Improved Detection of User Malicious Behavior through Log Mining based on IHMM

2018 
In the intelligence community, the presence of malicious insiders poses a severe threat to information security and to any decision that relies on such information. In this paper, we propose a novel methodology that detects malicious people who attempt to undermine internal security through a certain malicious operation. The detection method relies on each user's working style, which we assume to be consistent from task to task. Whether for security auditing, intrusion detection or other abnormal-behavior mining, existing approaches are static: most use pattern matching and rely on average ratios, which not only neglect the characteristics of the network but also cannot show the entire process dynamically. The internal rules of many network operations are cryptic, and their frequencies differ between time periods. If the frequency measured by each index in one period is used directly to measure that of other periods, the result is likely to be inaccurate. Much of the literature holds that network behavior data is continuous and regular in time and can therefore be described as a set of time-varying discrete data sequences. We therefore use an improved Hidden Markov Model (IHMM) to model the dynamic transitions of network behavior. After sets of off-line sample data are used to distinguish abnormal from normal behavior, the algorithm achieves a higher correct rate, and the overall audit system performs better.
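As an added illustration of the sequence-based scoring the abstract describes (not the paper's IHMM, nor code from its authors), the following treats each user session as a discrete observation sequence and scores it against a standard HMM with the forward algorithm; the states, transition and emission probabilities, threshold rule and sample sessions are all constructed assumptions, where a real deployment would learn them from off-line labelled samples.

```python
import math

# Constructed toy HMM (an assumption standing in for the paper's IHMM).
# Hidden states model a user's working mode; observations are discrete
# operation categories taken from audit logs. Real parameters would be
# learned off-line from labelled sample sessions.
START = {"routine": 0.95, "atypical": 0.05}
TRANS = {
    "routine":  {"routine": 0.90, "atypical": 0.10},
    "atypical": {"routine": 0.30, "atypical": 0.70},
}
EMIT = {
    "routine":  {"login": 0.20, "read": 0.45, "write": 0.25, "export": 0.02, "logout": 0.08},
    "atypical": {"login": 0.10, "read": 0.20, "write": 0.10, "export": 0.55, "logout": 0.05},
}

def _logsumexp(values):
    m = max(values)
    return m + math.log(sum(math.exp(v - m) for v in values))

def forward_log_likelihood(seq, start=START, trans=TRANS, emit=EMIT):
    """log P(seq | model): forward algorithm in log space, summed over all state paths."""
    alpha = {s: math.log(start[s]) + math.log(emit[s][seq[0]]) for s in start}
    for obs in seq[1:]:
        alpha = {
            s: _logsumexp([alpha[p] + math.log(trans[p][s]) for p in alpha])
            + math.log(emit[s][obs])
            for s in start
        }
    return _logsumexp(list(alpha.values()))

def per_event_score(seq):
    """Length-normalised log-likelihood so short and long sessions are comparable."""
    return forward_log_likelihood(seq) / len(seq)

def fit_threshold(normal_sessions, margin=0.1):
    """Calibrate on off-line normal samples: flag sessions scoring more than
    `margin` nats per event below the worst-scoring normal session."""
    return min(per_event_score(s) for s in normal_sessions) - margin

def score_sessions(sessions, threshold):
    """Return (session, per-event score, flagged) for each session."""
    return [(s, per_event_score(s), per_event_score(s) < threshold) for s in sessions]

# Constructed sample sessions: one sequence of operation categories per session.
NORMAL_SESSIONS = [
    ["login", "read", "read", "write", "logout"],
    ["login", "read", "write", "read", "read", "logout"],
]
SUSPECT_SESSION = ["login", "export", "export", "export", "export", "logout"]
```

Calling `score_sessions(NORMAL_SESSIONS + [SUSPECT_SESSION], fit_threshold(NORMAL_SESSIONS))` flags only the export-heavy session, because the whole ordered sequence is scored rather than an average operation ratio.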