ATHITD：基于注意力的时间异构图神经网络内部威胁检测

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-07-19 DOI:10.1016/j.cose.2025.104587

Yinhao Qi, Chuyi Yan, Zehui Wang, Chen Zhang, Song Liu, Zhigang Lu, Bo Jiang

{"title":"ATHITD：基于注意力的时间异构图神经网络内部威胁检测","authors":"Yinhao Qi, Chuyi Yan, Zehui Wang, Chen Zhang, Song Liu, Zhigang Lu, Bo Jiang","doi":"10.1016/j.cose.2025.104587","DOIUrl":null,"url":null,"abstract":"<div><div>Insider threats can lead to data leakage and system crashes within an organization, seriously compromising the security of information systems. Most existing detection methods focus on analyzing user behavior sequences or constructing user relationship networks based on behavior feature similarities between users to uncover malicious insiders. However, these methods ignore the association between users and entities (e.g., files, processes, PCs, websites, and removable devices) and the evolution of user behavior patterns over time. This paper proposes an attention-based temporal heterogeneous graph neural network for insider threat detection (<strong>ATHITD</strong>) to address these issues. Firstly, ATHITD constructs sequences of temporal heterogeneous graphs from various logs based on the specified time window to depict the evolving and complex relationships between users and entities. Secondly, it introduces temporal neighbors for target nodes within each time window to describe short-term temporal dependencies. Temporal neighbors are nodes identical to the target nodes and appeared in the previous time windows. It then employs the attention mechanism to learn the spatial heterogeneity of target nodes and the short-term feature evolution from temporal neighbors to target nodes. Additionally, it uses the self-attention mechanism in Transformer to learn the long-term feature evolution of user nodes across various time windows. Furthermore, ATHITD can focus on the time windows in which malicious activities occur, helping security personnel analyze potential malicious activities in the highlighted time windows. Extensive experiments on the public datasets CERT and LANL demonstrate that the long and short-term spatio-temporal node embeddings learned by ATHITD can be effectively used to identify malicious insiders. ATHITD achieves F1 scores of 0.96 and 0.97 on the CERT and LANL datasets, respectively, outperforming existing state-of-the-art methods.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104587"},"PeriodicalIF":5.4000,"publicationDate":"2025-07-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"ATHITD: Attention-based temporal heterogeneous graph neural network for insider threat detection\",\"authors\":\"Yinhao Qi, Chuyi Yan, Zehui Wang, Chen Zhang, Song Liu, Zhigang Lu, Bo Jiang\",\"doi\":\"10.1016/j.cose.2025.104587\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Insider threats can lead to data leakage and system crashes within an organization, seriously compromising the security of information systems. Most existing detection methods focus on analyzing user behavior sequences or constructing user relationship networks based on behavior feature similarities between users to uncover malicious insiders. However, these methods ignore the association between users and entities (e.g., files, processes, PCs, websites, and removable devices) and the evolution of user behavior patterns over time. This paper proposes an attention-based temporal heterogeneous graph neural network for insider threat detection (<strong>ATHITD</strong>) to address these issues. Firstly, ATHITD constructs sequences of temporal heterogeneous graphs from various logs based on the specified time window to depict the evolving and complex relationships between users and entities. Secondly, it introduces temporal neighbors for target nodes within each time window to describe short-term temporal dependencies. Temporal neighbors are nodes identical to the target nodes and appeared in the previous time windows. It then employs the attention mechanism to learn the spatial heterogeneity of target nodes and the short-term feature evolution from temporal neighbors to target nodes. Additionally, it uses the self-attention mechanism in Transformer to learn the long-term feature evolution of user nodes across various time windows. Furthermore, ATHITD can focus on the time windows in which malicious activities occur, helping security personnel analyze potential malicious activities in the highlighted time windows. Extensive experiments on the public datasets CERT and LANL demonstrate that the long and short-term spatio-temporal node embeddings learned by ATHITD can be effectively used to identify malicious insiders. ATHITD achieves F1 scores of 0.96 and 0.97 on the CERT and LANL datasets, respectively, outperforming existing state-of-the-art methods.</div></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":\"157 \",\"pages\":\"Article 104587\"},\"PeriodicalIF\":5.4000,\"publicationDate\":\"2025-07-19\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404825002767\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002767","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

内部威胁可能导致组织内部的数据泄漏和系统崩溃，严重损害信息系统的安全性。现有的检测方法大多侧重于分析用户行为序列或基于用户之间的行为特征相似性构建用户关系网络来发现恶意内部人。然而，这些方法忽略了用户和实体（例如，文件、进程、pc、网站和可移动设备）之间的关联以及用户行为模式随时间的演变。为了解决这些问题，本文提出了一种基于注意力的内部威胁检测时间异构图神经网络（ATHITD）。首先，ATHITD基于指定的时间窗口，从各种日志中构建时序异构图序列，以描述用户与实体之间不断演变的复杂关系。其次，在每个时间窗口内为目标节点引入时间邻居来描述短期时间依赖性；时间邻居是在前一个时间窗口中出现的与目标节点相同的节点。然后利用注意机制学习目标节点的空间异质性以及从时间邻居到目标节点的短期特征演化。此外，它使用Transformer中的自关注机制来学习用户节点跨不同时间窗口的长期特征演变。此外，ATHITD还可以关注恶意活动发生的时间窗口，帮助安全人员分析突出显示的时间窗口内潜在的恶意活动。在公共数据集CERT和LANL上的大量实验表明，ATHITD学习的长、短时时空节点嵌入可以有效地用于识别恶意内部人员。ATHITD在CERT和LANL数据集上的F1得分分别为0.96和0.97，优于现有最先进的方法。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

ATHITD: Attention-based temporal heterogeneous graph neural network for insider threat detection

Insider threats can lead to data leakage and system crashes within an organization, seriously compromising the security of information systems. Most existing detection methods focus on analyzing user behavior sequences or constructing user relationship networks based on behavior feature similarities between users to uncover malicious insiders. However, these methods ignore the association between users and entities (e.g., files, processes, PCs, websites, and removable devices) and the evolution of user behavior patterns over time. This paper proposes an attention-based temporal heterogeneous graph neural network for insider threat detection (ATHITD) to address these issues. Firstly, ATHITD constructs sequences of temporal heterogeneous graphs from various logs based on the specified time window to depict the evolving and complex relationships between users and entities. Secondly, it introduces temporal neighbors for target nodes within each time window to describe short-term temporal dependencies. Temporal neighbors are nodes identical to the target nodes and appeared in the previous time windows. It then employs the attention mechanism to learn the spatial heterogeneity of target nodes and the short-term feature evolution from temporal neighbors to target nodes. Additionally, it uses the self-attention mechanism in Transformer to learn the long-term feature evolution of user nodes across various time windows. Furthermore, ATHITD can focus on the time windows in which malicious activities occur, helping security personnel analyze potential malicious activities in the highlighted time windows. Extensive experiments on the public datasets CERT and LANL demonstrate that the long and short-term spatio-temporal node embeddings learned by ATHITD can be effectively used to identify malicious insiders. ATHITD achieves F1 scores of 0.96 and 0.97 on the CERT and LANL datasets, respectively, outperforming existing state-of-the-art methods.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.