Research And Technical Implementation Of Insider Threat Detection Based On Graph Representation Learning

Posted on: 2024-02-12
Degree: Master
Type: Thesis
Country: China
Candidate: G Y Chen
GTID: 2568307067972369
Subject: Computer technology

Abstract/Summary:
In recent years, insider threat incidents have become increasingly common, leading to problems such as information leakage, property loss, and reputation damage for businesses and individuals. With the accelerated progress of digital transformation, enterprises are becoming more and more dependent on data, and a large amount of sensitive information and core resources are stored in digital systems. The internal network environment is becoming more complex, and the challenges of insider threats faced by enterprises are becoming more severe. Therefore, improving the capability of insider threat detection technology is of great significance in helping organizations protect internal data and effectively prevent major risks. Despite numerous research achievements, there are still some shortcomings. On the one hand, models that learn behavior sequences have significantly improved the performance of insider threat detection, but they overlook the similarity of user behavior across multiple days. On the other hand, many studies focus only on the analysis of a single data source or data type, failing to make full use of multi-source context information, resulting in information waste. To address these issues, this thesis mainly carries out the following three tasks:

(1) This thesis proposes an insider threat detection method based on behavioral attribute graphs. This method fully mines the temporal logic between single-day user behaviors and the similarity of user behavior patterns across multiple days. Firstly, a behavioral attribute graph is constructed based on multi-source heterogeneous behavior log data. Then, the graph representation learning method is used to simultaneously learn the structural information and attribute information of the nodes in the graph, generating representations containing both types of information. Subsequently, an attention-based Long Short-Term Memory model is employed to learn user session representations, extract key information, and detect threatening user sessions. During the model training process, the impact of sample imbalance is fully considered, and negative sampling and weight allocation strategies are adopted to mitigate the impact of sample imbalance on the results. Experimental results show that the proposed method's performance is comparable to cutting-edge research.

(2) This thesis proposes a comprehensive behavioral assessment method based on multi-feature fusion. By improving the method based on behavioral attribute graphs from both feature-level fusion and decision-level fusion perspectives, this method fully utilizes user role features, psychological features, and user session statistical features, and integrates the prediction results of multiple base learners using the Stacking method, effectively balancing the strengths and weaknesses of multiple models and improving the overall model recall.

(3) Focusing on the proposed detection algorithm and addressing the practical needs of enterprise internal security management, this thesis designs and implements a prototype system for insider threat detection. This study completes the overall design of the system, including front-end and back-end technology selection, system architecture, etc., and designs, one by one, the schemes for the important functional modules, including data acquisition and storage, insider threat detection and early warning, and model evaluation and update.
Keywords/Search Tags: Insider Threat Detection, Graph Representation Learning, Behavior Attributed Graph, Ensemble Learning