Publication Year: 2022
Paper Information

Paper Title (Korean)
[Vol.17, No.4] BERT Masked Language Model for Insider Threat Detection

Authors
Min-Hyeok Son, Sang-Joon Lee

Abstract
The risk of insider threats is increasing as telecommuting expands in the wake of the pandemic. Companies deploy various security solutions to reduce insider threats, but these cannot capture all human behavior. To address this, detection of insider threat behavior using deep learning is being actively studied. Two challenges remain, however: attack data is very scarce by the nature of insider threats, and time and action data must be learned jointly. In this paper, we propose an insider threat detection model based on the masked language model (MLM), the pre-training objective of Bidirectional Encoder Representations from Transformers (BERT). We trained on the CERT dataset, using a custom tokenizer to map events to action tokens with timestamps discretized into 30-minute intervals. The model learns the characteristics of normal behavior by training the masked language model on normal data only; the sum of the loss values on normal data is computed as a threat score, and its maximum is set as a per-user detection boundary. When new data produces a threat score that exceeds this boundary, it is flagged as abnormal behavior. Experiments showed that, compared with existing deep learning models, the proposed model reacts sensitively when behavior occurs at an unusual time, and it achieves adequate detection performance in scenarios where the preparation and execution of a threat are separated. As a result, the class imbalance that hampers insider threat detection is turned into an advantage, since the large volume of normal data is all the model needs for training. Moreover, unlike existing LSTM-based approaches, sufficiently fine-grained time information can be mapped to behavior and used in training.
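To make the described procedure concrete, below is a minimal sketch of the 30-minute tokenization, threat-score, and per-user threshold logic, assuming the HuggingFace transformers API. The vocabulary size, the "action@HH:MM" token scheme, and the helper names (to_token, threat_score, detection_boundary, is_abnormal) are illustrative assumptions, not the authors' released code.

# Sketch of the threat-scoring procedure described in the abstract.
# Assumptions (illustrative, not the authors' code): HuggingFace
# transformers API, a custom "action@HH:MM" token vocabulary on a
# 30-minute grid, and hypothetical helper names.

import torch
from transformers import BertConfig, BertForMaskedLM

def to_token(action, ts):
    # Discretize the timestamp to a 30-minute slot and fuse it with the action.
    slot_minute = (ts.minute // 30) * 30
    return f"{action}@{ts.hour:02d}:{slot_minute:02d}"

config = BertConfig(vocab_size=512)  # size depends on the custom action/time vocabulary
model = BertForMaskedLM(config)
model.eval()

def threat_score(token_ids, mask_token_id):
    # Sum of MLM losses with each position masked in turn.
    total = 0.0
    for i in range(token_ids.size(0)):
        masked = token_ids.clone()
        masked[i] = mask_token_id
        labels = torch.full_like(token_ids, -100)  # -100 is ignored by the MLM loss
        labels[i] = token_ids[i]
        with torch.no_grad():
            out = model(input_ids=masked.unsqueeze(0), labels=labels.unsqueeze(0))
        total += out.loss.item()
    return total

def detection_boundary(normal_sessions, mask_token_id):
    # Per-user boundary: the maximum threat score observed on normal data.
    return max(threat_score(s, mask_token_id) for s in normal_sessions)

def is_abnormal(session, boundary, mask_token_id):
    # New data is flagged when its threat score exceeds the user's boundary.
    return threat_score(session, mask_token_id) > boundary

The sketch covers only the scoring and thresholding side; in the paper, the model is first trained on each user's normal token sequences with the standard MLM objective before scores are computed.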
Attached Paper
|
|
|
|
|