abnormal behavior analysis model design

Posted by deaguero at 2020-03-30


Abnormal access refers to a situation in which network behavior deviates from its normal range. It covers many scenarios, such as web access, database access, operating system access and terminal interaction.

This paper briefly describes the current state of abnormal-access detection and its problems. On that basis, a least-squares abnormal-access analysis model based on univariate linear regression is proposed, to capture the correlation between time and access count in abnormal access.

Abnormal access has always been a problem in network information security. The difficulties mainly lie in the following aspects: a single model is expected to satisfy all scenarios; the conditions under which a model should be used are not clearly defined, so its results are unclear; and the calculation volume is large and the calculation time long.

Given this situation, this paper analyzes only the abnormal access of system login, and selects abnormal access periods by regression statistics of system login events against time.

The following figure is the sequence diagram of abnormal login event detection:

[Figure: Abnormal login sequence diagram]

The activity diagram flow of the abnormal login event model is as follows:

1) The user logs in and enters the corresponding user name and password.

2) The system performs login verification to determine whether it is a legal user.

3) Whether the login succeeds or fails, the login behavior is recorded.

4) Logs are automatically sent to the analysis system.

5) The analysis system analyzes the received logs using the least square method.

6) If an abnormal login event is found, an alarm event is triggered.

7) Finally, the staff receive the alarm prompt and view the corresponding alarm.

When an alarm is triggered, the staff need to carry out further work in the quantitative analysis module. From the login event one can find who logged in to which system and when. After recording this information in detail, subsequent disposal can be carried out.

The abnormal login model is an important analysis model of the analysis system. In this model, the least square method is used to judge whether a login event is abnormal. The judgment covers two types: abnormal successful logins and abnormal failed logins.

Take the following successful login events as an example:

[Table: Login statistics list]

The above table gives the statistics of successful system logins per 5-minute window. From the table alone we cannot see which time unit has abnormal logins, as the figure below shows:

[Figure: Scatter chart of login counts]

First, the least square method is used to fit the data.

[Figure: least square method]

The fitted straight line superimposed on the scatter diagram is as follows:

[Figure: Least square fitting of login counts]

[Figure: regression model]

The residual of each point is then calculated one by one:

[Table: Residual results of login counts]

As the table shows, the residuals of the three points with serial numbers 5, 9 and 10 deviate markedly. At the same time, according to experience, the normal residual of a login event usually lies between - 10 and + 10. The residuals of these three points clearly fall outside that range: 15.23967, - 16.4549 and 15.098, respectively.

For this login event we use a confidence interval of - 10 to + 10, which can be adjusted for different scenarios.
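The following is an added example, written for this page and not code from the original post or its analysis system. It carries the whole procedure through in one place: the log-collection steps 3 to 5 above (bucketing successful-login records into 5-minute windows), the univariate least-squares fit, the residual of each window, and the alarm decision against the - 10 to + 10 band. The log lines, the window counts and the user names are constructed; the function names and the line format `<ISO timestamp> LOGIN <result> user=<name>` are assumptions made for the example. The counts were chosen so that windows 5, 9 and 10 are the ones that fall outside the band, mirroring the post's table, but their residual values are not the post's.

```python
"""Least-squares screening of per-window login counts (added example).

Pipeline: login log lines -> counts per 5-minute window -> ordinary least
squares fit y = slope*x + intercept over the window serial numbers -> residual
per window -> windows whose residual leaves the configured band are alarms.
"""
from collections import Counter
from datetime import datetime, timedelta

BUCKET = timedelta(minutes=5)
START = datetime(2020, 3, 30, 8, 0, 0)  # constructed start of the first window

# Constructed data (not from the post): successful-login counts for ten
# consecutive 5-minute windows. Windows 5, 9 and 10 are deliberately off trend.
SAMPLE_COUNTS = [22, 24, 26, 28, 45, 32, 34, 36, 22, 55]


def make_sample_log(counts, start=START):
    """Expand per-window counts into constructed log lines so the bucketing
    step has realistic input. Line format is an assumption for this example."""
    lines = []
    for i, n in enumerate(counts):
        window_start = start + i * BUCKET
        for k in range(n):
            ts = window_start + timedelta(seconds=(k * 7) % 300)  # spread inside window
            lines.append(f"{ts.isoformat()} LOGIN SUCCESS user=u{k % 13}")
    return lines


def bucket_counts(lines, bucket=BUCKET, result="SUCCESS"):
    """Steps 3-5 of the model: count login events of one result type per window.
    Returns [(window_start, count)] sorted by time; windows with no event between
    the first and last one are filled with 0 so the x-axis stays regular."""
    counter = Counter()
    for line in lines:
        ts_text, _, res, *_ = line.split()
        if res != result:
            continue
        ts = datetime.fromisoformat(ts_text)
        floored = ts - (ts - datetime.min) % bucket  # floor to the window boundary
        counter[floored] += 1
    if not counter:
        return []
    first, last = min(counter), max(counter)
    out, t = [], first
    while t <= last:
        out.append((t, counter.get(t, 0)))
        t += bucket
    return out


def least_squares_fit(xs, ys):
    """Ordinary least squares for y = slope*x + intercept (univariate regression)."""
    n = len(xs)
    x_mean, y_mean = sum(xs) / n, sum(ys) / n
    sxx = sum((x - x_mean) ** 2 for x in xs)
    if sxx == 0:
        raise ValueError("need at least two distinct x values")
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean


def residuals(xs, ys, slope, intercept):
    """Observed count minus the fitted value, one per point."""
    return [y - (slope * x + intercept) for x, y in zip(xs, ys)]


def flag_anomalies(counts, lower=-10.0, upper=10.0):
    """Return [(serial_no, count, residual)] for windows whose residual lies
    outside [lower, upper]. Serial numbers start at 1, as in the post's table."""
    xs = list(range(1, len(counts) + 1))
    slope, intercept = least_squares_fit(xs, counts)
    res = residuals(xs, counts, slope, intercept)
    return [(x, y, r) for x, y, r in zip(xs, counts, res) if not lower <= r <= upper]


def analyze_log(lines, lower=-10.0, upper=10.0):
    """Full pipeline: raw lines -> [(window_start, count, residual)] alarms."""
    windows = bucket_counts(lines)
    flagged = flag_anomalies([c for _, c in windows], lower, upper)
    return [(windows[i - 1][0], y, r) for i, y, r in flagged]


if __name__ == "__main__":
    log = make_sample_log(SAMPLE_COUNTS)
    slope, intercept = least_squares_fit(list(range(1, 11)), SAMPLE_COUNTS)
    print(f"fit: y = {slope:.4f}x + {intercept:.4f}")
    for window_start, count, r in analyze_log(log):
        print(f"ALARM window {window_start:%H:%M} count={count} residual={r:+.2f}")
```

The band is a parameter of `flag_anomalies` and `analyze_log` rather than a constant, which matches the post's remark that the interval should be tuned per scenario; running the same functions with `result="FAILURE"` (or whatever the real log uses) gives the failed-login variant of the model.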

Using the least square method to query abnormal login events solves problems that are hard to detect in traditional statistical tables. The traditional way is to use top-N lists of successful and failed login events, but among many login events it is hard to bring out those that deserve the staff's attention.

The least square method separates the most obvious abnormal behavior from a large number of login events. Through this preliminary screening by the system, the staff are given a quantitative analysis capability and can analyze the corresponding events in the quantitative analysis module. At the same time, the residual threshold can be defined as needed, which makes it convenient to respond flexibly to different analysis requirements.
