
Research On Insider Threat Detection Based On Cross-Domain Behavior Analysis

Posted on: 2019-05-13
Degree: Master
Type: Thesis
Country: China
Candidate: D Wang
GTID: 2428330590965748
Subject: Computer Science and Technology
Abstract/Summary:
With the growing number of insider attacks in recent years, industries and governments have gradually come to attach importance to the insider threat, which seems new but has actually existed for a long time. Insider threats are more dangerous than outsider threats because malicious insiders have, or have had, authorized access to an organization's information system and intentionally exceed or misuse their privileges in a manner that seriously damages the confidentiality, integrity or availability of that system. Research on insider threat detection is therefore extremely important.

Existing insider threat detection methods mainly focus on integrating the anomaly alerts from each single domain; this kind of method cannot analyze user behavior in all detection domains simultaneously. Methods based solely on cross-domain behavior analysis do not take into account the error caused by reasonable changes in user behavior under special circumstances. These problems lead to low detection accuracy. In view of these deficiencies in existing methods, this thesis studies insider threat detection. Its main research contents and contributions are as follows:

Firstly, a novel method of insider threat detection is proposed. This method not only analyzes users' cross-domain behavior but also combines it with user background information to detect insider attack behavior comprehensively. Moreover, the method can analyze user behavior in all detection domains simultaneously and effectively tolerate reasonable deviations in user behavior caused by unexpected events, so it can improve the accuracy of insider threat detection. In the experiment, we use the proposed method to analyze user behavior data and background data in five detection domains, and the experimental results show that our method is superior to the typical method based on single-domain detection results and the method based on single cross-domain behavior analysis.

Secondly, the importance of the features that result in user behavior anomalies is measured based on the insider threat detection results, which provides a reference for enterprises and organizations to prevent insider threats or to assign weights to behavior features in a new round of insider threat detection.
Keywords/Search Tags:insider threat detection, cross-domain behavior analysis, non-negative matrix factorization, Gaussian mixture model, Chebyshev inequality