
Research On Anomaly Detection Model Of Insider Threat Based On Document Access Behavior

Posted on: 2016-11-13
Degree: Master
Type: Thesis
Country: China
Candidate: R Zhang
GTID: 2308330467480834
Subject: Computer Science and Technology
Abstract/Summary:
With the rapid development of information technology, enterprises and organizations have enjoyed great convenience from information systems. However, information leakage caused by insiders is becoming more frequent. Current network protection methods are effective in preventing information leakage by outsiders, but they are ineffective against leakage by insiders. The severe consequences of insider threats make effective countermeasures necessary, yet anomaly detection for insider threats remains largely theoretical at present. This paper first reviews the research status of insider threats and summarizes the domestic research results. It then proposes a definition of insider threat and summarizes its three characteristics: it is high-risk, hidden and disguised. As the carriers of information, files play an important role in the internal network, so it is necessary to protect them. From the perspective of files, and based on relevant investigation, the paper presents several methods for preventing insider threats according to these characteristics. In previous research, anomaly detection for insider threats has always used either individual or community behavior models. Both have disadvantages: anomaly detection based on individual behavior neglects changes in individuals' interests, and detection based on community behavior neglects users' personalities. The paper proposes an anomaly detection model for insider threats that is based on file access behavior and combines the individual and community models. The process of the model is analyzed as follows. First, the model uses text classification to classify the contents of files by subject and sets up subject correlation matrices for both individuals and communities. It then proposes a comprehensive model to detect insider threats, which simultaneously takes into consideration the deviations of individuals' current behaviors, their historical behaviors and their associated community behaviors. Finally, the paper designs a simulation test and presents its whole process. According to the experimental results, the proposed model can successfully detect anomalous access to files in internal systems.
Keywords/Search Tags: Insider Threat, File Content, Records of Access, Anomaly Detection, Text Classification, Individual, Community
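The combined individual-plus-community idea in the abstract can be sketched as follows; this is an added example, not code from the thesis. It assumes each accessed file already carries a subject label from an upstream text classifier, and it substitutes per-subject access distributions, Jensen-Shannon divergence, an equal weighting and a fixed threshold for the thesis's correlation matrices and scoring, none of which the abstract specifies.

```python
import math
from collections import Counter

SUBJECTS = ["finance", "hr", "engineering", "sales"]  # constructed labels

def distribution(accesses, alpha=1.0):
    """Laplace-smoothed share of accesses per subject."""
    counts = Counter(accesses)
    total = len(accesses) + alpha * len(SUBJECTS)
    return [(counts[s] + alpha) / total for s in SUBJECTS]

def js_divergence(p, q):
    """Jensen-Shannon divergence in bits; 0 = identical, 1 = disjoint."""
    m = [(a + b) / 2 for a, b in zip(p, q)]
    def kl(x, y):
        return sum(a * math.log2(a / b) for a, b in zip(x, y) if a > 0)
    return 0.5 * kl(p, m) + 0.5 * kl(q, m)

def anomaly_score(current, history, community, w=0.5):
    """Combine deviation from own history and from the community."""
    cur = distribution(current)
    d_hist = js_divergence(cur, distribution(history))
    d_comm = js_divergence(cur, distribution(community))
    return {"history": d_hist, "community": d_comm,
            "score": w * d_hist + (1 - w) * d_comm}

# Constructed access records: subject of each file a user opened.
HISTORY = ["engineering"] * 18 + ["sales"] * 2     # user's past window
COMMUNITY = ["engineering"] * 30 + ["sales"] * 10  # peers, same period
WINDOWS = {
    "routine": ["engineering"] * 9 + ["sales"],
    "interest_shift": ["sales"] * 7 + ["engineering"] * 3,
    "off_profile": ["finance"] * 6 + ["hr"] * 4,
}
THRESHOLD = 0.3  # assumed cut-off, would be tuned on real data

def evaluate():
    return {name: anomaly_score(w, HISTORY, COMMUNITY)
            for name, w in WINDOWS.items()}

if __name__ == "__main__":
    for name, r in evaluate().items():
        flag = "ALERT" if r["score"] > THRESHOLD else "ok"
        print(f"{name:15s} hist={r['history']:.3f} "
              f"comm={r['community']:.3f} score={r['score']:.3f} {flag}")
```

In the `interest_shift` window the community term pulls the score below what the history term alone would give, which is the weakness of purely individual models that the abstract describes.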