
Computer Engineering (计算机工程), 2020, Vol. 46, Issue 4: 135-142, 150. doi: 10.19678/j.issn.1000-3428.0055801

• Cyberspace Security •

Research on Internal Threat Detection Based on User Window Behavior

LI Zhi (李志), SONG Lipeng (宋礼鹏)

  1. Research Institute of Big Data and Network Security, School of Big Data, North University of China, Taiyuan 030051, China
  • Received: 2019-08-23 Revised: 2019-10-08 Online: 2020-04-15 Published: 2019-10-18
  • About the authors: LI Zhi (born 1992), male, master's student; main research interests: big data analysis, network security, data mining. SONG Lipeng, professor, Ph.D.
  • Funding:
    National Natural Science Foundation of China (61772478).

Research on Internal Threat Detection Based on User Window Behavior

LI Zhi, SONG Lipeng   

  1. Research Institute of Big Data and Network Security, School of Big Data, North University of China, Taiyuan 030051, China
  • Received:2019-08-23 Revised:2019-10-08 Online:2020-04-15 Published:2019-10-18

Abstract: A user's behavior on a computer is directly reflected in the process of interacting with application windows. To address intranet security problems, this paper studies user behavior from the perspective of application-window usage. A completely unrestricted intranet environment is built, behavior data of users on application windows is collected and analyzed, and behavior features aimed at abnormal-user detection and at recognizing changes in a user's behavior are extracted. The distribution properties of sample means and the K-S test confirm that different users' application-window behavior differs significantly, and an abnormal-behavior detection algorithm is constructed by combining Euclidean distance with a confidence interval. Experimental results show that the algorithm can effectively detect abnormal users and recognize changed user behavior, with accuracy rates of up to 97.4% and 94.5% respectively, and that it plays an important role in defending against internal threats.

Keywords: intranet security, application window, user behavior, anomaly detection, Euclidean distance

Abstract: User behavior on a computer is directly reflected in the interactions with application windows. To address intranet security issues, research on user behavior is conducted from the perspective of the use of application windows. A completely free intranet environment is built, and user behavior data on application windows is collected and analyzed. On this basis, two kinds of behavior features of the use of application windows are extracted, which address abnormal user detection and user change behavior recognition respectively. By using the sample mean distribution features and the K-S test, it is verified that there are significant differences in the behavior of different users using application windows. Then, an abnormal behavior detection algorithm is constructed by combining Euclidean distance and a confidence interval. Experimental results show that the algorithm can detect abnormal users and identify changed user behavior with high accuracy. The accuracy rates are 97.4% and 94.5% respectively, which is of practical significance for preventing internal threats.

Key words: intranet security, application window, user behavior, abnormal detection, Euclidean distance
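A small illustration of the detection approach the abstract describes, added here as an example and not the paper's own code: per-session feature vectors built from the share of time spent in each application-window class, a two-sample K-S statistic to check that two users' behavior on one feature differs, and a Euclidean-distance threshold derived from a confidence-style bound over a user's own baseline sessions. The window classes, the feature layout, the bound construction (mean plus z times the standard deviation of baseline distances, a one-sided bound rather than an interval on the mean) and all session data are constructed assumptions; the paper's actual feature set and interval construction are not given on this page.

```python
"""Window-behavior anomaly detection sketch (added example, not the paper's code).

Assumed feature layout: each session is a vector of the fraction of time spent
in each application-window class. All sessions below are constructed.
"""
import math
import random
from statistics import mean, stdev

# Assumed window classes; the paper's real feature set is not on the page.
WINDOW_CLASSES = ["browser", "office", "ide", "terminal", "mail"]


def make_sessions(profile, n, jitter, seed):
    """Construct n synthetic sessions scattered around a per-user usage profile."""
    rng = random.Random(seed)
    sessions = []
    for _ in range(n):
        raw = [max(0.0, p + rng.gauss(0, jitter)) for p in profile]
        total = sum(raw) or 1.0
        sessions.append([v / total for v in raw])  # renormalize to fractions
    return sessions


def euclid(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def ks_statistic(xs, ys):
    """Two-sample Kolmogorov-Smirnov statistic D = sup_t |F_x(t) - F_y(t)|.

    D close to 1 means the two users' distributions of this feature barely
    overlap; D close to 0 means they are indistinguishable on it.
    """
    xs, ys = sorted(xs), sorted(ys)
    d = 0.0
    for t in sorted(set(xs) | set(ys)):
        fx = sum(1 for v in xs if v <= t) / len(xs)
        fy = sum(1 for v in ys if v <= t) / len(ys)
        d = max(d, abs(fx - fy))
    return d


class WindowProfile:
    """A user's baseline: centre vector plus a distance bound for new sessions."""

    def __init__(self, baseline_sessions, z=2.576):
        # Per-feature mean over the baseline sessions.
        self.centre = [mean(col) for col in zip(*baseline_sessions)]
        # Assumed bound: mean + z * sd of the baseline distances to the centre
        # (z = 2.576 corresponds to the 99% two-sided normal quantile).
        dists = [euclid(s, self.centre) for s in baseline_sessions]
        self.threshold = mean(dists) + z * stdev(dists)

    def is_anomalous(self, session):
        """Flag a session whose distance to the centre exceeds the bound."""
        return euclid(session, self.centre) > self.threshold


def demo():
    """Constructed scenario: one user's baseline vs. a second user on the same host."""
    alice = make_sessions([0.5, 0.2, 0.1, 0.1, 0.1], 60, 0.03, seed=1)
    bob = make_sessions([0.1, 0.1, 0.5, 0.25, 0.05], 20, 0.03, seed=2)
    ide = WINDOW_CLASSES.index("ide")
    # Step 1: do the two users differ on the "ide" feature? (K-S statistic)
    d = ks_statistic([s[ide] for s in alice[:40]], [s[ide] for s in bob])
    # Step 2: build Alice's profile from 40 sessions, score the rest plus Bob's.
    profile = WindowProfile(alice[:40])
    self_flagged = sum(profile.is_anomalous(s) for s in alice[40:])
    bob_flagged = sum(profile.is_anomalous(s) for s in bob)
    return {"ks_ide": d, "self_flagged": self_flagged, "bob_flagged": bob_flagged}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two halves of the approach: the K-S statistic on the "ide" feature is close to 1 for two users with different window habits, and sessions from the second user all land far outside the first user's distance bound while the first user's own held-out sessions mostly stay inside it. The false-positive rate on the owner's sessions is governed by the choice of z, which is the knob a defender tunes against alert volume.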

CLC number: