Internal Threat Detection Framework Based On Multi-feature User Portrait

Posted on: 2021-04-30
Degree: Master
Type: Thesis
Country: China
Candidate: Q H Huang
GTID: 2428330620466044
Subject: Information security

Abstract/Summary:
With the development of the Internet, organizations increasingly depend on information systems for management and business development, and the hidden danger of internal threats is growing with that dependence. In recent years, researchers have studied internal threats from many aspects and angles, and have made many achievements in theoretical frameworks and detection methods. However, because user behavior characteristics are analyzed in isolation, internal characteristics are neglected, and the detailed information in behavior text is ignored, the user's real purpose, internal intention and subjective factors cannot be found. Furthermore, the inefficient use of users' multi-domain behavior characteristics leads to low efficiency in internal threat detection.

This paper comprehensively analyzes the internal characteristics of users, the behavior characteristics of each domain of business operations, the detailed content of behaviors and the sequence between behaviors, and provides methods and ideas for organizations to detect malicious user behavior. At the same time, to extract an overall picture of each user from massive user data, user portrait technology has emerged to meet this need; it depicts the users within an organization comprehensively and in detail, from the perspectives of both their internal characteristics and their behavior attributes. On the basis of previous research, the following achievements have been made.

1. By studying the internal characteristics of employees, such as their personality characteristics, past experience, work attitude and psychological characteristics, and by organically integrating users' abilities, emotions, values and habitual behaviors, the Big Five personality values are obtained, and an internal attribute portrait of users that describes their static characteristics is formed. K-means based on the elbow method clusters users' personality characteristics and groups together the "high-risk" users whose internal attributes are highly similar to those of malicious users. In the practice of internal threat detection, strengthening the supervision of "high-risk" users can reduce the probability of employees carrying out malicious behaviors.

2. The user's multi-domain behavior is integrated, and the characteristics of that multi-domain behavior and the sequence relationships between behaviors are modeled with an optimized SVM, which improved the accuracy of internal threat detection and reduced the false positive rate. This forms a user behavior attribute portrait that reflects the user's business logic and behavior habits, and provides a strong basis for judging whether a user's behavior is abnormal. The text details of URL information, file information and mail content information in user operations were also studied. An improved TF-IDF algorithm was used to traverse these details: the TF value, the IDF value, the position weight p_i and the part-of-speech weight c_i were integrated into a c-p-tf-idf value. This increased sensitivity to specific words in behavioral details and significantly reduced the risk of internal threats.
Keywords/Search Tags: Internal Threat, User Portrait, The Big Five, SVM, Keywords Library