Peer-Reviewed

User and Entity Behavior Analytics Method Based on Adaptive Mixed-Attribute-Data Density Peaks Clustering

Received: 6 October 2022    Accepted: 25 October 2022    Published: 29 October 2022
Abstract

In the era of the digital economy, new technologies emerge in an endless stream and the network environment becomes increasingly complex; traditional security products, technologies and solutions can no longer meet these needs. To deal with increasingly severe network security challenges, User and Entity Behavior Analytics (UEBA) provides a new solution, and the application of statistical analysis, machine learning and deep learning further increases its adaptability and effectiveness. User and entity behavior analysis based on machine learning has therefore become one of the research hotspots in current academia. In this paper, a User and Entity Behavior Analytics method based on Adaptive Mixed-Attribute-Data Density Peaks Clustering is proposed. First, the access behavior records of user entities are extracted from the access logs of the servers to be monitored. Because these records contain mixed attributes, adaptive mixed-attribute-data density peaks clustering (AMDPC) is used to cluster them. Then a user behavior baseline is constructed within each cluster, and suspicious users and behaviors are analyzed against it. Combined with log backtracking and manual verification by experts, threat behavior is finally confirmed. The method has been deployed in a company's network security situation awareness platform and has achieved good practical results.
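The pipeline the abstract describes (cluster mixed-attribute access records, build a per-cluster baseline, surface the users that deviate from it), as an added example that is not the paper's own code: it uses the classic density peaks clustering of Rodriguez and Laio with a simple mixed distance in place of AMDPC, whose adaptive rules are not given on this page, and the records, column layout, cutoff `dc` and modified z-score threshold are all constructed assumptions.

```python
# Added example, not the paper's code: classic density peaks clustering (Rodriguez & Laio) over
# constructed access records, then a per-cluster median/MAD baseline; stands in for AMDPC.
from statistics import median

RECORDS = [  # constructed sample: (user, dept, resource, req_count, bytes_mb, peak_hour)
    ("u01", "finance", "erp", 40, 12.0, 10), ("u02", "finance", "erp", 45, 14.0, 11),
    ("u03", "finance", "erp", 38, 11.5, 9), ("u04", "finance", "erp", 42, 13.0, 10),
    ("u05", "dev", "git", 300, 80.0, 14), ("u06", "dev", "git", 320, 85.0, 15),
    ("u07", "dev", "git", 290, 78.0, 13), ("u08", "dev", "git", 310, 82.0, 14),
    ("u09", "finance", "erp", 900, 410.0, 3),  # finance account bulk-reading ERP at 03:00
]
NUM, CAT = (3, 4, 5), (1, 2)  # numeric and categorical column indexes

def mixed_distance(a, b, ranges):
    """Numeric columns add |gap| / column range; categorical columns add 1 on mismatch."""
    return sum(abs(a[i] - b[i]) / ranges[i] for i in NUM) + sum(a[i] != b[i] for i in CAT)

def density_peaks(records, dc, n_centers):
    """rho = neighbours within cutoff dc; delta = distance to the nearest denser point."""
    ranges = {i: (max(r[i] for r in records) - min(r[i] for r in records)) or 1 for i in NUM}
    n = len(records)
    dist = [[mixed_distance(records[i], records[j], ranges) for j in range(n)] for i in range(n)]
    rho = [sum(1 for j in range(n) if j != i and dist[i][j] < dc) for i in range(n)]
    order = sorted(range(n), key=lambda i: rho[i], reverse=True)  # ties broken by index
    delta, parent = [max(dist[order[0]])] * n, [order[0]] * n  # densest point: delta = max distance
    for k, i in enumerate(order[1:], 1):
        parent[i] = min(order[:k], key=lambda j: dist[i][j])
        delta[i] = dist[i][parent[i]]
    # centers have the largest rho * delta; the densest point tops that ranking, so chains end at a center
    centers = sorted(range(n), key=lambda i: rho[i] * delta[i], reverse=True)[:n_centers]
    labels = {idx: c for c, idx in enumerate(centers)}
    for i in order:  # non-centers inherit the label of their nearest denser point (already labelled)
        labels[i] = labels.get(i, labels[parent[i]])
    return [labels[i] for i in range(n)]

def modified_z(x, med, mad):
    return 0.6745 * (x - med) / mad if mad else (0.0 if x == med else float("inf"))

def flag_outliers(records, labels, threshold=3.5):
    """Per-cluster baseline: modified z-score per numeric column; flag any |z| > threshold."""
    flagged = []
    for c in sorted(set(labels)):
        members = [r for r, l in zip(records, labels) if l == c]
        baseline = {}
        for i in NUM:  # cluster baseline: median and MAD per numeric column
            med = median(m[i] for m in members)
            baseline[i] = (med, median(abs(m[i] - med) for m in members))
        for r in members:
            scores = {i: modified_z(r[i], *baseline[i]) for i in NUM}
            if any(abs(z) > threshold for z in scores.values()):
                flagged.append((r[0], c, scores))
    return flagged
```

With `dc=0.5` and `n_centers=2` the two departments form the clusters, and u09 lands in the finance cluster but is flagged on every numeric column; the flagged record is the input for the log backtracking and expert verification the abstract describes.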

Published in International Journal of Data Science and Analysis (Volume 8, Issue 5)
DOI 10.11648/j.ijdsa.20220805.17
Page(s) 163-168
Creative Commons

This is an Open Access article, distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution and reproduction in any medium or format, provided the original work is properly cited.

Copyright

Copyright © The Author(s), 2024. Published by Science Publishing Group

Keywords

User and Entity Behavior Analytics, UEBA, Density Peaks Clustering, AMDPC, Cybersecurity

Cite This Article
  • APA Style

    Shihua Liu. (2022). User and Entity Behavior Analytics Method Based on Adaptive Mixed-Attribute-Data Density Peaks Clustering. International Journal of Data Science and Analysis, 8(5), 163-168. https://doi.org/10.11648/j.ijdsa.20220805.17


    ACS Style

    Shihua Liu. User and Entity Behavior Analytics Method Based on Adaptive Mixed-Attribute-Data Density Peaks Clustering. Int. J. Data Sci. Anal. 2022, 8(5), 163-168. doi: 10.11648/j.ijdsa.20220805.17


    AMA Style

    Shihua Liu. User and Entity Behavior Analytics Method Based on Adaptive Mixed-Attribute-Data Density Peaks Clustering. Int J Data Sci Anal. 2022;8(5):163-168. doi: 10.11648/j.ijdsa.20220805.17


Author Information
  • School of Artificial Intelligence, Wenzhou Polytechnic, Wenzhou, China
