
Research And Implementation Of Threat Assessment Technology Based On Behavior Sequence

Posted on: 2021-05-29
Degree: Master
Type: Thesis
Country: China
Candidate: S N Li
GTID: 2428330623468561
Subject: Engineering

Abstract/Summary:
With the acceleration of the information-based office process, internal network security issues have become increasingly serious. Traditional external defense systems struggle to deal with internal threats, which are low-frequency, highly concealed, variable and high-risk. To improve the security of the internal network, anomaly detection technology for the internal network has begun to receive widespread attention. How to effectively construct the sequence under test, and how to reasonably interpret the detection results so as to ensure the efficiency, accuracy and interpretability of detection, are the basic and key issues in current research on internal network anomaly detection. The main difficulties are: (1) lack of research; (2) abnormal behavior is rare and changeable; (3) unexplainable detection results.

Aiming at the above problems, this thesis studies how to detect abnormal behaviors in internal network scenarios and how to provide interpretable results for reference, based on the characteristics of each kind of heterogeneous data and on models and algorithm theories such as neural networks, natural language processing, and model interpretation. It provides a new idea for the design of anomaly detection schemes in the internal network and gives complete experimental results. The main work and innovations of this thesis are as follows:

(1) A user behavior sequence modeling method based on heterogeneous data is proposed. In the internal network scenario, this modeling method adaptively processes various heterogeneous data, starting from the time and frequency of the behavior, the subject's deviation from the content of the behavior, and user relationships. It solves the problems of insufficient behavior type coverage and low accuracy.

(2) An interpretable threat assessment model is proposed. An autoencoder-based dimension reduction algorithm is used to reduce the dimension of high-dimensional sequences, which solves the problem of the model's huge time overhead when detecting high-dimensional data. At the same time, a model interpretation algorithm is designed using the idea of model interpretability and the back propagation characteristics of neural networks, which solves the problem of uninterpretable detection results. The feasibility and effectiveness of the above algorithms are proved through experiments.

(3) On the basis of a laboratory project, a multi-center big data joint analysis system based on in-situ computing, the above two algorithms are combined to design and develop an internal cyber threat detection system. The functions of each module are explained in detail, and an intuitive visual display interface is designed for each submodule. The tests show that the method and model proposed in this thesis have good application prospects and value.
Keywords/Search Tags:insider threat, user behavior sequence, threat detection, neural network, model interpretable