Feature engineering method using double-layer hidden markov model for insider threat detection

Abstract

In the past, most Hidden Markov models based on time series only used the original HMM model. The single-layer models (HMMs) structure has a big problem, and it isn't straightforward to play its due role when it is necessary to make fine adjustments to the scene. So it was impossible to entirely and flexibly perform user behavior. This paper performs feature extraction and analysis of user behavior data of time series. The data labels should be added after the parameters obtained by statistical methods for clustering to obtain the first hidden state, and the layers are further layered according to working hours and outside working hours. The experimental results show that the method has strong applicability and flexibility, and can quickly detect abnormal behavior.