label cases for training classifiers or assume the user has committed a large number of actions that deviate from "normal" behavior. In lieu of the previous assumptions, we introduce an approach that detects when specific actions of an insider deviate from expectation in the context of collaborative behavior. Specifically, in this paper, we introduce a specialized network anomaly detection model, or SNAD, to detect such events. This approach assesses the extent to which a user influences the similarity of the group of users that access a particular record in the CIS. From a theoretical perspective, we show that the proposed model is appropriate for detecting insider actions in dynamic collaborative systems. From an empirical perspective, we perform an extensive evaluation of SNAD with the access logs of two distinct environments: the patient record access logs a large electronic health record system (6,015 users, 130,457 patients and 1,327,500 accesses) and the editing logs of Wikipedia (2,394,385 revisors, 55,200 articles and 6,482,780 revisions). We compare our model with several competing methods and demonstrate SNAD is significantly more effective: on average it achieves 20-30% greater area under an ROC curve.

R G Gayathri,Atul Sajjanhar,Yong Xiang,Xingjun Ma

DOI: https://doi.org/10.48550/arXiv.2102.07277

2021-07-08

Abstract:Insider threats are the cyber attacks from within the trusted entities of an organization. Lack of real-world data and issue of data imbalance leave insider threat analysis an understudied research area. To mitigate the effect of skewed class distribution and prove the potential of multinomial classification algorithms for insider threat detection, we propose an approach that combines generative model with supervised learning to perform multi-class classification using deep learning. The generative adversarial network (GAN) based insider detection model introduces Conditional Generative Adversarial Network (CGAN) to enrich minority class samples to provide data for multi-class anomaly detection. The comprehensive experiments performed on the benchmark dataset demonstrates the effectiveness of introducing GAN derived synthetic data and the capability of multi-class anomaly detection in insider activity analysis. Moreover, the method is compared with other existing methods against different parameters and performance metrics.

Cryptography and Security,Artificial Intelligence,Neural and Evolutionary Computing

Yong Li,Zhongying Zhang,Jingpeng Wu,Qiang Zhang

DOI: https://doi.org/10.1007/978-981-16-9709-8_18

IF: 4.426

2022-01-01

Big Data

Abstract:Network security is not only related to social stability, but also an important guarantee for the digital intelligent society. However, in recent years, problems such as user account theft and information leakage have occurred frequently, which has greatly affected the security of users’ personal information and the public interest. Based on the massive user click behavior data and graph embedding technology, this paper proposes the Graph2Usersim (Gp2-US) to analyze the similarity between the user’s historical behavior characteristics and online behavior characteristics to accurately identify the user’s identity, and then distinguish the user’s abnormal online behavior. To be specific, firstly, based on the empirical click-stream data, the user’s historical behavior and online behavior are modeled as two attention flow networks respectively. Secondly, based on the Graph2vec method and drawing on the theory of molecular fingerprinting, the nodes of the attention flow network are characterized as atoms, and edges are characterized as chemical bonds, and the network is simplified using the structural features of compounds to generate feature vectors that can identify users’ historical and online behaviors. Finally, the behavior similarity algorithm Gp2-US proposed in this paper is used to accurately identify users. A large number of experiments show that the accuracy of the algorithm Gp2-US is much higher than that of the traditional algorithm. Based on 10 days of historical user behavior data, it can accurately identify its identity characteristics and accurately determine abnormal account behavior. The research conclusions of this paper have important theoretical value and practical significance in inferring abnormal user behaviors and monitoring public opinion.

computer science, theory & methods, interdisciplinary applications