
Research And Implementation Of Internal Network Distributed User's Behavior Audit And Abnormal Detection System

Posted on: 2010-01-05
Degree: Master
Type: Thesis
Country: China
Candidate: Q X Cai
Full Text: PDF
GTID: 2178360272479039
Subject: Computer software and theory
Abstract/Summary:
As networks expand and their structure grows more complex by the day, information security problems have become more serious. Keeping sensitive information secure has become an important issue in the social, political, economic, military and other fields. In recent years, network attacks have gradually shifted from external attackers to internal ones. Internal attacks are broad in scope, weakly specific and highly concealed; they pass through firewalls and intrusion detection systems easily and are harder to prevent than attacks by external viruses and hackers. Firewalls and IDS alone can no longer meet these security requirements. Security audit technology largely makes up for the shortcomings of those two and has become an important measure in network security.

This thesis summarizes the characteristics of internal network users' behavior and of abnormal behavior, studies the correlation between user behavior events, identifies two kinds of correlation between behavior events (content correlation and time-sequence correlation), and designs an analysis algorithm for each. It then designs and implements an internal network behavior audit system on a distributed architecture, consisting of a distributed data capture module, a filter module, a real-time data analysis module and an alarm module, following the TCSEC, CC and GB17859-1999 standards. The system captures most kinds of user operation logs, such as program execution, file reads and writes and page accesses, at the driver layer through a HOOK mechanism.

The audit data is transferred to the audit center over the network, where the analysis module analyzes it in real time using clustering and time-sequence correlation methods to detect abnormal (or attack) behavior and raise alarms. Test results on the operating system and on the access control module of an application system (an ERP system was used) show that the system monitors and records user behavior effectively, and that the real-time analysis module also discovers abnormal operations effectively.
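The two correlation methods the abstract names (content correlation via clustering of user behavior, and time-sequence correlation of ordered events) can be shown on a handful of audit records. The following is an added example written for this page, not code from the thesis or its system: the record layout (`<ISO timestamp> <user> <event_type> <target>`), the five event types, the 0.35 distance threshold, the 60-second window and the sample records are all assumptions chosen for illustration, and the "clustering" step is simplified to a single population centroid.

```python
"""Toy audit-center analysis: content correlation (per-user operation profiles
against the population) and time-sequence correlation (ordered event types in
a time window). Added example, not thesis code; format, event types, threshold
and window are assumptions."""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts user etype target")  # assumed record layout
EVENT_TYPES = ("PROC_EXEC", "FILE_READ", "FILE_WRITE", "PAGE_ACCESS", "NET_SEND")

# Constructed sample records "<ISO ts> <user> <type> <target>", not real data.
# mallory reads files and sends on the network seconds later; carol reads and
# sends too, but minutes apart. One malformed line exercises the filter step.
SAMPLE_LOG = """\
2010-01-05T09:00:01 alice PROC_EXEC winword.exe
2010-01-05T09:00:05 alice FILE_READ C:\\docs\\report.doc
2010-01-05T09:00:20 alice FILE_WRITE C:\\docs\\report.doc
2010-01-05T09:01:00 alice PAGE_ACCESS http://intranet/news
2010-01-05T09:02:00 alice FILE_READ C:\\docs\\budget.xls
2010-01-05T09:10:00 bob PROC_EXEC excel.exe
2010-01-05T09:10:05 bob PAGE_ACCESS http://intranet/wiki
2010-01-05T09:10:30 bob FILE_READ C:\\docs\\plan.xls
2010-01-05T09:11:00 bob FILE_WRITE C:\\docs\\plan.xls
2010-01-05T09:11:10 bob PAGE_ACCESS http://intranet/mail
2010-01-05T09:12:00 bob FILE_READ C:\\docs\\notes.txt
2010-01-05T10:00:00 mallory FILE_READ C:\\finance\\payroll.xls
2010-01-05T10:00:10 mallory FILE_READ C:\\finance\\contracts.doc
2010-01-05T10:00:20 mallory NET_SEND 203.0.113.7:443
2010-01-05T10:00:40 mallory FILE_READ C:\\finance\\salaries.xls
2010-01-05T10:00:50 mallory NET_SEND 203.0.113.7:443
2010-01-05T10:01:30 mallory NET_SEND 203.0.113.7:443
this line is malformed and is dropped by the filter step
2010-01-05T11:00:00 carol FILE_READ C:\\docs\\minutes.doc
2010-01-05T11:00:15 carol PAGE_ACCESS http://intranet/hr
2010-01-05T11:00:30 carol PROC_EXEC outlook.exe
2010-01-05T11:00:45 carol FILE_WRITE C:\\docs\\minutes.doc
2010-01-05T11:01:00 carol FILE_READ C:\\docs\\agenda.doc
2010-01-05T11:05:00 carol NET_SEND mail.example.com:25
"""

def parse_audit_log(text):
    """Filter module: keep only well-formed records with a known event type."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[2] not in EVENT_TYPES:
            continue
        try:
            events.append(Event(datetime.fromisoformat(parts[0]), *parts[1:]))
        except ValueError:  # unparsable timestamp
            continue
    return events

def user_profiles(events):
    """Content correlation: relative frequency of each event type per user."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e.user][e.etype] += 1
    return {u: [c[t] / sum(c.values()) for t in EVENT_TYPES] for u, c in counts.items()}

def content_scores(profiles):
    """Euclidean distance of each profile from the population centroid
    (one-cluster simplification of the clustering step)."""
    n, dim = len(profiles), len(EVENT_TYPES)
    centroid = [sum(p[k] for p in profiles.values()) / n for k in range(dim)]
    return {u: sum((p[k] - centroid[k]) ** 2 for k in range(dim)) ** 0.5
            for u, p in profiles.items()}

def flag_abnormal_users(events, threshold=0.35):  # threshold is an assumption
    return {u: s for u, s in content_scores(user_profiles(events)).items() if s > threshold}

def time_sequence_alarms(events, rule, window_s):
    """Time-sequence correlation: per user, report each occurrence of the event
    types in `rule`, in order, all within window_s seconds of the first one."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alarms = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        i = 0
        while i < len(evs):
            if evs[i].etype != rule[0]:
                i += 1
                continue
            start, pos, j = evs[i].ts, 1, i + 1
            while j < len(evs) and pos < len(rule) and (evs[j].ts - start).total_seconds() <= window_s:
                if evs[j].etype == rule[pos]:
                    pos += 1
                j += 1
            if pos == len(rule):
                alarms.append((user, start.isoformat(), evs[j - 1].ts.isoformat()))
                i = j  # resume after the matched sequence
            else:
                i += 1
    return alarms

if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for user, score in sorted(flag_abnormal_users(evs).items()):
        print(f"ALARM content-correlation user={user} score={score:.2f}")
    for user, start, end in time_sequence_alarms(evs, ("FILE_READ", "NET_SEND"), 60):
        print(f"ALARM time-sequence user={user} FILE_READ@{start} -> NET_SEND@{end}")
```

On the sample records only mallory is flagged by the profile distance (a file-read-and-send mix unlike the other users), and only mallory's read-then-send pairs fall inside the 60 s window; carol's read followed by a send five minutes later is not reported until the window is widened. In a deployed audit center both the distance threshold and the window would be set from historical data per role rather than fixed constants, and the profile comparison would run against clusters of known-normal profiles rather than one centroid.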
Keywords/Search Tags: internal network security, behavior auditing, abnormal detection, event correlation, pattern matching