Doc2vec-based Insider Threat Detection through Behaviour Analysis of Multi-source Security Logs

Liu Liu, Chao Chen, Jinchao Zhang, O. De Vel, Yang Xiang
DOI: 10.1109/TrustCom50675.2020.00050
Published in: 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)
Publication date: 2020-12-01
Citations: 3

Abstract

Since insider attacks have been recognised as one of the most critical cyber security threats to an organisation, detection of malicious insiders has received increasing attention in recent years. Previously, we proposed an approach that performs the detection by analysing various security logs with Word2vec, which not only removes the reliance on prior knowledge but also greatly simplifies the process of decision making and improves the interpretability of the alerts. In this paper, following a similar idea, a new Doc2vec-based approach is proposed to overcome the previous approach's limitations: (1) the behaviour metrics can be acquired straightforwardly thanks to Doc2vec's capability to infer vectors for unseen texts of any length; (2) in addition to the temporal metrics, some spatial metrics can also be realised, providing a more comprehensive insight into unusual behaviours; and (3) a range of corpora is produced by adopting different keywords for aggregation, each of which may be suited to a specific type of behaviour metric. A large number of numerical experiments are conducted using the same benchmark insider threat database, in order to test how the corpora, metrics and training parameters affect performance and relate to each other. The experiments demonstrate that the proposed approach can achieve similar performance with greater simplicity and flexibility.