With the rapid development of science and technology, insider threats have become a major hidden danger that seriously jeopardizes the data security of an organization. By exploiting the access privileges they legitimately hold, members of an organization can deliberately leak internal private data to the outside world or tamper with internal data, causing serious damage to the organization. Such anomalous behaviors, which violate the organization's internal security, are increasing day by day. To detect anomalous behavior inside the organization effectively, this paper presents a design scheme for insider threat behavior detection based on optimized machine learning methods applied to the behavior of people within the organization. The main research work includes:

(1) A new particle swarm optimization algorithm with Markov jumps (MJPSO) is proposed. First, the evolutionary state is determined by evaluating the evolutionary factor of each generation; based on a Markov chain, the inertia weight and the acceleration coefficients of the model are then adjusted adaptively, which avoids the cost of recomputing the inertia weight in every iteration and improves both the global and the local search capability of the particle swarm algorithm. Second, the stochastic stability of the particle dynamics of the proposed MJPSO algorithm is analyzed: by introducing the framework of the discrete-time Markov jump Lur'e system, sufficient conditions for stochastic stability are derived in the form of linear matrix inequalities (LMI). Finally, the stochastic stability of the MJPSO algorithm is verified by simulation experiments, and on several widely used benchmark functions MJPSO is shown to have advantages in convergence accuracy, speed and stability when compared with some popular PSO variants.

(2) An insider threat behavior detection scheme based on the Random Forest (RF) method with parameter optimization is given, and an anomaly detection framework for suspicious insider behavior is designed. First, the CERT-IT (r6.2) dataset is selected, the employee behavior data are pre-processed, single-domain features are extracted and multi-domain features are fused using "days" as the time window. Second, the behavioral features are filtered to eliminate multicollinear features, which enhances the interpretability of the model and reduces the generalization error. Then, the parameters of the RF method are optimized with the designed MJPSO algorithm, and the insider behavior anomaly detection model is built on the resulting RF method optimized by MJPSO (Markov Jumping Particle Swarm Optimizer-Random Forest, MJPSO-RF). Finally, the effectiveness of the designed insider threat behavior detection model MJPSO-RF is verified by comparison tests against the RF method with PSO-based parameter optimization and against the SVM model.

(3) Based on the constructed insider threat detection model, an optimization scheme for threat behavior detection with hybrid unsupervised clustering is developed. First, on the feature-selected behavior dataset, the normal behavior patterns of the organization's employees are grouped by K-means unsupervised clustering, and an MJPSO-RF insider threat detection model is built separately for each cluster. Second, these detection models are compared with models that group employee behavior by role. Finally, the reasonableness and effectiveness of the hybrid unsupervised clustering scheme for threat detection optimization are verified through comparison experiments.
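As an added illustration of the MJPSO idea in part (1) (it is not the thesis's own algorithm or code), the sketch below classifies the swarm's evolutionary state from an APSO-style evolutionary factor, looks up the inertia weight and acceleration coefficients per state instead of recomputing them, and lets the parameter mode jump between states according to a Markov transition matrix. The thresholds, the transition matrix, the parameter table and the Sphere benchmark are all assumptions made for this example.

```python
import numpy as np

# Assumed per-state (inertia weight w, cognitive c1, social c2); each row keeps
# c1 + c2 < 2(1 + w), the usual deterministic PSO stability margin.
STATES = ("convergence", "exploitation", "exploration", "jumping_out")
PARAMS = {0: (0.4, 1.2, 1.5), 1: (0.6, 1.5, 1.5), 2: (0.9, 2.0, 1.2), 3: (0.7, 2.0, 1.0)}
# Assumed Markov transition matrix: row = detected state, column = next mode.
# The heavy diagonal keeps the mode near the detected state; off-diagonal mass
# is the stochastic "jump" that lets the swarm switch search behaviour.
P = np.array([[0.85, 0.10, 0.03, 0.02],
              [0.10, 0.80, 0.08, 0.02],
              [0.03, 0.10, 0.80, 0.07],
              [0.05, 0.05, 0.20, 0.70]])

def sphere(x):
    # Constructed benchmark objective (global minimum 0 at the origin).
    return float(np.sum(x * x))

def evolutionary_factor(pos, gbest_idx):
    # Mean distance of every particle to all others; f in [0, 1] measures how far
    # the globally best particle sits from the rest of the swarm.
    d = np.array([np.mean(np.linalg.norm(pos - p, axis=1)) for p in pos])
    dmin, dmax = d.min(), d.max()
    return 0.0 if dmax == dmin else float((d[gbest_idx] - dmin) / (dmax - dmin))

def classify_state(f):
    # Assumed crisp thresholds on the evolutionary factor.
    if f < 0.25: return 0   # convergence
    if f < 0.5: return 1    # exploitation
    if f < 0.75: return 2   # exploration
    return 3                # jumping out

def mjpso(obj, dim=5, n=20, iters=200, seed=1):
    rng = np.random.default_rng(seed)
    pos = rng.uniform(-5, 5, (n, dim))
    vel = np.zeros((n, dim))
    pbest, pval = pos.copy(), np.array([obj(p) for p in pos])
    g = int(pval.argmin()); gbest, gval = pbest[g].copy(), float(pval[g])
    for _ in range(iters):
        s = classify_state(evolutionary_factor(pos, g))
        mode = int(rng.choice(4, p=P[s]))        # Markov jump of the parameter mode
        w, c1, c2 = PARAMS[mode]                 # lookup, no per-iteration recomputation
        r1, r2 = rng.random((n, dim)), rng.random((n, dim))
        vel = w * vel + c1 * r1 * (pbest - pos) + c2 * r2 * (gbest - pos)
        pos = np.clip(pos + vel, -5, 5)
        val = np.array([obj(p) for p in pos])
        better = val < pval
        pbest[better], pval[better] = pos[better], val[better]
        g = int(pval.argmin())
        if pval[g] < gval: gbest, gval = pbest[g].copy(), float(pval[g])
    return gbest, gval
```

Running `mjpso(sphere)` returns the best position found and its objective value; the same seed gives the same trajectory, which is what makes the stability behaviour reproducible for experiments like the thesis's simulations.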