
Research On User Behavior Monitoring And Analysis Forensics Method For 64 Bit Windows

Posted on: 2023-03-11
Degree: Master
Type: Thesis
Country: China
Candidate: Y P Guo
Full Text: PDF
GTID: 2568306848467284
Subject: Computer technology
Abstract/Summary:
With the rapid development of computer networks and office automation, hidden information security risks follow. Although protection against threats from outside the system has been continuously strengthened, static security policies alone still cannot provide timely protection, analysis and forensics against active data leakage by internal personnel. At the same time, 64-bit Windows has replaced the 32-bit version as the mainstream productivity environment, which places higher demands on the stability of the monitoring driver. How to monitor user behavior and analyze it dynamically has therefore become one of the hot topics in modern information security.

Firstly, the thesis expounds the seriousness and universality of intranet data leakage, analyzes the state of research on behavior monitoring and analysis for the 64-bit Windows platform in China and abroad, and finds that existing work suffers from incomplete behavior monitoring methods and lagging behavior analysis. Therefore, on the basis of analyzing the principles of user behavior monitoring in a 64-bit environment, a monitoring model that applies anomaly detection to an information security system is proposed.

Secondly, adopting a layered design, a user behavior monitoring and analysis model is designed that comprises a kernel driver layer, a collaborative communication layer, a behavior analysis layer and a management and control layer. The kernel driver layer monitors the operations of user processes, web pages and files and ensures stable operation in a 64-bit environment; the collaborative communication layer uploads behavior information in real time and issues monitoring policies; the behavior analysis layer uses machine learning algorithms to establish user behavior baselines from the collected behavior information and detects abnormal behaviors that deviate from those baselines; the management and control layer implements visual monitoring and auditing of behaviors.

Thirdly, in the behavior analysis layer, to address the problem that a behavioral baseline established by an isolation forest cannot adapt to new behavioral data, an update scheme is designed that periodically reads recent data and retrains the isolation forest, so that the behavioral baseline keeps pace with recent behavioral data.

Finally, an experimental environment of 64-bit Windows monitoring equipment and a management and control platform is deployed to test the model. The kernel driver layer's monitoring of process, web page and file behavior, the real-time anomaly detection in the behavior analysis layer, and the behavior visualization and auditing in the management and control layer are verified experimentally, which shows the feasibility of the model. Performance tests performed on the client and the server respectively show that the system's CPU, memory and other resource usage stays within an acceptable range, indicating the efficiency of the model.
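The periodic retraining scheme of the behavior analysis layer, as an added illustration rather than the thesis's own code: a compact isolation forest whose baseline is rebuilt from a sliding window of recent behavior records, so that a legitimate change in a user's pattern stops being flagged after the retrain while a bulk anomaly still scores high. The record features, window size, tree parameters and all sample values are assumptions.

```python
import math
import random
# Added example (not the thesis's code): an isolation-forest behaviour baseline
# retrained on a sliding window of recent records. Records are constructed
# per-session vectors (files touched, web requests, MiB written); all assumed.

def _c(n):  # mean path length of an unsuccessful BST search; normalises scores
    return 0.0 if n <= 1 else 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n

def _build_tree(rows, depth, limit, rng):
    if depth >= limit or len(rows) <= 1:
        return ("leaf", len(rows))
    dims = [d for d in range(len(rows[0]))
            if min(r[d] for r in rows) < max(r[d] for r in rows)]
    if not dims:  # all remaining rows identical: cannot isolate further
        return ("leaf", len(rows))
    dim = rng.choice(dims)
    split = rng.uniform(min(r[dim] for r in rows), max(r[dim] for r in rows))
    return ("node", dim, split,
            _build_tree([r for r in rows if r[dim] < split], depth + 1, limit, rng),
            _build_tree([r for r in rows if r[dim] >= split], depth + 1, limit, rng))

def _path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, dim, split, left, right = tree
    return _path_length(left if x[dim] < split else right, x, depth + 1)

def retrain(history, window=200, trees=100, sample=64, seed=7):
    """Rebuild the forest from the most recent `window` records only."""
    rng, recent = random.Random(seed), history[-window:]
    n = min(sample, len(recent))
    limit = math.ceil(math.log2(n))  # standard height limit for subsample size n
    return [_build_tree(rng.sample(recent, n), 0, limit, rng) for _ in range(trees)], n

def score(forest, n, x):  # in (0, 1); close to 1 means x was isolated quickly
    avg = sum(_path_length(t, x) for t in forest) / len(forest)
    return 2 ** (-avg / _c(n))

def drift_demo():  # legitimate shift: flagged before the periodic retrain, not after
    rng = random.Random(1)
    history = [[rng.gauss(10, 2), rng.gauss(5, 1), rng.gauss(2, 0.5)] for _ in range(200)]
    forest, n = retrain(history)
    before = score(forest, n, [50, 30, 8])
    history += [[rng.gauss(50, 4), rng.gauss(30, 2), rng.gauss(8, 1)] for _ in range(200)]
    forest, n = retrain(history)               # window now holds only the new pattern
    after = score(forest, n, [50, 30, 8])
    bulk = score(forest, n, [400, 200, 2000])  # a bulk copy is still far from baseline
    return before, after, bulk
```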
Keywords/Search Tags: Information security, 64-bit Windows, Behavior monitoring, Real-time anomaly detection