Research On Detection Of Resources Abusing Behavior Based On Abnormal Probability And Hidden Markov Model

With the development and popularization of Internet, the depth and breadth of thecommunication of social information is in the gradual progress, which is followed by therapid-increased computer crime cases. The national confidential information is facing greatchallenges. Therefore, the research on computer network security and internal staffresources abusing is becoming a hot spot in this field.First of all, this paper makes a conceptual description of internal users and theirbehavior trajectory, and also specifies the behavior content that should be collected in theexperiment, which has paved the way for the later experimental data acquisition. Besides,we make an elaborate description of the role-based internal threat detection model,including its model characterization, working principle and performance analysis.Secondly, the hidden Markov model is presented in great details, focusing on theclassic three basic questions of hidden Markov model. In different scenarios, the solutionsof these three basic questions are different. This is the critical point to apply this model topractice reasonably, as well as the theoretical basis of the algorithm presented in thispaper.Personnel resources abusing behavior, as a type of information systems internalsecurity threats, is of high danger. This kind of behavior is very concealing because it isconducted by the internal staff who has lawful authority to use the resources. The existingtechnologies can not either be able to meet the requirements on the detection accuracy ofsuch actions, or detect new resources abusing behavior. Therefore, we propose aninternal staff resources abusing detection method which is based on hidden Markovmodels, considering the document of information system as the model state and the internal user transaction processing operations as the observation symbols; analyzing thedetecting process on the abuse of resources by this model from a practical point of view.Experimental results show that it can improve the hit rate and reduce the false alarm rateby the internal staff access behavior control mechanisms established based on this modelto detect the resource abusing behavior to a certain extent.