Credential theft attacks are those in which attackers use various means to steal or defraud user credentials and then use those credentials to move laterally across the network, compromising more computers and carrying out malicious actions. Because the credential used by the attacker is indistinguishable from a legitimately used one, traditional access control and authorization systems find it difficult to prevent the attacker from illegally using it to steal information, and traditional intrusion detection systems find such attacks difficult to detect. Solving this network security problem is one of the focuses of the academic community. In recent years, researchers have proposed detection methods based on users' authentication behavior and operation behavior, but these solutions still have many problems: 1) detection based on authentication behavior suffers from the low dimensionality of the data, which makes feature extraction difficult and results in a low detection recall rate; 2) detection based on operation behavior cannot handle the sequence relationship between behaviors, so it cannot completely describe the user profile, resulting in low detection accuracy; 3) most detection methods use a single behavior model, which cannot detect the attack fully and leaves both the false negative rate and the false positive rate high. In view of these problems, this paper takes authentication and operation behavior data as its basis and mines the differences between attacker and normal user behavior. The research results are as follows:

1. Aiming at the first problem, this paper proposes a detection method for abnormal authentication behavior based on Word2vec and density clustering. First, the differences between attacker and user behavior are mined in an existing public data set and representative features are extracted. Then the Word2vec algorithm converts these differences into numerical features to build feature vectors. Finally, the feature vectors are clustered with a density clustering algorithm to detect abnormal authentication behavior. Experiments show that this method has a high recall rate.

2. Aiming at the second problem, this paper proposes an LSTM-based abnormal operation behavior detection method. This method analyzes the sequence relationship between behaviors, defines behavior patterns, and mines the difference between the attacker and the user. On this basis, the original data is processed into feature data, and an LSTM network learns from the feature data to predict the next behavior. Abnormal operation behavior is then detected by calculating the probability difference. Experiments show that this detection method is significantly better than previous methods.

3. Aiming at the third problem, this paper proposes a credential abuse detection system based on multiple behaviors. The system combines the two detection methods above to detect credential abuse attacks and consists of five modules. Its detection module combines misuse detection and anomaly detection, synthesizing multiple behavior models to detect credential abuse. Experiments show that the system detects credential abuse quickly and accurately.

4. In addition to the results above, this paper proposes using an authentication graph to assess network risk and the vulnerability of user credentials. By analyzing the authentication relationships between users and computers, authentication graphs of different structure are built for the network and for the user respectively, to assess network risk and credential vulnerability. This finds a relatively safe network state and identifies credentials that are easily exploited by attackers, thereby improving network security and reducing the damage caused by attacks.
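As an added illustration of the authentication-graph idea in result 4 (example code written for this page, not the thesis's own implementation): it builds a bipartite user-host graph from a constructed set of successful logons and ranks each credential by how many hosts an attacker holding it could reach by hopping through hosts where other credentials are exposed. The "reach" and "network risk" measures are assumptions chosen here, not the thesis's metrics.

```python
from collections import defaultdict, deque

# Constructed sample of successful authentication events (not real data):
# (user, source host, destination host)
AUTH_EVENTS = [
    ("alice", "WS01", "FS01"),
    ("alice", "WS01", "WS01"),
    ("bob",   "WS02", "WS02"),
    ("bob",   "WS02", "FS01"),
    ("admin", "WS02", "DC01"),
    ("admin", "WS02", "FS01"),
    ("carol", "WS03", "WS03"),
    ("svc",   "DC01", "DC01"),
    ("dave",  "WS04", "WS04"),
]

def build_auth_graph(events):
    """Bipartite authentication graph: each credential is linked to every host
    it was used from or accepted on, i.e. the hosts where it may be exposed."""
    user_hosts = defaultdict(set)
    host_users = defaultdict(set)
    for user, src, dst in events:
        for host in (src, dst):
            user_hosts[user].add(host)
            host_users[host].add(user)
    return user_hosts, host_users

def credential_reach(user, user_hosts, host_users):
    """Assumed vulnerability measure: hosts reachable from one compromised
    credential by BFS alternating credential -> host -> credentials on host."""
    seen_users, seen_hosts = {user}, set()
    queue = deque([user])
    while queue:
        u = queue.popleft()
        for h in user_hosts[u]:
            if h in seen_hosts:
                continue
            seen_hosts.add(h)
            for other in host_users[h]:
                if other not in seen_users:
                    seen_users.add(other)
                    queue.append(other)
    return seen_hosts

def network_risk(user_hosts, host_users):
    """Assumed network-level measure: fraction of all hosts inside the
    largest region that any single credential can reach."""
    largest = max((len(credential_reach(u, user_hosts, host_users))
                   for u in user_hosts), default=0)
    return largest / len(host_users) if host_users else 0.0

def rank_credentials(events):
    """Credentials ordered by reach (descending), so defenders can prioritize."""
    user_hosts, host_users = build_auth_graph(events)
    return sorted(((u, len(credential_reach(u, user_hosts, host_users)))
                   for u in user_hosts), key=lambda x: (-x[1], x[0]))
```

In the constructed sample, every credential that touches FS01 or DC01 reaches four of the six hosts, while carol and dave are confined to their own workstations.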