基于LSTM的内部用户安全行为评估方法

内部用户安全行为评估方法由于较少考虑用户操作行为的前后关联性，导致用户操作行为评估的准确率受到影响。针对该情况，结合长短期记忆网络（LSTM）适合处理时间序列问题的特性，提出了一种基于LSTM的内部用户安全行为评估方法。该方法首先对数据作向量化处理；然后按照N vs 1方案进行数据划分，利用LSTM算法对已知用户操作行为习惯进行统一建模；最后使用双峰阈值（bimodal threshold）机制来确定判决阈值，并对用户操作行为进行评估。实验结果表明，该方法的数据划分方案提升了其检测未知用户操作异常的能力，而且通过引入双峰阈值机制，提高了其检测未知用户异常操作的查准率与查全率。

Internal User Security Behavior Evaluation Method Based on LSTM

The internal user security behavior assessment method affects the accuracy of the user's operational behavior assessment due to less considers the contextual relevance of the user's operational behaviors. In view of this situation, and considering the characteristics of long-short term memory (LSTM) is suitable for dealing with time series problems, an internal user security behavior evaluation method based on LSTM is proposed. In this method, the data are vectorized firstly and then divided according to the N vs. 1 scheme. The LSTM algorithm is used to uniformly model the known user's behavior habits. Finally, the decision threshold is determined by the bimodal threshold mechanism and user behaviors are evaluated. Experimental results show that the data partitioning scheme of this method improves the ability to detect abnormal operation of unknown users, and by introducing a bimodal threshold mechanism, the accuracy and recall of the algorithm for detecting abnormal operations of unknown users are improved.