计算机应用 ›› 2018, Vol. 38 ›› Issue (2): 357-362.DOI: 10.11772/j.issn.1001-9081.2017081951

• 网络空间安全 • 上一篇    下一篇

基于图分析和支持向量机的企业网异常用户检测

徐兵1,2, 郭渊博1,2, 叶子维1,2, 胡永进1,2   

  1. 1. 信息工程大学, 郑州 450001;
    2. 数学工程与先进计算国家重点实验室, 郑州 450001
  • 收稿日期:2017-08-09 修回日期:2017-09-30 出版日期:2018-02-10 发布日期:2018-02-10
  • 通讯作者: 徐兵
  • 作者简介:徐兵(1993-),男,河南驻马店人,硕士研究生,主要研究方向:机器学习、信息安全;郭渊博(1975-),男,陕西周至人,教授,博士生导师,博士,主要研究方向:信息安全、态势感知;叶子维(1990-),男,吉林通化人,博士研究生,主要研究方向:信息安全、漏洞挖掘;胡永进(1981-),男,山东潍坊人,博士研究生,主要研究方向:机器学习、信息安全。
  • 基金资助:
    国家自然科学基金资助项目(61602515)。

Abnormal user detection in enterprise network based on graph analysis and support vector machine

XU Bing1,2, GUO Yuanbo1,2, YE Ziwei1,2, HU Yongjin1,2   

  1. 1. Information Engineering University, Zhengzhou Henan 450001, China;
    2. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou Henan 450001, China
  • Received:2017-08-09 Revised:2017-09-30 Online:2018-02-10 Published:2018-02-10
  • Supported by:
    This work is partially supported by National Natural Science Foundation of China (61602515).

摘要: 在企业网络中,若其内部的攻击者获得了用户的身份认证信息,其行为与正常用户将很难区分;而目前研究对于企业网中的异常用户检测方法比较单一,召回率不高。用户的认证活动信息直接反映了用户在网络中与各类资源或人员的交互,基于此,提出一种利用用户认证活动信息来检测网络中异常用户的方法。该方法利用用户的认证活动生成用户认证图,之后基于图分析方法提取认证图中的属性,如图的最大连通组件的大小、孤立认证的数量等,这些属性反映了用户在企业网中的认证行为特征。最后利用有监督的支持向量机(SVM)对提取到的图属性进行建模,以此来间接识别和检测网络中的异常用户。在提取了用户图向量之后,具体对训练集和测试集、惩罚参数、核函数取不同值的情况进行了分析。通过对这些参数的调节,召回率、精确率和F1-Score均达到80%以上。实验数据表明,该方法能够有效检测企业网络中的异常用户。

关键词: 用户认证, 异常检测, 图分析, 支持向量机, 认证图

Abstract: In the enterprise network, if the internal attacker obtains the user's identity authentication information, his behavior will be very difficult to distinguish with the normal user. The current research on the abnormal user detection method in enterprise network is relatively simple and the detection rate is low. The user's authentication activity information directly reflects the user's interaction with various resources or personnel in the network. Based on this, a new abnormal user detection method by using user authentication activity information was proposed. The user's authentication activity was used to generate the user authentication graph, and then the attributes in the authentication graph were extracted based on the graph analysis method, such as the size of the largest connected components of the graph and the number of isolated certificates. These attributes reflect the user's authentication behavioral characteristics in the enterprise network. Finally, a supervised Support Vector Machine (SVM) was used to model the extracted graph attributes to indirectly identify and detect abnormal users in the network. After extracting the user graph vector, the training set and the test set, the penalty parameter and the kernel function were analyzed by taking different values. Through the adjustment of these parameters, the recall, accuracy and F1-Score of the propsed method have reached more than 80%. The experimental results show that the proposed method can effectively detect abnormal users in the enterprise network.

Key words: user authentication, anomaly detection, graph analysis, Support Vector Machine (SVM), authentication graph

中图分类号: