Behavior Rhythm: A New Model for Behavior Visualization and Its Application in System Security Management

The widespread use of social media, cloud computing, and the Internet of Things generates massive behavior data recorded in system logs, and using these data to improve the stability and security of such systems becomes harder as the number of users and the volume of data grow. In this paper, we propose a novel model named behavior rhythm (BR) to characterize and visualize user behavior from massive logs and apply it to system security management. Based on the BR model, we conduct clustering analysis to mine user clusters; different management and access control policies can then be applied to different clusters to improve management efficiency. We then apply non-negative matrix factorization to the BRs to perform anomaly detection, and employ BR similarity calculation to track potential anomalies quickly. The detection and tracking results help administrators contain threats efficiently. Experimental results on datasets collected from the campus network center of Xi'an Jiaotong University verify the accuracy and efficiency of our method in user behavior profiling and security management, laying a solid foundation for improving system stability and quality of service.
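The following is an added illustration of the pipeline the abstract describes, not the paper's own code or its exact BR definition. It assumes a simplified rhythm (a per-user 24-bin histogram of hourly log events), a constructed syslog-like line format with invented user names, cosine-similarity clustering, rank-1 non-negative matrix factorization (Lee-Seung multiplicative updates) whose per-user reconstruction error is the anomaly score, and nearest-rhythm lookup as the tracking step.

```python
import math
import re
from collections import defaultdict

# Constructed activity spec (user -> {hour: event count}). alice..dave are
# daytime users, mallory and trent are night-time users. Not real data.
ACTIVITY = {
    "alice":   {9: 3, 10: 5, 11: 6, 12: 2, 13: 4, 14: 6, 15: 5, 16: 3, 17: 1},
    "bob":     {9: 2, 10: 4, 11: 5, 12: 3, 13: 3, 14: 5, 15: 6, 16: 4, 17: 2},
    "carol":   {9: 4, 10: 4, 11: 5, 12: 3, 13: 2, 14: 4, 15: 5, 16: 4, 17: 3},
    "dave":    {9: 1, 10: 3, 11: 6, 12: 4, 13: 3, 14: 6, 15: 4, 16: 2, 17: 1},
    "mallory": {1: 4, 2: 6, 3: 5, 4: 2},
    "trent":   {1: 3, 2: 5, 3: 6, 4: 3},
}

def constructed_logs():
    """Expand the spec into syslog-like lines (constructed sample, one day)."""
    lines = []
    for user, hours in ACTIVITY.items():
        for hour, n in hours.items():
            for k in range(n):
                lines.append(f"2019-03-04T{hour:02d}:{(k * 7) % 60:02d}:00 "
                             f"auth: session opened for user={user}")
    return lines

LOG_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T(\d{2}):\d{2}:\d{2} .*user=(\w+)")

def build_rhythms(lines, bins=24):
    """Rhythm as assumed here: per-user histogram of event counts by hour."""
    counts = defaultdict(lambda: [0.0] * bins)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            counts[m.group(2)][int(m.group(1))] += 1
    return dict(counts)

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def cluster_users(rhythms, threshold=0.5):
    """Connected components of the graph linking users with cosine >= threshold."""
    users, seen, clusters = list(rhythms), set(), []
    for u in users:
        if u in seen:
            continue
        comp, stack = set(), [u]
        while stack:
            x = stack.pop()
            if x in comp:
                continue
            comp.add(x)
            stack.extend(y for y in users if y not in comp
                         and cosine(rhythms[x], rhythms[y]) >= threshold)
        seen |= comp
        clusters.append(sorted(comp))
    return clusters

def nmf(V, rank=1, iters=200, eps=1e-12):
    """Lee-Seung multiplicative updates minimising ||V - WH||_F (pure Python)."""
    n, m = len(V), len(V[0])
    W = [[1.0] * rank for _ in range(n)]
    H = [[1.0] * m for _ in range(rank)]
    for _ in range(iters):
        for r in range(rank):            # H <- H * (W^T V) / (W^T W H)
            for j in range(m):
                num = sum(W[i][r] * V[i][j] for i in range(n))
                den = sum(W[i][r] * sum(W[i][s] * H[s][j] for s in range(rank))
                          for i in range(n))
                H[r][j] *= num / (den + eps)
        for i in range(n):               # W <- W * (V H^T) / (W H H^T)
            for r in range(rank):
                num = sum(V[i][j] * H[r][j] for j in range(m))
                den = sum(sum(W[i][s] * H[s][j] for s in range(rank)) * H[r][j]
                          for j in range(m))
                W[i][r] *= num / (den + eps)
    return W, H

def rank_anomalies(rhythms, rank=1):
    """Score each user by the fraction of its rhythm the low-rank model misses."""
    users = list(rhythms)
    V = [rhythms[u] for u in users]
    W, H = nmf(V, rank)
    scores = {}
    for i, u in enumerate(users):
        recon = [sum(W[i][s] * H[s][j] for s in range(rank)) for j in range(len(V[0]))]
        resid = sum((v - r) ** 2 for v, r in zip(V[i], recon))
        scores[u] = resid / sum(v * v for v in V[i])
    return sorted(scores.items(), key=lambda kv: -kv[1])

def track_similar(rhythms, suspect, k=1):
    """Tracking step: users whose rhythm is closest to a flagged user's."""
    others = [(cosine(rhythms[suspect], rhythms[u]), u) for u in rhythms if u != suspect]
    return [u for _, u in sorted(others, reverse=True)[:k]]

if __name__ == "__main__":
    br = build_rhythms(constructed_logs())
    print("clusters:", cluster_users(br))
    ranked = rank_anomalies(br)
    print("residual ranking:", [(u, round(s, 3)) for u, s in ranked])
    print("closest to", ranked[0][0], "->", track_similar(br, ranked[0][0], k=2))
```

With rank 1 the factorization captures the dominant (daytime) rhythm shared by most users, so the two night-time users get a reconstruction error close to 1.0 while the daytime users stay well below it; raising `rank` lets the model absorb a second behavior pattern, which is the usual tuning knob when a benign minority cluster is being flagged.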
