A dynamic graph-based insider threat detection model

Fan JIA, Wenying WANG, Yipeng WANG

Journal of Tsinghua University (Science and Technology), 2025, Vol. 65, Issue 8: 1541-1551. DOI: 10.16511/j.cnki.qhdxxb.2025.27.017
Computer Science and Technology

Abstract (translated from the Chinese)

Frequent security incidents and a rising risk of data breaches have drawn wide attention to insider threat detection in both academia and industry. Existing methods analyze user operation logs to identify abnormal behavior, but they tend to overlook the relationships between users and the evolution of behavioral patterns over time, and they commonly suffer from data imbalance, which degrades model performance. To address these challenges, this paper proposes an insider threat detection model based on a dynamic self-attention deep neural network (the DySAT_DNN model). The model uses a structural self-attention layer and a temporal self-attention layer: the structural layer applies an attention mechanism to aggregate neighbor information at a single time point, while the temporal layer captures the dynamic changes in user behavior across multiple time points. Validation experiments on the CERT R4.2 dataset show that the model outperforms traditional classifier models on the insider threat detection task. To cope with data imbalance, the paper explores and identifies an effective sampling strategy for balancing the ratio of positive to negative samples. Experimental results show that, compared with current baseline models, the DySAT_DNN model performs strongly on key metrics such as recall and area under the curve (AUC), confirming its effectiveness and superiority for insider threat detection.

Abstract

Objective: Modern information systems have become an essential part of enterprise operations. However, these systems are often vulnerable to insider attacks, resulting in frequent security incidents and a heightened risk of data breaches. This has sparked significant interest in insider threat detection among researchers and industry professionals. Existing studies mainly focus on analyzing user activity logs but often overlook the evolving relationships and behavioral patterns among users over time. Furthermore, the common issue of data imbalance affects model performance. Methods: To address these challenges, this study proposes an insider threat detection model called the DySAT_DNN model, which leverages a dynamic self-attention deep neural network. First, the model uses the CERT R4.2 user behavior log dataset, comprising user behavior logs and organization information. Second, the multisource data is preprocessed by aggregating it on a weekly level to extract numerical features of user behaviors, supported by three key rules designed to construct graph structures. Dynamic graph feature representation is achieved through structural and temporal self-attention layers within the DySAT model. The structural self-attention layer uses an attention mechanism to aggregate neighbor information at individual time points, while the temporal self-attention layer captures evolving behavioral patterns over multiple time points. Finally, a fully connected neural network is used as a classifier, trained to distinguish between normal and abnormal behaviors based on the learned representations. Results: In this paper, we design four stages to carry out the experimental evaluation: 1) We compare the performance of the DySAT_DNN model with existing classifier models. The detection performance of the DySAT_DNN model in P_macro, R_macro, and F1_macro is 0.81, 0.80, and 0.81, respectively, which is higher than that of other classifier models; 2) Ablation experiments demonstrated the significant impact of the graph construction rules, with P_macro improving from 0.65 to 0.81 and R_macro from 0.67 to 0.80 when all rules were combined, underscoring their importance in enhancing detection performance. Furthermore, the model demonstrated its efficiency and generalizability across datasets, with a computational cost of 235.96 min and P_macro of 0.89 on the CERT R5.2 validation set; 3) To address the data imbalance issue, an effective sampling strategy was developed to balance the proportion of positive and negative samples; 4) When compared to baseline models, DySAT_DNN achieved a superior AUC of 99.7%, confirming its ability to surpass existing methods. Conclusions: To tackle the two shortcomings of current insider threat detection research, namely the lack of attention to dynamic user relationships and behavioral patterns, as well as issues of data imbalance, this study proposes an insider threat detection model (DySAT_DNN). Built on a self-attention mechanism, the model dynamically aggregates information from neighboring nodes and captures changes in user behavior over time. The model proposed in this study achieves high detection accuracy, effectively identifying abnormal user activities and enhancing the security of enterprise information systems.
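The two DySAT layers the abstract describes, reduced to their core mechanics as an added illustration (this is not the authors' code, and the three graph construction rules of the paper are not reproduced): the weekly snapshots, the feature scaling, and the "shares a device that week" edge rule are all constructed assumptions, and dot-product attention with an identity projection stands in for the learned attention parameters; the downstream classifier is omitted.

```python
import math

# Constructed weekly snapshots of a tiny user-behaviour graph (not CERT data).
# Per week: each user's scaled features [logons, usb_connects, after_hours_logons]
# and an adjacency list; the edge rule ("shares a device that week") is assumed.
SNAPSHOTS = [
    {"x": {"u0": [0.5, 0.1, 0.0], "u1": [0.4, 0.2, 0.1], "u2": [0.6, 0.0, 0.0]},
     "adj": {"u0": ["u1"], "u1": ["u0", "u2"], "u2": ["u1"]}},
    {"x": {"u0": [0.5, 0.1, 0.1], "u1": [0.4, 0.1, 0.0], "u2": [0.7, 0.3, 0.2]},
     "adj": {"u0": ["u1"], "u1": ["u0"], "u2": []}},
    {"x": {"u0": [0.4, 0.0, 0.0], "u1": [0.5, 0.2, 0.1], "u2": [0.9, 0.9, 0.8]},
     "adj": {"u0": ["u1", "u2"], "u1": ["u0"], "u2": ["u0"]}},
]

def softmax(scores):
    m = max(scores)
    exps = [math.exp(s - m) for s in scores]
    total = sum(exps)
    return [e / total for e in exps]

def dot(a, b):
    return sum(p * q for p, q in zip(a, b))

def structural_attention(snapshot):
    """One time point: each user attends over itself and its neighbours only.
    Returns the aggregated embedding per user and the attention weights used."""
    x, adj = snapshot["x"], snapshot["adj"]
    emb, weights = {}, {}
    for u in x:
        nbrs = [u] + adj.get(u, [])  # non-neighbours are masked out entirely
        alpha = softmax([dot(x[u], x[v]) for v in nbrs])
        emb[u] = [sum(a * x[v][k] for a, v in zip(alpha, nbrs)) for k in range(len(x[u]))]
        weights[u] = dict(zip(nbrs, alpha))
    return emb, weights

def temporal_attention(seq):
    """Across time points: week t attends over weeks 0..t (causal mask), so the
    last-week embedding summarises how this user's behaviour evolved."""
    T, d = len(seq), len(seq[0])
    emb, weights = [], []
    for t in range(T):
        alpha = softmax([dot(seq[t], seq[s]) for s in range(t + 1)]) + [0.0] * (T - t - 1)
        emb.append([sum(alpha[s] * seq[s][k] for s in range(T)) for k in range(d)])
        weights.append(alpha)
    return emb, weights

def dysat_embed(snapshots):
    """Structural layer per week, then temporal layer per user; returns the
    last-week representation that a downstream classifier would consume."""
    per_week = [structural_attention(s)[0] for s in snapshots]
    return {u: temporal_attention([w[u] for w in per_week])[0][-1] for u in snapshots[-1]["x"]}
```

In the constructed data, u2's USB and after-hours activity spikes in the last week, and that spike survives both attention layers into u2's final embedding while the peers stay low.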

Keywords (translated from the Chinese)

dynamic graph / feature representation / insider threat / anomaly detection

Key words

dynamic graph / characteristic representation / insider threat / anomaly detection

Cite this article

Fan JIA, Wenying WANG, Yipeng WANG. A dynamic graph-based insider threat detection model[J]. Journal of Tsinghua University(Science and Technology). 2025, 65(8): 1541-1551 https://doi.org/10.16511/j.cnki.qhdxxb.2025.27.017
CLC number: TP393


Funding

National Key R&D Program of China (2020YFB1712203)

Copyright

All rights reserved; reproduction without authorization is prohibited.