
Research On Security Situation Awareness Technology Based On User Entity Behavior

Posted on: 2024-07-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y L Ma
Full Text: PDF
GTID: 2568307172993229
Subject: Software engineering

Abstract/Summary:
With the rapid development of the new digital era, the network environment is becoming more complex and diverse. The resulting insider threat issues and external intrusion risks cannot be ignored, and today's network security protection work faces more challenges because of them. At present, existing insider threat detection methods mainly have the following shortcomings: the dimensions referenced by user behavior data features are too simple, the correlation between the data of the various dimensions is under-researched, and detection accuracy is not high. Existing external intrusion detection methods mainly have the following shortcomings: they study only the intrusion event itself, cannot cope with new types of intrusion events, and have low detection accuracy for some intrusion events. In order to adapt to the complex trend of security risks inside and outside the system in the new era, this paper, based on the ideas of user entity behavior analysis and security situation awareness, carries out related research work in the following three parts.

(1) Taking user behavior as the research object, an insider threat detection method based on a BiLSTM (Bidirectional Long Short-Term Memory)-DNN (Deep Neural Network) hybrid model is proposed. The method focuses on the multi-dimensional behavior data of users. Using feature extraction methods, user behavior features describe the behavior in each dimension, behavior sequence features describe the correlation between users' behaviors across the various dimensions, and user role features describe the common behavior of users, so that effective features are fully extracted from user behavior from multiple angles. Finally, a comprehensive decision is made from the deviation between the predicted features and the features of the test data. This method not only overcomes the limitations of user feature extraction but also improves the AUC score of the model.

(2) Taking entity behavior as the research object, an external intrusion detection method based on a VAE (Variational Autoencoder)-DNN (Deep Neural Network) architecture is proposed. In this method, a feature selection method based on the Pearson correlation coefficient is used to extract effective features, and a comprehensive sampling method combining the SMOTE algorithm and the RUS algorithm is used to balance the data distribution. An intrusion detection module and an intrusion classification module are used to handle many kinds of intrusion events; the classification of intrusion events is more detailed, and the method shows high intrusion detection and classification performance.

(3) Combining the user entity behavior analysis technology above, a security situation awareness system is designed and implemented. To achieve comprehensive security risk monitoring of the insider and external network environments, the insider threat detection method and the external intrusion detection method are applied in the system. It provides data management, model management, threat (intrusion) monitoring and other related function modules to achieve management and control of the system's overall insider and external security situation.
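As an added illustration of the two preprocessing steps named in part (2), Pearson-correlation feature selection followed by combined SMOTE/RUS resampling, here is a small stand-alone Python version run on a constructed toy set of connection records. This is not code from the thesis; the feature names, the |r| threshold and the "midpoint" class-size target are assumptions made for the example.

```python
import math
import random

# Constructed toy connection records (not from the thesis): four hypothetical
# features per row plus a label, 1 = intrusion. The 8:2 class imbalance and the
# uninformative columns (duration, tos_flag) are deliberate.
FEATURES = ["bytes_sent", "packet_count", "duration", "tos_flag"]
RECORDS = [
    ([120, 3, 1.0, 0], 0), ([150, 4, 1.2, 0], 0), ([130, 3, 0.9, 0], 0),
    ([140, 4, 1.1, 0], 0), ([160, 5, 1.3, 0], 0), ([125, 3, 1.0, 0], 0),
    ([135, 4, 1.0, 0], 0), ([145, 4, 1.2, 0], 0),
    ([9000, 400, 1.1, 0], 1), ([8500, 380, 1.0, 0], 1),
]

def pearson(xs, ys):
    """Pearson correlation coefficient; 0.0 for a constant column."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)

def select_features(records, names, min_abs_r=0.3):
    """Indices of columns whose |r| against the label clears the (assumed) threshold."""
    labels = [y for _, y in records]
    return [i for i in range(len(names))
            if abs(pearson([x[i] for x, _ in records], labels)) >= min_abs_r]

def smote_rus(records, minority=1, seed=7):
    """Binary balancing: RUS shrinks the majority class and SMOTE grows the
    minority class, both toward the midpoint of the two class sizes."""
    rng = random.Random(seed)
    minor = [x for x, y in records if y == minority]
    major = [x for x, y in records if y != minority]
    if len(minor) < 2:
        raise ValueError("SMOTE needs at least two minority samples")
    target = (len(minor) + len(major)) // 2
    major = rng.sample(major, target)                 # RUS: random undersampling
    synth = []
    while len(minor) + len(synth) < target:           # SMOTE: interpolate to a neighbour
        a = rng.choice(minor)
        b = min((p for p in minor if p is not a), key=lambda p: math.dist(p, a))
        lam = rng.random()
        synth.append([ai + lam * (bi - ai) for ai, bi in zip(a, b)])
    return [(x, minority) for x in minor + synth] + [(x, 1 - minority) for x in major]

def preprocess(records=RECORDS, names=FEATURES):
    """Select informative columns, project the rows onto them, then rebalance."""
    cols = select_features(records, names)
    projected = [([x[i] for i in cols], y) for x, y in records]
    return [names[i] for i in cols], smote_rus(projected)
```

On the toy data the constant `tos_flag` and the weakly related `duration` are dropped, and the 8:2 split becomes 5:5 before any detector is trained.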
Keywords/Search Tags: User and Entity Behavior Analytics, Insider threat detection, External intrusion detection, Bidirectional long short-term memory network, Variational autoencoder, Security situation awareness