面向邮件网络事件检测的用户行为模式挖掘  被引量：9

作　　者：李全刚[1] 时金桥[2,3] 秦志光[1] 柳厅文[2,3] 

机构地区：[1]电子科技大学计算机科学与工程学院,成都610054 [2]中国科学院信息工程研究所,北京100093 [3]信息内容安全技术国家工程实验室,北京100093

出　　处：《计算机学报》2014年第5期1135-1146,共12页Chinese Journal of Computers

基　　金：国家"八六三"高技术研究发展计划项目基金(2012AA013101;2011AA010706);国家自然科学基金(61133016);国家科技支撑计划(2012BAH37B04);中国科学院战略性先导科技专项课题(XDA06030200)资助~~

摘　　要：挖掘邮件网络通信中的用户行为模式并分析其演变过程对于检测数据泄漏、内部威胁等工作都有着重要指导意义.已有的邮件网络用户行为模式挖掘方法可大致分为两大类:基于邮件内容和基于网络结构.基于邮件内容的挖掘方法存在侵犯用户隐私或者因加密导致无法获得邮件内容等诸多局限性;基于网络结构的挖掘方法常把邮件网络视为是一个完整的网络,而忽略了组织外部邮箱间通信信息存在的缺失,使得提取某些特征时出现偏差,从而会影响到结论的准确性.文中将邮件网络分为两部分:域内通信网络和有连接缺失的域外通信网络,分析了域内通信和域外通信信息完整性的差异,分别提取了其各自的结构特征和职能特征.通过引入模元的概念,将常见的二元对应关系(特征-模式)转化为三元对应关系(特征-模元-模式),并从模元的角度来对用户模式进行统一描述.文中的工作有助于对用户行为模式的理解与对比,同时又具有降维的作用.在Enron邮件数据集上的实验结果表明文中方法将用户行为模式更加简洁地表示出来,并且能够通过分析用户行为模式的变化来直观地定位事件的发生.For an email network,mining the user behavior patterns and analyzing its evolutionplay an important role in detecting data breaches and insider threats.User behavior patternsmining methods can be divided into two general categories：content-based and structurebased.Content-based mining methods have many limitations.For example,it may violate user’s privacyor can not obtain the content due to encryption.While the structure-based methods usually treatthe email network as an integrated social network and ignore the missing communications betweentwo users outside an organization,which would cause large deviation to some features and affectthe accuracy of conclusion.In this paper,we divided an email network into two parts：intra-communication network and extra-communication network with missing communications.Thenwe analyzed the differences of information integrity between them and extracted their structuralfeatures and functional features respectively.Based on our basic behavior pattern unit,we transformed the traditional binary-relation （features-behavior pattern）into ternary-relation（features-pattern unit-behavior pattern）,and described user patterns from the perspective of basicbehavior pattern unit.Our work can enhance the interpretation and comparability of behaviorpatterns,and reduce the complexity of analysis.Experimental results on Enron dataset showedthat our work can describe user behavior patterns more conveniently,and intuitively detected thereal events from the evolution of user behavior patterns.

关 键 词：行为模式挖掘 事件检测 非负矩阵分解 邮件网络 日志分析 数据挖掘 信息安全 网络安全 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]