The Study Of The Insider Threat Detection Model Based On Operation Net

Posted on: 2010-04-12
Degree: Master
Type: Thesis
Country: China
Candidate: P Cui
Full Text: PDF
GTID: 2178360278956739
Subject: Computer technology
Abstract/Summary:
With the rapid development of information technology, more and more enterprises have introduced information administration systems based on computer networks. Although these systems have improved enterprises' work efficiency, they have also inevitably brought security problems. In the early stage of research, the security requirements for information systems concentrated mainly on defending against outside intrusion, and researchers have already made some achievements in this area. As for insider threats, which come from within the enterprise itself, although they have received more and more attention, the research and development of detection tools is still at an initial stage.

Present studies of the insider threat have focused on the assessment of insider threat, which is a relatively unexplored area both in China and abroad. The main target is to put forward a viable examination method and to use this method in designing and implementing an insider threat detection system.

First, we analyze in depth the present status of insider threats and the extent of the harm. Second, we define the meaning of insiders and of insider operation behaviors, which provides the basis for detecting the insider threat. We also study the classification of insider threats and discuss the characteristics of each insider threat category in detail, in order to better understand and detect the insider threat.

The main contribution of this work is the concept of the user operation net, which depicts insider operations on the system using a net structure and provides a minimal user operation chain for the user. Finally, we designed and implemented a detection model based on the user operation net. Using this model, the existence of insider threats can be detected by analyzing the discrepancy between the user operation track and the minimal user operation chain. Malicious threats and misuse threats can be easily distinguished by bringing in the user's minimal user operation chain. Experiments have confirmed the feasibility of this detection model.
Keywords/Search Tags:Insider, Operation Net, Minimal User Operation Chain, Insider Threat, Operation Track