Publication date: 2023
DOI: 10.1007/s11071-023-08954-1
In the security supervision sector, accurate detection and analysis of insider threats is important. In this article, we propose a new concept, the insider threat kill chain, which helps to understand the psychological and behavioral change process of malicious users. A novel user-level malicious behavior analysis model is also established, based on the non-negative matrix factorization-Gaussian mixture model (NMF-GMM). In particular, we carry out the analysis from three perspectives: typical malicious behavior characteristics, overall user behavior, and temporal individual behavior change. A new classification method is suggested that groups users by targeting malicious users with typical malicious features. The Z-score method is applied to establish an evaluation model of suspicious user behavior, and the threshold of normal behavior is also determined. Furthermore, a temporal individual behavior change model is established, malicious users are located by the Pettitt test method, and the times of their first malicious behaviors are given. Experimental results show that the proposed user grouping method and ensemble strategy are capable of detecting malicious users. © 2023, The Author(s), under exclusive licence to Springer Nature B.V.
Publisher: Springer Science and Business Media B.V.
Type: Article