Fengrui Xiao; Shuangwu Chen; Siyang Chen; Yuanyi Ma; Huasen He; Jian Yang
IEEE Transactions on Network Science and Engineering, vol. 12, no. 2, pp. 774-790. Journal article, published 2024-12-17. DOI: 10.1109/TNSE.2024.3519155. https://ieeexplore.ieee.org/document/10804674/
SENTINEL: Insider Threat Detection Based on Multi-Timescale User Behavior Interaction Graph Learning
Insider threats have become a prominent driver behind a myriad of cybersecurity incidents in recent years. Since these threats take place inside the intranet, traditional security devices located at the network perimeter can hardly detect them. The trust management methods employed within the organization are likewise incapable of intercepting access actions that have already been authenticated with valid credentials. In this paper, we propose a novel insider threat detection method named SENTINEL, which identifies abnormal behavior of insiders and provides fine-grained threat intelligence. We devise a dynamic user behavior interaction graph (BIG), which jointly considers the spatial distribution of user behavioral trajectories across the network topology and the temporal variation of user behavioral profiles. By incorporating a spatio-temporal graph neural network, SENTINEL learns the operational regularities of users at specific times and at their respective positions in the BIG. In order to detect both abrupt and persistent threats simultaneously, we design a multi-timescale fusion mechanism that examines users' activities at different timescales. SENTINEL performs log-entry-level detection without requiring any attack samples during model training. Experiments conducted on widely used public datasets demonstrate that SENTINEL achieves superior performance while maintaining a relatively low computational overhead compared to state-of-the-art methods.
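To make the abstract's ingredients concrete, the following is an added illustration written for this page; it is not SENTINEL's code and uses no neural network. It builds interaction-graph snapshots (user-to-resource edges weighted by count) at two timescales, learns per-user regularities from benign logs only, scores every log entry at each scale by how surprising the edge and its volume are, and fuses the scales by taking the maximum. The log lines, user names, hosts and the two timescales are constructed for the example; the surprisal formulas are a simple substitute for the learned model described in the paper.

```python
"""Toy multi-timescale user behaviour interaction graph (BIG) anomaly scorer.

Illustration only: it borrows the abstract's ideas (graph snapshots of
user->resource interactions, per-user regularities, scoring at several
timescales, no attack samples in training) but is NOT the SENTINEL model
and uses no neural network. All data below is constructed.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Timescales (seconds) at which graph snapshots are built and later fused.
SCALES = {"hour": 3600, "day": 86400}

BASE = datetime(2024, 3, 4, tzinfo=timezone.utc)  # a Monday; UTC keeps windows deterministic


def benign_day(day, user, pc, fileserver):
    """One constructed, routine working day: logon, three file-server touches, logoff."""
    d = BASE + timedelta(days=day)
    return [
        (d.replace(hour=9), user, "logon", pc),
        (d.replace(hour=10), user, "file", fileserver),
        (d.replace(hour=13), user, "file", fileserver),
        (d.replace(hour=15), user, "file", fileserver),
        (d.replace(hour=17), user, "logoff", pc),
    ]


# Constructed benign history: five routine days for two users (no attack samples needed).
TRAIN_LOGS = [e for day in range(5)
              for user, pc in (("alice", "PC-1"), ("bob", "PC-2"))
              for e in benign_day(day, user, pc, "FS-1")]

# Constructed test day: bob is routine; alice shows one abrupt event (a never-seen
# database edge) and one persistent one (file-server volume spread over five hours).
T = BASE + timedelta(days=7)
TEST_LOGS = (
    benign_day(7, "bob", "PC-2", "FS-1")
    + [(T.replace(hour=9), "alice", "logon", "PC-1"),
       (T.replace(hour=10), "alice", "file", "FS-1"),
       (T.replace(hour=11), "alice", "db", "DB-HR")]
    + [(T.replace(hour=h, minute=m), "alice", "file", "FS-1")
       for h in range(12, 17) for m in (5, 25, 45)]
    + [(T.replace(hour=17), "alice", "logoff", "PC-1")]
)


def window_id(ts, seconds):
    return int(ts.timestamp()) // seconds


def build_big(logs, seconds):
    """BIG snapshots: window -> Counter{(user, (action, target)): count}.
    Each snapshot is a weighted bipartite graph of user->resource edges."""
    snaps = defaultdict(Counter)
    for ts, user, action, target in logs:
        snaps[window_id(ts, seconds)][(user, (action, target))] += 1
    return snaps


def build_profiles(logs):
    """Per scale: windows each user is active in, windows each edge appears in,
    and the edge's total weight (from which its usual per-window volume follows)."""
    profiles = {}
    for name, seconds in SCALES.items():
        active, present, volume = Counter(), Counter(), Counter()
        for edges in build_big(logs, seconds).values():
            for user in {u for u, _ in edges}:
                active[user] += 1
            for key, cnt in edges.items():
                present[key] += 1
                volume[key] += cnt
        profiles[name] = (active, present, volume)
    return profiles


def score_logs(logs, profiles):
    """Score every log entry at each scale; fuse the scales by taking the maximum."""
    snaps = {name: build_big(logs, s) for name, s in SCALES.items()}
    out = []
    for ts, user, action, target in logs:
        key = (user, (action, target))
        per_scale = {}
        for name, seconds in SCALES.items():
            active, present, volume = profiles[name]
            if active[user] == 0:  # user absent from benign history: maximal surprise
                per_scale[name] = float("inf")
                continue
            # structural surprisal: rarity of this edge among the user's active windows
            s_edge = -math.log((present[key] + 0.5) / (active[user] + 1))
            # volume surprisal: current window weight versus the edge's usual weight
            usual = volume[key] / present[key] if present[key] else 1.0
            cur = snaps[name][window_id(ts, seconds)][key]
            s_vol = max(0.0, math.log(cur / usual))
            per_scale[name] = s_edge + s_vol
        best = max(per_scale, key=per_scale.get)
        out.append({"ts": ts, "user": user, "action": action, "target": target,
                    "score": per_scale[best], "scale": best, "per_scale": per_scale})
    return out


def top_alerts(results, k=3):
    return sorted(results, key=lambda r: r["score"], reverse=True)[:k]


if __name__ == "__main__":
    res = score_logs(TEST_LOGS, build_profiles(TRAIN_LOGS))
    for r in top_alerts(res, 5):
        print(f"{r['ts']:%Y-%m-%d %H:%M} {r['user']:6} {r['action']:6} {r['target']:6} "
              f"score={r['score']:.2f} via {r['scale']}")
```

Running it ranks alice's never-seen `db -> DB-HR` edge first, and the hour scale is what fires, since a new edge is rare against the user's many hourly windows; her sixteen `file -> FS-1` entries on the test day look ordinary hour by hour but are flagged at the day scale, where their combined volume is five times her usual daily count. Two caveats a practitioner would want: day-scale scores are shared by every entry of that edge in the day, so attribution at coarse scales is inherently coarser than at fine ones; and this toy does not condition on time of day, which is why a regular 09:00 logon still carries a moderate hour-scale score, whereas the paper's BIG encodes the temporal position of each behaviour.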
Journal description:
The IEEE Transactions on Network Science and Engineering (TNSE) is committed to the timely publication of peer-reviewed technical articles that deal with the theory and applications of network science and the interconnections among the elements in a system that form a network. In particular, the journal publishes articles on understanding, prediction, and control of the structures and behaviors of networks at the fundamental level. The types of networks covered include physical or engineered networks, information networks, biological networks, semantic networks, economic networks, social networks, and ecological networks. The journal aims at discovering common principles that govern network structures, network functionalities, and the behaviors of networks. Another trans-disciplinary focus of the journal is the interactions between, and co-evolution of, different genres of networks.