
Research On Internal Threat Detection Based On User Window Behavior

Posted on: 2021-02-23
Degree: Master
Type: Thesis
Country: China
Candidate: Z Li
Full Text: PDF
GTID: 2428330602468838
Subject: Computer Science and Technology

Abstract/Summary:
Internal attacks, which destroy or steal internal assets, are initiated by an organization's own employees. The common defense against internal attacks is identity authentication technology, which cannot continuously and effectively verify the legitimacy of internal users. Continuous authentication based on biological characteristics has therefore gradually become a research hotspot and effectively remedies this defect of traditional identity authentication. But when the real user of the computer acts maliciously, such authentication loses its defensive function. To prevent the destruction or theft of resource files, some researchers have proposed studying file system access behavior, but defending only from the perspective of the file system cannot fully protect internal assets. This paper therefore comprehensively studies how users operate on assets, based on the behavior patterns of interaction between the user and computer application windows. The main research work and innovations are as follows:

(1) For the first time, this paper studies user behavior from the perspective of application window use. A real experimental environment is built, and a terminal behavioral data collector is developed to record how users use application windows. After data cleaning, 300,000 pieces of interaction data are obtained as the experimental data set.

(2) This paper proposes a set of features that effectively represent a user's application window use behavior, maps the measurement data of that behavior into a feature matrix space, and constructs the user's application window use behavior pattern. Using the sample mean and its sampling distribution theorem together with the K-S test, a difference detection algorithm is constructed. Experiments show that the algorithm can effectively detect differences between users' behavior and the consistency of a user's own behavior.

(3) To address abnormal user detection and the recognition of changes in user behavior, a behavior deviation quantification method is proposed that combines Euclidean distance and confidence intervals. An abnormal behavior detection algorithm is then built on top of the difference detection algorithm. Experimental results show that the algorithm detects abnormal users with high accuracy and identifies changes in user behavior, which has high practical value in defending against asset damage and theft caused by internal attacks.

(4) This paper analyzes the influence of the duration of user window activity on the accuracy of the algorithm. Experiments show that the longer the user's window activity, the more complete the established behavior pattern and the more accurate the detection.
Keywords/Search Tags: intranet security, application window, anomaly detection, Euclidean distance, sample mean distribution, K-S test