Ripple2Detect: A semantic similarity learning based framework for insider threat multi-step evidence detection

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-03-06 DOI:10.1016/j.cose.2025.104387

Hongle Liu, Ming Liu, Lansheng Han, Haili Sun, Cai Fu

{"title":"Ripple2Detect: A semantic similarity learning based framework for insider threat multi-step evidence detection","authors":"Hongle Liu, Ming Liu, Lansheng Han, Haili Sun, Cai Fu","doi":"10.1016/j.cose.2025.104387","DOIUrl":null,"url":null,"abstract":"<div><div>Insider threat attacks occur when individuals misuse their access to an organization’s systems, data, or networks. These attacks, including Advanced Persistent Threats (APT), Pivoting, and Lateral Movement, often involve prolonged timelines and similar sensitive actions. Given the complexity of these attacks, current internal threat detection methods have their shortcomings.</div><div>Firstly, internal threat attacks typically involve multiple sequences of malicious operations, making it challenging to capture the entire attack process using a single model. Secondly, current research often overlooks the interconnections between user behavior sequences, failing to differentiate between malicious intentions, actions, and outcomes. This neglect may lead to forensic inaccuracies and the misattribution of benign activities as attacks, potentially causing erroneous responses. Furthermore, existing internal threat detection methods fail to mine relevant attack evidence from known sensitive behaviors to thoroughly analyze the attack mechanisms.</div><div>To address these challenges, we propose Ripple2Detect, a multi-step evidence detection framework for insider threat detection. First, Ripple2Detect builds an evidence sequence library by decomposing known attack behaviors into sequences and constructing a knowledge graph to measure their correlations. Next, we train a semantic similarity model based on the BERT architecture, tailored for operation sequences, to improve the detection of attack evidence. To overcome data imbalance, we introduce a contrastive learning loss to better distinguish between attack and non-attack behaviors. Finally, a preference propagation mechanism is used to predict attack behaviors within the knowledge graph.</div><div>We conduct experiments on Cert-r4.2 and Cert-r5.2 benchmark datasets, comparing our model with state-of-the-art approaches. The results suggest that our model can identify malicious sequences with 0.96 F1 score and achieve an attack identification F1 score of up to 0.99. The source code can be obtained from <span><span>https://github.com/L3LeTrigger-F/Ripple2Detect_code</span><svg><path></path></svg></span></div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104387"},"PeriodicalIF":4.8000,"publicationDate":"2025-03-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825000768","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Insider threat attacks occur when individuals misuse their access to an organization’s systems, data, or networks. These attacks, including Advanced Persistent Threats (APT), Pivoting, and Lateral Movement, often involve prolonged timelines and similar sensitive actions. Given the complexity of these attacks, current internal threat detection methods have their shortcomings.

Firstly, internal threat attacks typically involve multiple sequences of malicious operations, making it challenging to capture the entire attack process using a single model. Secondly, current research often overlooks the interconnections between user behavior sequences, failing to differentiate between malicious intentions, actions, and outcomes. This neglect may lead to forensic inaccuracies and the misattribution of benign activities as attacks, potentially causing erroneous responses. Furthermore, existing internal threat detection methods fail to mine relevant attack evidence from known sensitive behaviors to thoroughly analyze the attack mechanisms.

To address these challenges, we propose Ripple2Detect, a multi-step evidence detection framework for insider threat detection. First, Ripple2Detect builds an evidence sequence library by decomposing known attack behaviors into sequences and constructing a knowledge graph to measure their correlations. Next, we train a semantic similarity model based on the BERT architecture, tailored for operation sequences, to improve the detection of attack evidence. To overcome data imbalance, we introduce a contrastive learning loss to better distinguish between attack and non-attack behaviors. Finally, a preference propagation mechanism is used to predict attack behaviors within the knowledge graph.

We conduct experiments on Cert-r4.2 and Cert-r5.2 benchmark datasets, comparing our model with state-of-the-art approaches. The results suggest that our model can identify malicious sequences with 0.96 F1 score and achieve an attack identification F1 score of up to 0.99. The source code can be obtained from https://github.com/L3LeTrigger-F/Ripple2Detect_code

查看原文本刊更多论文

当个人滥用对组织系统、数据或网络的访问权限时，就会发生内部威胁攻击。这些攻击，包括高级持续性威胁（APT）、Pivoting 和 Lateral Movement，通常涉及较长的时间线和类似的敏感行动。鉴于这些攻击的复杂性，目前的内部威胁检测方法有其不足之处。首先，内部威胁攻击通常涉及多个恶意操作序列，因此使用单一模型捕捉整个攻击过程具有挑战性。其次，当前的研究往往忽略了用户行为序列之间的相互联系，未能区分恶意意图、行为和结果。这种忽视可能会导致取证不准确，并将良性活动误认为攻击，从而可能导致错误的响应。此外，现有的内部威胁检测方法无法从已知的敏感行为中挖掘相关的攻击证据，从而彻底分析攻击机制。为了应对这些挑战，我们提出了 Ripple2Detect，这是一种用于内部威胁检测的多步骤证据检测框架。首先，Ripple2Detect 通过将已知攻击行为分解为序列并构建知识图谱来测量其相关性，从而建立证据序列库。接下来，我们在 BERT 架构的基础上，针对操作序列训练语义相似性模型，以提高攻击证据的检测能力。为了克服数据不平衡问题，我们引入了对比学习损失，以更好地区分攻击行为和非攻击行为。最后，我们使用偏好传播机制来预测知识图谱中的攻击行为。我们在 Cert-r4.2 和 Cert-r5.2 基准数据集上进行了实验，将我们的模型与最先进的方法进行了比较。结果表明，我们的模型能以 0.96 的 F1 分数识别恶意序列，攻击识别 F1 分数高达 0.99。源代码可从 https://github.com/L3LeTrigger-F/Ripple2Detect_code 获取。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.