Similar literature
20 similar records found.
1.
To meet the security requirements of access-control systems in large domestic airport terminals, and given the particular nature of access-control log data, for which conventional data-mining methods struggle to produce good results, this paper proposes an improved PrefixSpan algorithm tailored to access-control log data. Experimental results show that the algorithm builds normal behaviour patterns well; a subsequence exact-matching and localisation algorithm based on a preorder-traversal tree is then used to detect abnormal behaviour patterns, achieving anomaly-based intrusion detection and markedly improving the terminal's security posture and the airport's operational efficiency.
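As an added illustration of the sequence-mining approach this abstract describes (example code written for this page, not the authors' improved algorithm, whose modifications the abstract does not specify): a textbook PrefixSpan mines frequent door-swipe patterns from constructed training sequences, the patterns are loaded into a prefix tree, and a preorder walk of that tree finds the longest learned pattern embedded in a new day's sequence; swipes that no learned pattern covers are reported as anomalous. The door names, the training data and the support threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the paper): one badge-swipe sequence per
# cardholder per day, as the ordered list of door ids that were opened.
TRAINING_SEQUENCES = [
    ["gate", "lobby", "office", "lobby", "gate"],
    ["gate", "lobby", "office", "lab", "office", "lobby", "gate"],
    ["gate", "lobby", "office", "lobby", "gate"],
    ["gate", "lobby", "lab", "office", "lobby", "gate"],
    ["gate", "lobby", "office", "lobby", "gate"],
]


def _project(sequences, item):
    """Projected database: the suffix of every sequence after its first `item`."""
    projected = []
    for seq in sequences:
        if item in seq:
            projected.append(seq[seq.index(item) + 1:])
    return projected


def prefix_span(sequences, min_support, prefix=(), patterns=None):
    """Textbook PrefixSpan: returns {pattern tuple: support} for every sequential
    pattern (ordered, gaps allowed) contained in at least `min_support` sequences."""
    if patterns is None:
        patterns = {}
    support = defaultdict(int)
    for seq in sequences:
        for item in set(seq):          # count each sequence at most once per item
            support[item] += 1
    for item in sorted(support):
        if support[item] >= min_support:
            pattern = prefix + (item,)
            patterns[pattern] = support[item]
            prefix_span(_project(sequences, item), min_support, pattern, patterns)
    return patterns


def build_trie(patterns):
    """Prefix tree of the mined patterns. PrefixSpan output is prefix-closed,
    so every path from the root is itself a frequent pattern."""
    root = {}
    for pattern in patterns:
        node = root
        for item in pattern:
            node = node.setdefault(item, {})
    return root


def longest_match(trie, seq, start=0):
    """Preorder walk of the trie that returns the longest frequent pattern embedded
    in seq[start:] as a subsequence. Taking the leftmost occurrence of each item is
    optimal for subsequence embedding, so no backtracking over positions is needed."""
    best = []
    for item, child in trie.items():
        try:
            pos = seq.index(item, start)
        except ValueError:
            continue
        candidate = [item] + longest_match(child, seq, pos + 1)
        if len(candidate) > len(best):
            best = candidate
    return best


def detect(trie, seq, max_unexplained=0):
    """Flag a new daily sequence when more than `max_unexplained` of its swipes
    are not covered by any learned normal pattern. Returns (is_anomalous, matched)."""
    matched = longest_match(trie, seq)
    return len(seq) - len(matched) > max_unexplained, matched


# Model built once from the training set; min_support=2 is an assumption.
PATTERNS = prefix_span(TRAINING_SEQUENCES, min_support=2)
TRIE = build_trie(PATTERNS)

if __name__ == "__main__":
    for day in (["gate", "lobby", "lab", "office", "lobby", "gate"],
                ["gate", "lobby", "server_room", "lobby", "gate"]):
        flagged, covered = detect(TRIE, day)
        print("ANOMALY" if flagged else "normal", day, "covered by", covered)
```

The uncovered-swipe rule is deliberately strict (`max_unexplained=0`); on real terminal logs the threshold would be tuned against the false-positive rate, and a swipe on a door never seen in training (here `server_room`) should be escalated regardless of the count.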

2.
Unauthorised disclosure, copying and tampering of information by insiders causes huge economic losses to governments and enterprises. To prevent insiders from illegally stealing information, this paper proposes ITDBLA, an insider threat detection model based on LSTM-Attention. First, user behaviour sequences, user behaviour features, role behaviour features and psychological data are extracted to describe a user's daily activity; second, a long short-term memory network with an attention mechanism learns the user's behaviour pattern and computes the deviation between actual and predicted behaviour; finally, a multilayer perceptron makes an overall decision on that deviation to identify abnormal behaviour. Experiments on the CERT insider threat dataset show that ITDBLA reaches an AUC of 0.964 and has a strong ability to learn user activity patterns and detect abnormal behaviour.

3.
Obsolete security technology creates serious hidden risks in access-control infrastructure and can quickly cripple an organisation's ability to protect its staff, facilities and data assets. The drivers of organisational change therefore include security technology upgrades and the new demands that developments in IT and mobile technology place on access-control facilities.

4.
To counter the increasingly serious insider threat in enterprise information systems, in particular impersonated logins and privilege abuse, a new insider threat detection framework for information systems is built on user behaviour analysis, using a layered security model that combines subjects and objects. Malicious insider activity is discovered by comparing anomalous user behaviour against subject and object privileges. Regular expressions and a hybrid encryption scheme are used to ensure detection accuracy and log security. Security checks are performed from four angles, identity authentication, access control, operation auditing and behaviour thresholds, and the key techniques are described in detail. Experiments show that the framework prevents insiders from damaging data and provides response and intervention capability, improving information system security. Finally, trends in insider threat detection technology are discussed.

5.
Reducing the false-negative and false-positive rates is one of the hard problems in network traffic anomaly detection. This paper proposes a multi-time-series data-mining method for analysing the anomaly characteristics of large-scale communication network traffic: the time series formed by several traffic feature parameters are analysed together as a whole, and multi-time-series mining yields effective association rules related to traffic anomalies, giving an accurate description of the security threats to the whole network. The method is validated on Abilene network data.

6.
Computers are an important part of information systems and face information security threats from both outside and inside. Current protection on computer endpoints mainly targets external threats arriving over the network, such as viruses, trojans and attacks, and is largely helpless against leaks caused by insider negligence or intent. Moreover, because the protection functions are built on the very computer being protected, their reliability is constrained by the defects and vulnerabilities of existing computer hardware and operating systems. This paper proposes a secure computer architecture with an independent protection system; theoretical analysis and practice show that the architecture can effectively counter external and internal security threats and protect both the computer itself and the data it holds.

7.
Network security of Industrial Control Systems (ICS) has become a key problem in information security, and detecting attacks that tamper with behaviour data and control programs is one of its hard problems. This paper proposes a behaviour-model-based anomaly detection method for industrial control: behaviour data sequences are extracted from ICS network traffic, a normal behaviour model is built from the ICS control process and the controlled process, and anomalies are flagged by comparing the behaviour data extracted in real time with the behaviour data predicted by the model. Experimental analysis confirms that the method effectively detects attacks that tamper with behaviour data and control programs.
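An added example of the two-sided comparison this abstract describes (written for this page; the paper's actual model and traffic features are not specified in the abstract): the control process is modelled as the set of command transitions seen in normal traffic, and the controlled process as a one-step physical prediction of a tank level from the pump and valve state. A live record raises a "control" alert when its command does not follow the previous one in the learned model (tampered control program) and a "data" alert when the reported level deviates from the predicted level (tampered behaviour data). The command names, the fill/drain rate, the tolerance and both traces are constructed assumptions.

```python
# Constructed behaviour records (not real ICS traffic): one (command, reported_level)
# pair per polling cycle of a tank-filling loop, as extracted from the control protocol.
NORMAL_TRACE = [
    ("pump_start", 10.0), ("level_read", 15.0), ("level_read", 20.0), ("pump_stop", 25.0),
    ("valve_open", 25.0), ("level_read", 20.0), ("level_read", 15.0), ("valve_close", 10.0),
    ("pump_start", 10.0), ("level_read", 15.0), ("level_read", 20.0), ("pump_stop", 25.0),
    ("valve_open", 25.0), ("level_read", 20.0), ("level_read", 15.0), ("valve_close", 10.0),
]

# Same loop with two injected manipulations (constructed).
ATTACK_TRACE = NORMAL_TRACE[:8] + [
    ("pump_start", 10.0),
    ("valve_open", 15.0),   # never follows pump_start in normal traffic: altered control logic
    ("level_read", 15.0),
    ("level_read", 40.0),   # physically impossible jump: tampered sensor value
]

RATE = 5.0        # assumption: the pump adds and the valve drains 5 units per cycle
TOLERANCE = 0.5   # assumption: sensor noise allowed before a data alert


def learn_transitions(trace):
    """Control-process model: the command bigrams observed in normal traffic."""
    cmds = [c for c, _ in trace]
    return set(zip(cmds, cmds[1:]))


def apply_command(state, cmd):
    """Actuator state after a command; level_read leaves it unchanged."""
    state = dict(state)
    if cmd == "pump_start":
        state["pump"] = True
    elif cmd == "pump_stop":
        state["pump"] = False
    elif cmd == "valve_open":
        state["valve"] = True
    elif cmd == "valve_close":
        state["valve"] = False
    return state


def predict_level(state, level):
    """Controlled-process model: next level from the current actuator state."""
    return level + (RATE if state["pump"] else 0.0) - (RATE if state["valve"] else 0.0)


def detect(trace, allowed):
    """Compare each live record with the model's prediction of command and level.
    Returns a list of (index, kind, detail) alerts; kind is 'control' or 'data'."""
    alerts = []
    state = {"pump": False, "valve": False}
    prev_cmd, prev_level = None, None
    for i, (cmd, level) in enumerate(trace):
        if prev_cmd is not None:
            if (prev_cmd, cmd) not in allowed:
                alerts.append((i, "control", f"{prev_cmd}->{cmd}"))
            expected = predict_level(state, prev_level)
            if abs(level - expected) > TOLERANCE:
                alerts.append((i, "data", f"expected {expected} got {level}"))
        state = apply_command(state, cmd)
        prev_cmd, prev_level = cmd, level
    return alerts


ALLOWED = learn_transitions(NORMAL_TRACE)

if __name__ == "__main__":
    for alert in detect(ATTACK_TRACE, ALLOWED):
        print(alert)
```

The prediction is made from the previously reported level, so a single tampered reading produces one alert rather than a cascade; a detector that trusts only its own simulated state instead would keep alerting until the sensor and the model are reconciled, which is the more conservative choice when the sensor itself is suspect.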

8.
In recent years data-theft attacks have become one of the most serious network security threats. Besides malware, people can carry out data theft, especially insiders of an organisation or enterprise. Theft carried out by people rarely leaves obvious anomalous traces, which makes timely discovery of the attack and reconstruction of the theft operations challenging in real scenarios. This paper proposes a method that treats each user as an independent subject and detects anomalies from the deviation between the user's current behaviour events and their historical normal behaviour. Detection at session granularity makes discovery timely, and an unsupervised algorithm avoids dependence on large labelled datasets, making the method better suited to real scenarios. For sessions the algorithm flags as anomalous, an event-chain construction method is further proposed that both reconstructs the concrete theft operations and, by comparison with data-theft attack patterns, judges the attack more precisely. Experiments on Carnegie Mellon University's CERT insider threat dataset reach an accuracy above 99% with no missed detections and a low false-positive rate, demonstrating the method's effectiveness and advantages.
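An added example of the per-user, per-session workflow this abstract describes (written for this page; the authors' actual features, distance measure and attack patterns are not given in the abstract): each user's historical sessions give a mean event-type profile and an unsupervised threshold, a new session is scored by its L1 distance from that profile, and for a flagged session an event chain is built and checked against an exfiltration pattern. The audit lines, the threshold rule (mean plus three standard deviations of the training scores) and the exfiltration pattern are all constructed assumptions.

```python
import statistics
from collections import Counter

# Constructed CERT-style audit lines (not real data): "timestamp,user,session,event".
LOG_LINES = """\
2024-03-04T08:01,alice,s1,logon
2024-03-04T08:05,alice,s1,http
2024-03-04T08:20,alice,s1,http
2024-03-04T09:00,alice,s1,email
2024-03-04T10:00,alice,s1,http
2024-03-04T17:00,alice,s1,logoff
2024-03-05T08:02,alice,s2,logon
2024-03-05T08:10,alice,s2,http
2024-03-05T08:30,alice,s2,email
2024-03-05T09:00,alice,s2,http
2024-03-05T11:00,alice,s2,http
2024-03-05T14:00,alice,s2,email
2024-03-05T17:05,alice,s2,logoff
2024-03-06T08:00,alice,s3,logon
2024-03-06T08:30,alice,s3,http
2024-03-06T10:00,alice,s3,http
2024-03-06T11:00,alice,s3,email
2024-03-06T17:00,alice,s3,logoff
2024-03-07T08:03,alice,s4,logon
2024-03-07T08:10,alice,s4,email
2024-03-07T09:00,alice,s4,http
2024-03-07T12:00,alice,s4,http
2024-03-07T15:00,alice,s4,http
2024-03-07T17:01,alice,s4,logoff
""".splitlines()

# Constructed exfiltration signature (assumption): these steps in this order,
# with other events allowed in between.
EXFIL_PATTERN = ("device_connect", "file_copy", "device_disconnect")


def parse_sessions(lines):
    """Group events by (user, session id), preserving their order."""
    sessions = {}
    for line in lines:
        _ts, user, sid, event = line.split(",")
        sessions.setdefault((user, sid), []).append(event)
    return sessions


def profile(events, vocab):
    """Relative frequency of each event type within one session."""
    counts = Counter(events)
    return {e: counts[e] / len(events) for e in vocab}


class UserBaseline:
    """One user's normal behaviour: mean session profile plus an unsupervised
    threshold derived only from that user's own historical sessions."""

    def __init__(self, sessions, k=3.0):
        vocab = sorted({e for ev in sessions for e in ev})
        profiles = [profile(ev, vocab) for ev in sessions]
        self.mean = {e: sum(p[e] for p in profiles) / len(profiles) for e in vocab}
        scores = [self.score(ev) for ev in sessions]
        self.threshold = statistics.mean(scores) + k * statistics.pstdev(scores)

    def score(self, events):
        """L1 distance from the mean profile; unseen event types count fully."""
        p = profile(events, set(self.mean) | set(events))
        return sum(abs(p[e] - self.mean.get(e, 0.0)) for e in p)

    def is_anomalous(self, events):
        return self.score(events) > self.threshold


def event_chain(events):
    """Collapse consecutive repeats so the chain reads as distinct operations."""
    chain = []
    for e in events:
        if not chain or chain[-1] != e:
            chain.append(e)
    return chain


def contains_in_order(chain, pattern):
    """True when `pattern` occurs in `chain` as an ordered subsequence."""
    it = iter(chain)
    return all(step in it for step in pattern)


def analyse_session(baseline, events):
    """Session-level verdict plus, for anomalies, the reconstructed event chain."""
    if not baseline.is_anomalous(events):
        return {"anomalous": False}
    chain = event_chain(events)
    return {"anomalous": True, "score": round(baseline.score(events), 3),
            "chain": chain, "exfiltration": contains_in_order(chain, EXFIL_PATTERN)}


SESSIONS = parse_sessions(LOG_LINES)
ALICE = UserBaseline([ev for (user, _), ev in SESSIONS.items() if user == "alice"])
```

Because the threshold comes from the user's own history, a heavy-mail day scores as anomalous without matching the exfiltration chain; that separation between "unusual" and "matches a theft pattern" is what the event-chain step adds over the session score alone.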

9.
Traditional security products, which rely mainly on signature detection, find it increasingly hard to detect novel threats. To address the shortcomings of existing threat detection methods, this paper studies a threat intelligence analysis method that combines the attack chain with network anomaly traffic detection: the threat information obtained is analysed, and the extracted intelligence is shared in a machine-readable format to achieve collaborative defence. The method first detects anomalous traffic in the network and analyses traffic features and the relations between them, comparing an entropy-value sequence chain against the pattern of the network attack chain; it then classifies and tallies feature items at each anomalous time point, counts their support, mines frequent itemset patterns among the features and, combined with the characteristics of each attack chain stage, reconstructs the attack process. Simulation results show that the method effectively detects anomalous network traffic and extracts threat intelligence indicators.
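An added example covering both the multi-feature time-series mining of abstract 5 and the entropy-sequence plus frequent-itemset pipeline of this abstract (example code for this page, not either paper's implementation; neither abstract specifies its features or rules): per time slot the entropy of source addresses and destination ports and the flow count are computed, each feature is discretised against a clean baseline, slots with any out-of-band feature are marked anomalous, support counting over those slots yields frequent itemsets, and the itemsets are matched against stage signatures to label the attack-chain stage and emit a machine-readable indicator record. The flow windows, tolerances, stage signatures and output format are constructed assumptions.

```python
import json
import math
from collections import Counter
from itertools import combinations

# Constructed flow windows (not real Abilene data): each window is the list of
# (src_ip, dst_port) pairs observed in one time slot.
WINDOWS = [
    [("10.0.0.1", 80), ("10.0.0.2", 443), ("10.0.0.3", 80), ("10.0.0.4", 443)],
    [("10.0.0.1", 443), ("10.0.0.2", 80), ("10.0.0.5", 80), ("10.0.0.6", 443)],
    [("10.0.0.7", 80), ("10.0.0.2", 443), ("10.0.0.3", 443), ("10.0.0.8", 80)],
    [("10.0.0.1", 80), ("10.0.0.9", 443), ("10.0.0.3", 80), ("10.0.0.4", 443)],
    # scan-like slots: one source sweeping many destination ports
    [("10.0.0.66", p) for p in (21, 22, 23, 25, 80, 110, 143, 443)],
    [("10.0.0.66", p) for p in (445, 3306, 3389, 5432, 8080, 8443, 9200, 27017)],
]
BASELINE_SLOTS = 4  # assumption: the first four slots are known-clean reference traffic
TOLERANCE = {"src_entropy": 0.5, "dport_entropy": 0.5, "flows": 2.0}  # assumption
# Hypothetical stage signatures (not from the paper): feature items that together
# characterise one attack-chain stage.
STAGE_SIGNATURES = {
    "reconnaissance": frozenset({"src_entropy=low", "dport_entropy=high"}),
    "delivery": frozenset({"src_entropy=high", "dport_entropy=low", "flows=high"}),
}


def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def window_features(window):
    return {"src_entropy": entropy([s for s, _ in window]),
            "dport_entropy": entropy([p for _, p in window]),
            "flows": float(len(window))}


def discretize(feats, baseline):
    """Turn each numeric feature into a symbolic item relative to the baseline."""
    items = set()
    for name, value in feats.items():
        if value > baseline[name] + TOLERANCE[name]:
            level = "high"
        elif value < baseline[name] - TOLERANCE[name]:
            level = "low"
        else:
            level = "normal"
        items.add(f"{name}={level}")
    return items


def frequent_itemsets(transactions, min_support):
    """Support counting over every item combination (Apriori without pruning,
    adequate for a handful of features)."""
    items = sorted(set().union(*transactions)) if transactions else []
    result = {}
    for size in range(1, len(items) + 1):
        for combo in combinations(items, size):
            support = sum(1 for t in transactions if set(combo) <= t)
            if support >= min_support:
                result[frozenset(combo)] = support
    return result


def analyse(windows, baseline_slots, min_support=2):
    feats = [window_features(w) for w in windows]
    baseline = {k: sum(f[k] for f in feats[:baseline_slots]) / baseline_slots
                for k in TOLERANCE}
    anomalous, transactions = [], []
    for idx, f in enumerate(feats):
        items = {i for i in discretize(f, baseline) if not i.endswith("=normal")}
        if items:
            anomalous.append(idx)
            transactions.append(items)
    itemsets = frequent_itemsets(transactions, min_support)
    stages = sorted(stage for stage, sig in STAGE_SIGNATURES.items()
                    if any(sig <= iset for iset in itemsets))
    top = Counter(s for idx in anomalous for s, _ in windows[idx]).most_common(1)
    return {"anomalous_slots": anomalous, "frequent_itemsets": itemsets,
            "stages": stages, "top_sources": [s for s, _ in top]}


def to_indicator_json(report):
    """Machine-readable sharing record (a constructed shape, not a standard format)."""
    largest = max(report["frequent_itemsets"], key=len, default=frozenset())
    return json.dumps({"stages": report["stages"], "sources": report["top_sources"],
                       "slots": report["anomalous_slots"], "features": sorted(largest)})
```

Entropy is what makes the two scan slots stand out: the flow count alone doubles, but the collapse of source entropy to zero together with the jump in port entropy is the pattern that the itemset and the stage signature capture, and it survives changes in absolute volume.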

10.
《网络安全技术与应用》 (Network Security Technology & Application), 2011(8): F0002-F0002, 1
In an industry that treats security as its highest principle, multi-purpose smart cards let oil and gas companies better protect their staff and workplaces. To address risks to asset and operational security, oil and gas companies keep extending their use of smart-card technology, combining logical and physical access control on one small smart card for identity verification, access management and network security. This not only brings staff security and convenience but also lets the enterprise recognise the integrated …

11.
To counter insider threat behaviour in enterprise information systems, in particular resource abuse by internal users, an agent-based real-time detection framework is proposed that discovers malicious insider activity by comparing a user's identity privileges with anomalous operations. The framework consists of a data collection module, a detection module, an audit module and a response module. The functions of the detection system are explained from four angles, identity authentication, access control, operation auditing and vulnerability detection, and the key techniques are described in detail. An application example shows that the framework achieves real-name login, behaviour detection and after-the-fact auditing, fundamentally preventing malicious insiders from obtaining illegitimate data while providing response and intervention capability, thereby improving information system security. Finally, trends in insider threat detection technology are summarised.

12.
The security of insurance data has become a major issue affecting corporate profitability and reputation. To effectively detect anomalous access behaviour in daily transaction data, a detection method based on fuzzy decision trees is proposed; it combines the inductive learning ability of decision trees with the expressive power of fuzzy sets, allowing anomalous access behaviour in transaction records to be found effectively. Experimental analysis shows improved detection accuracy and efficiency.

13.
Collaborative information systems provide the core working environment for knowledge sharing and re-creation, but because they touch on important areas such as privacy and security, their secure operation has become a significant research topic bearing on national security and ethics. Compared with external privacy theft, insider threat behaviour bypasses existing identity authentication mechanisms and access control policies and can use account privileges to steal sensitive data. This paper proposes an insider privacy threat detection model. At the macro level it captures users' access patterns from their access behaviour and from the semantic labels of shared data; at the micro level it introduces a dispersion measure of the local access network, and the differences in that measure, to assess how anomalous a particular access is within the dataset. Through stochastic simulation of access behaviour, the paper verifies that the new model has good early-warning performance and very significant prediction stability.

14.
Enterprise log data, the records a system keeps when employees use network services inside the enterprise, include web access logs, e-mail logs and so on. To a certain extent they reflect the enterprise's internal organisational structure, employees' daily work patterns and various anomalies. Analysing log data helps senior management keep track of how the enterprise is running, discover potential threats and thereby make better decisions. Most existing enterprise log analysis methods apply data mining and machine learning algorithms to a single data source. Combining data-centric analysis algorithms with human-centric interactive visualisation exploits the analytical strengths of both; visual analytics can more effectively combine the analysis of multi-source, heterogeneous, time-varying, multi-dimensional log data and offer analysis from multiple angles. To this end, EWB-VIS, a visual analytics system for employee work behaviour in enterprise log data, was designed and implemented. Experiments on the public dataset from the ChinaVis 2018 challenge demonstrate the system's usability and the effectiveness of its visualisation methods.

15.
To address two kinds of abnormal passage through access-control systems, tailgating and forcing the door, image processing is combined with the access-control system's identity verification function to detect violations and further improve the system's security. First, a trajectory-analysis based people-counting method is designed: a target detection and tracking algorithm yields each target's trajectory in the monitored scene, and the trajectory determines whether the target entered or left through the access point. Then, given the characteristics of the monitored scene, a counting-line based counting rule is designed and combined with the trajectories to count people. Finally, combined with the access-control system's identity verification, detection rules for abnormal passage are defined and the defined abnormal behaviours are detected. Experimental results show that the method effectively detects abnormal behaviour at access-control points and performs very well in particular when pedestrians are sparse and not heavily occluded; its average detection accuracy reaches 90%.
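An added example of the counting-line rule and the violation rules this abstract outlines (example code for this page, not the authors' implementation; the abstract does not define their exact rules): tracker output is reduced to line crossings, crossings are counted by direction, and each entry is matched to an unconsumed credential acceptance within a time window. An entry with no credential of its own is labelled tailgating if an authorised entry happened shortly before (the door was legitimately open) and forced entry otherwise. The trajectories, the credential frames and the window length are constructed assumptions; the detection and tracking stage that produces the trajectories is out of scope here.

```python
from collections import Counter

# Constructed tracker output (not real video data): track id -> list of
# (frame, x, y) positions. The counting line is y = 0; y < 0 is the public side
# of the door, y > 0 the secured side.
TRACKS = {
    1: [(1, 0.5, -3.0), (2, 0.5, -2.0), (3, 0.5, -1.0), (4, 0.5, 1.0), (5, 0.5, 2.0)],
    2: [(5, 0.7, -3.0), (6, 0.7, -2.0), (7, 0.7, -1.0), (8, 0.7, 1.0), (9, 0.7, 2.0)],
    3: [(30, 0.4, -3.0), (31, 0.4, -2.0), (32, 0.4, -1.0), (33, 0.4, 1.0), (34, 0.4, 2.0)],
    4: [(40, 0.6, 2.0), (41, 0.6, 1.0), (42, 0.6, -1.0), (43, 0.6, -2.0)],
    5: [(50, 0.9, -3.0), (51, 0.9, -2.5), (52, 0.9, -3.0)],
}
# Frames at which the reader accepted a credential (constructed).
AUTH_FRAMES = [2]
AUTH_WINDOW = 10   # assumption: one accepted credential covers one entry within 10 frames


def crossings(tracks, line_y=0.0):
    """(frame, track_id, direction) for every time a trajectory crosses the line.
    Only the transition between consecutive samples counts, so loitering on one
    side (track 5) produces nothing."""
    events = []
    for tid, points in tracks.items():
        for (_, _, y0), (f1, _, y1) in zip(points, points[1:]):
            if y0 < line_y <= y1:
                events.append((f1, tid, "entry"))
            elif y0 >= line_y > y1:
                events.append((f1, tid, "exit"))
    return sorted(events)


def count_people(events):
    """People count per direction from the crossing events."""
    return dict(Counter(direction for _, _, direction in events))


def classify_entries(events, auth_frames, window):
    """Match each entry to one unconsumed credential acceptance in [frame-window, frame];
    an unmatched entry is tailgating if an authorised entry precedes it within the
    window, otherwise a forced entry."""
    unused = sorted(auth_frames)
    authorised = []
    verdicts = []
    for frame, tid, direction in events:
        if direction != "entry":
            continue
        match = next((a for a in unused if frame - window <= a <= frame), None)
        if match is not None:
            unused.remove(match)          # one credential admits exactly one person
            authorised.append(frame)
            verdicts.append((frame, tid, "authorized"))
        elif any(frame - window <= a <= frame for a in authorised):
            verdicts.append((frame, tid, "tailgating"))
        else:
            verdicts.append((frame, tid, "forced_entry"))
    return verdicts


EVENTS = crossings(TRACKS)

if __name__ == "__main__":
    print(count_people(EVENTS))
    for verdict in classify_entries(EVENTS, AUTH_FRAMES, AUTH_WINDOW):
        print(verdict)
```

Consuming each credential exactly once is the rule that turns people counting into tailgating detection: two entries on one badge is the signature, whatever the video shows. The abstract's own caveat applies, since crowded or occluded scenes merge or lose tracks and the count, not the rule, becomes the weak point.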

16.
This paper examines some of the key issues relating to insider threats to information security and the nature of loyalty and betrayal in the context of organisational and cultural factors and changing economic and social factors. It is recognised that insiders pose security risks because of their legitimate access to facilities and information, their knowledge of the organisation and their knowledge of where valuable assets are located. Insiders will know how to achieve the greatest impact whilst leaving little evidence. However, organisations may not have employed effective risk management regimes to deal with the speed and scale of change, for example the rise of outsourcing. Outsourcing can lead to the fragmentation of protection barriers and controls and increase the number of people treated as full-time employees. Regional and cultural differences will manifest themselves in differing security threat and risk profiles. At the same time, the recession is causing significant individual (and organisational) uncertainty and may prompt an increase in abnormal behaviour in long-term employees and managers, those traditionally most trusted, including members of the security community. In this environment, how can organisations know whom to trust and how to maintain this trust? The paper describes a practitioner's view of the issue and the approaches used by BT to assess and address insider threats and risks. Proactive measures need to be taken to mitigate insider attacks rather than reactive measures after the event. A key priority is to include a focus on insiders within security risk assessments and compliance regimes. The application of technology alone will not provide solutions. Security controls need to be workable in a variety of environments and designed, implemented and maintained with people's behaviour in mind. Solutions need to be agile and to build and maintain trust and secure relationships over time. This requires a focus on human factors, education and awareness, and greater attention to the security 'aftercare' of employees and third parties.

17.
Cloud computing is a set of policies, protocols and technologies through which shared resources such as storage, applications, networks and services can be accessed at relatively low cost. Despite its tremendous advantages, one major threat that must be addressed is data security in the cloud. Users of cloud services are exposed to many threats: insufficient identity and access management, insecure interfaces and application programming interfaces (APIs), hijacking, advanced persistent threats, data threats and more. API and service providers face a huge challenge in ensuring the security and integrity of both the network and the data. Access control mechanisms are employed to address these challenges, but traditional access control mechanisms fail to monitor user operations on the cloud platform and are prone to attacks such as IP spoofing that impact the integrity of the data. To ensure data integrity on cloud platforms, access control must go beyond identification, authentication and authorization. This work therefore proposes a trust-based access control mechanism that analyses user behaviour, network behaviour, demand behaviour and security behaviour data to compute a trust value before granting a user access. The final trust value is computed with a fuzzy logic algorithm; trust-value-based policies are defined for the access control mechanism, and access is granted or denied according to the resulting trust value.
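An added example of how a fuzzy trust value can be computed from the four behaviour inputs this abstract names and turned into a policy decision (example code for this page, not the paper's rule base, which the abstract does not give): each input gets low, medium and high membership functions, a small Mamdani-style rule base fires with min-strength, the output is defuzzified as the strength-weighted average of the rule consequents' centres, and thresholds map the trust value to grant, limited or deny. The score ranges, membership shapes, rules, centres and thresholds are all assumptions.

```python
# Four behaviour scores in [0, 1], one per input named in the abstract (assumption:
# higher means more trustworthy). Membership functions and rules are this example's.

def mf_low(x):
    return max(0.0, min(1.0, (0.5 - x) / 0.3))      # 1 up to 0.2, fades out by 0.5


def mf_medium(x):
    return max(0.0, 1.0 - abs(x - 0.5) / 0.3)       # peak at 0.5, zero at 0.2 and 0.8


def mf_high(x):
    return max(0.0, min(1.0, (x - 0.5) / 0.3))      # fades in from 0.5, 1 from 0.8


MEMBERSHIP = {"low": mf_low, "medium": mf_medium, "high": mf_high}
OUTPUT_CENTRE = {"low": 0.1, "medium": 0.5, "high": 0.9}   # defuzzification singletons

# Rule base (assumption). A rule fires with the minimum membership of its antecedents;
# a single low security or network score can pull the result down on its own.
RULES = [
    ({"user": "high", "network": "high", "demand": "high", "security": "high"}, "high"),
    ({"security": "low"}, "low"),
    ({"network": "low"}, "low"),
    ({"user": "low"}, "low"),
    ({"user": "medium"}, "medium"),
    ({"demand": "medium"}, "medium"),
    ({"security": "medium"}, "medium"),
]


def trust_value(scores):
    """Weighted-average defuzzification of the fired rules; 0.0 (fail closed)
    when no rule fires at all."""
    numerator = denominator = 0.0
    for antecedent, consequent in RULES:
        strength = min(MEMBERSHIP[level](scores[name]) for name, level in antecedent.items())
        numerator += strength * OUTPUT_CENTRE[consequent]
        denominator += strength
    return numerator / denominator if denominator > 0 else 0.0


def decide(scores, grant=0.6, limited=0.4):
    """Trust-value policy: full access, limited access, or denial."""
    trust = trust_value(scores)
    if trust >= grant:
        return trust, "grant"
    if trust >= limited:
        return trust, "limited"
    return trust, "deny"


if __name__ == "__main__":
    for sample in ({"user": 0.9, "network": 0.9, "demand": 0.9, "security": 0.9},
                   {"user": 0.9, "network": 0.9, "demand": 0.9, "security": 0.1},
                   {"user": 0.7, "network": 0.65, "demand": 0.7, "security": 0.7}):
        print(sample, "->", decide(sample))
```

The point worth noticing is the second sample: three excellent behaviour scores cannot outvote a bad security-behaviour score, because the "security low" rule fires at full strength while the "all high" rule fires at zero. A weighted-sum scorer would have averaged that failure away; the rule structure is what carries the policy intent.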

18.
Data access in cloud computing environments must not only ensure that legitimate users can reach data resources quickly but also keep the access rights of illegitimate users restricted, and must reasonably address threats from inside the trust domain in order to solve the data security problems that cloud computing brings. This paper proposes CDSSM, a model that effectively realises cross-domain data access. By introducing an agent, it first distinguishes first-time cross-domain security authentication from repeated cross-domain authentication, neatly streamlining the cross-domain authentication flow; it then makes full use of the message-encryption keys from the authentication step to encrypt and store data in blocks, and finally addresses security threats within the domain effectively, guaranteeing the security of user data. The author implemented CDSSM; experiments show that the keys in the scheme are unforgeable, replay attacks are effectively prevented, the efficiency of repeated cross-domain authentication exceeds 50%, read/write performance is good for files under 100 MB, and both the reliability of data stored in the cloud and the effectiveness of security authentication are greatly improved.

19.
There is considerable research being conducted on insider threats directed at developing new technologies. At the same time, existing technology is not being fully utilized because of non-technological issues that pertain to economics and the human dimension. Issues related to how insiders actually behave are critical to ensuring that the best technologies are meeting their intended purpose. In our research, we have investigated accepted models of perceptions of risk and characteristics unique to insider threat, and we have introduced ordinal scales to these models to measure insider perceptions of risk. We have also investigated decision theories, leading to the conclusion that prospect theory, developed by Tversky and Kahneman, may be used to describe the risk-taking behavior of insiders and can be accommodated in our model. Our results indicate that there is an inverse relationship between perceived risk and benefit by insiders and that their behavior cannot be explained well by models based on the traditional methods of engineering risk analysis and expected utility. We discuss the results of validating that model with forty-two senior information security executives from a variety of organizations. We also discuss how the model may be used to identify characteristics of insiders' perceptions of risk and benefit, their risk-taking behavior and how to frame insider decisions. Finally, we recommend understanding the risk of detection and creating a fair working environment to reduce the likelihood of insiders committing criminal acts.

20.
Organizational insiders have considerable influence on the effectiveness of information security efforts. However, most research conducted in this area fails to examine what these individuals believe about organizational security efforts. To help bridge this gap, this study assesses the mindset of insiders regarding their relationship with information security efforts and compares it against the mindset of information security professionals. Interviews were conducted with 22 ordinary insiders and 11 information security professionals, an effort that provides insight into how insiders gauge the efficacy of recommended responses to information security threats. Several key differences between insiders' and professionals' security mindsets are also discussed.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号