基于用户窗口行为的内部威胁检测研究

用户在计算机上的行为直接体现在与应用窗口的交互过程中.针对内网安全问题,从应用窗口的使用角度出发,对用户行为进行研究.搭建完全自由的内网环境,采集与分析用户在应用窗口上的行为数据,提取面向异常用户检测与用户变化行为识别的行为特征.通过样本均值分布特性和K-S检验验证了不同用户使用应用窗口的行为存在显著差异,并结合欧氏距离与置信区间,构建异常行为检测算法.实验结果表明,该算法能够有效检测异常用户与识别用户变化行为,准确率分别高达97.4%和94.5%,对于内部威胁防御具有重要作用.

Research on Internal Threat Detection Based on User Window Behavior

User behavior on a computer is directly reflected in the interactions with application windows.To address intranet security issues,research on user behavior is conducted from the perspective of the use of application windows.A completely free intranet environment is built,and user behavior data on application windows is collected and analyzed.On this basis,two kinds of behavior features of the use of application windows are extracted,which solve abnormal user detection and user change behavior recognition respectively.By using the sample mean distribution features and K-S test,it is verified that there are significant differences in the behavior of different users using application windows.Then,an abnormal behavior detection algorithm is constructed by combining Euclidean distance and confidence interval.Experimental results show that the algorithm can detect abnormal users and identify changed user behavior with a high accuracy.The accuracy rates are 97.4%and 94.5%respectively,which has practical application significance for preventing internal threats.