Application of Machine-Learning-Based User and Entity Behavior Analytics to Account Anomaly Detection
Cite this article: MO Fan, HE Shuai, SUN Jia, FAN Yuan, LIU Bo. Application of machine-learning-based user and entity behavior analytics to account anomaly detection [J]. Communications Technology (通信技术), 2020(5): 1262-1267.
Authors: MO Fan, HE Shuai, SUN Jia, FAN Yuan, LIU Bo
Affiliation: Hangzhou DBAPP Security (杭州安恒信息技术股份有限公司)
Abstract: As enterprise business keeps expanding and moving online, both an enterprise's own data and its workload data have begun to surge. Yet internal data, one of the enterprise's core assets, faces increasingly severe security threats. A growing number of non-obvious attacks, typically long in duration, low in frequency and highly covert, bypass traditional security detection methods and damage large volumes of data. User and Entity Behavior Analytics (UEBA) systems are now emerging as a new framework for anomalous-user detection that is gradually displacing traditional defenses and opening a new chapter in network security, from "passive defense" to "proactive offense". This paper therefore focuses on the application of UEBA to anomalous-user detection in enterprises. First, by correlating the three elements user, entity and behavior, it integrates the various kinds of data that can reflect a user's behavioral baseline; second, it defines four feature-extraction dimensions and effectively extracts dozens of basic features that best reflect user anomalies; third, it combines three anomaly detection algorithms through ensemble learning to model anomalous users; finally, it uses anomaly scoring to locate the group of users at highest risk. In practice, investigation of the top 10 ranked anomalous users shows that DBAPP Security's UEBA deployment approach is highly effective at anomalous-user detection.

Keywords: user and entity behavior analytics; machine learning; insider threat; account compromise; anomaly detection

Application of User Entity Behavior Analysis Technology based on Machine Learning in Account Anomaly Detection
MO Fan,HE Shuai,SUN Jia,FAN Yuan,LIU Bo.Application of User Entity Behavior Analysis Technology based on Machine Learning in Account Anomaly Detection[J].Communications Technology,2020(5):1262-1267.
Authors:MO Fan  HE Shuai  SUN Jia  FAN Yuan  LIU Bo
Affiliation:(DBAPP Security,Hangzhou Zhejiang 310051,China)
Abstract: With the continuous expansion and electronic development of enterprise business, the data of the enterprise itself and its load data are beginning to surge. However, internal data, as one of the enterprise's core assets, is facing increasingly serious security threats. More and more non-obvious attacks characterized by long period, low frequency and strong concealment have bypassed traditional security detection methods and caused damage to large amounts of data. Currently, the UEBA (User and Entity Behavior Analytics) system is gradually emerging as a new anomalous user detection system, subverting traditional defense means and opening a new chapter of network security from "passive defense" to "active attack". Therefore, this paper mainly describes the application of UEBA in the detection of enterprise abnormal users. Firstly, through associating the three elements of user, entity and behavior, various types of data that can reflect the baseline of user behavior are integrated; then, four types of feature extraction dimensions are defined to effectively extract dozens of basic features that can best reflect user anomalies; then, three types of anomaly detection algorithms are used to model abnormal users through ensemble learning methods. Finally, by anomaly scoring, a group of users with the highest anomaly risk is located. In practice, by checking the top 10 abnormal users, it is shown that the UEBA landing mode of Anheng Information is extremely efficient in abnormal user detection.
Keywords:UEBA  machine learning  internal threat  compromised account  anomaly detection
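The abstract describes a pipeline of per-user feature vectors, three anomaly detectors combined by ensemble learning, and an anomaly score used to rank the riskiest users for investigation. The following is an added example that is not the paper's code: the paper does not name its three algorithms or its four feature dimensions, so the six feature names, the three detectors (a robust z-score, a k-nearest-neighbour distance and a histogram-density score) and the rank-averaging ensemble are all assumptions chosen to illustrate the approach, and the per-user profiles are constructed sample data with two deliberately anomalous accounts.

```python
"""Ensemble anomaly scoring for UEBA-style user profiles (added example, not from the paper)."""
import math
from typing import Dict, List, Tuple

# Assumed feature names (the paper does not list its features); values are per-user
# aggregates over an observation window, e.g. 30 days.
FEATURES = ["logins_per_day", "offhours_ratio", "failed_login_ratio",
            "distinct_hosts", "bytes_out_mb", "distinct_src_ips"]

# Constructed sample profiles: u01-u10 behave normally; u11 shows off-hours activity with
# a large outbound volume, u12 shows many failed logins across many hosts and source IPs.
USERS: Dict[str, List[float]] = {
    "u01": [9, 0.05, 0.02, 3, 120, 1],
    "u02": [11, 0.08, 0.03, 2, 90, 2],
    "u03": [8, 0.02, 0.01, 4, 150, 1],
    "u04": [12, 0.10, 0.04, 3, 200, 2],
    "u05": [10, 0.06, 0.02, 2, 110, 1],
    "u06": [7, 0.03, 0.05, 3, 80, 1],
    "u07": [13, 0.09, 0.03, 4, 170, 2],
    "u08": [9, 0.04, 0.01, 2, 95, 1],
    "u09": [10, 0.07, 0.02, 3, 130, 2],
    "u10": [11, 0.05, 0.03, 3, 140, 1],
    "u11": [10, 0.80, 0.02, 3, 9000, 2],
    "u12": [40, 0.30, 0.60, 25, 120, 7],
}


def _median(xs: List[float]) -> float:
    s = sorted(xs)
    n = len(s)
    mid = n // 2
    return s[mid] if n % 2 else (s[mid - 1] + s[mid]) / 2


def robust_scale(profiles: Dict[str, List[float]]) -> Dict[str, List[float]]:
    """Scale each feature by median and MAD so outliers do not distort the baseline."""
    names = list(profiles)
    scaled = {u: [] for u in names}
    for j in range(len(FEATURES)):
        col = [profiles[u][j] for u in names]
        med = _median(col)
        mad = _median([abs(x - med) for x in col]) * 1.4826 or 1.0  # guard MAD == 0
        for u in names:
            scaled[u].append((profiles[u][j] - med) / mad)
    return scaled


def robust_zscore_detector(scaled: Dict[str, List[float]]) -> Dict[str, float]:
    """Detector 1: largest robust z-score across features (single-feature outliers)."""
    return {u: max(abs(v) for v in vec) for u, vec in scaled.items()}


def knn_distance_detector(scaled: Dict[str, List[float]], k: int = 3) -> Dict[str, float]:
    """Detector 2: mean distance to the k nearest other users (multivariate outliers)."""
    scores = {}
    for u, vec in scaled.items():
        dists = sorted(math.dist(vec, other) for o, other in scaled.items() if o != u)
        scores[u] = sum(dists[:k]) / k
    return scores


def histogram_detector(profiles: Dict[str, List[float]], bins: int = 5) -> Dict[str, float]:
    """Detector 3: sum over features of -log(bin density); sparse bins score high."""
    names = list(profiles)
    n = len(names)
    scores = {u: 0.0 for u in names}
    for j in range(len(FEATURES)):
        col = [profiles[u][j] for u in names]
        lo, hi = min(col), max(col)
        width = (hi - lo) / bins
        if width == 0:  # constant feature carries no information
            continue
        idx = {u: min(int((profiles[u][j] - lo) / width), bins - 1) for u in names}
        counts: Dict[int, int] = {}
        for b in idx.values():
            counts[b] = counts.get(b, 0) + 1
        for u in names:
            scores[u] += -math.log(counts[idx[u]] / n)
    return scores


def rank_normalize(scores: Dict[str, float]) -> Dict[str, float]:
    """Map detector scores to [0, 1] by rank (top = 1.0), so detectors with different
    scales contribute equally to the ensemble."""
    order = sorted(scores, key=scores.get, reverse=True)
    n = len(order)
    if n < 2:
        return {u: 1.0 for u in order}
    return {u: (n - 1 - i) / (n - 1) for i, u in enumerate(order)}


def ensemble_scores(profiles: Dict[str, List[float]]) -> Dict[str, float]:
    """Average the rank-normalized output of the three detectors into one anomaly score."""
    scaled = robust_scale(profiles)
    outputs = [robust_zscore_detector(scaled),
               knn_distance_detector(scaled),
               histogram_detector(profiles)]
    normalized = [rank_normalize(s) for s in outputs]
    return {u: sum(r[u] for r in normalized) / len(normalized) for u in profiles}


def top_anomalous_users(profiles: Dict[str, List[float]], n: int = 10) -> List[Tuple[str, float]]:
    """Return the n highest-scoring users, the batch an analyst would triage first."""
    scores = ensemble_scores(profiles)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for user, score in top_anomalous_users(USERS, n=10):
        print(f"{user}  {score:.3f}")
```

Rank averaging is used here because the three detectors produce scores on incomparable scales; each detector votes by ordering users, and a user flagged by all three rises to the top. On the constructed data, u11 (volume and off-hours outlier) and u12 (failed-login and host-spread outlier) occupy the first two places, which is the property a triage queue of the "top 10" kind described in the abstract relies on.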
This article is indexed in VIP (维普) and other databases.