
Research on an Insider Threat Anomaly Detection Model Based on File Access Behavior

Research on Anomaly Detection Model of Insider Threat Based on Document Access Behavior

【Author】 Zhang Rui

【Supervisor】 Jing Tao

【Author information】 Beijing Jiaotong University, Computer Science and Technology, 2015, Master's thesis

【Abstract (translated from the Chinese)】 With the rapid growth of information technology, information systems have brought great convenience to enterprises and institutions. At the same time, threat incidents originating inside information systems are becoming more frequent. Much work has been done on network security protection against external threats, but it is relatively powerless against insider threats. The painful cost of insider threat incidents has led people to pay attention to solutions targeting insider threats. At present, insider threat detection is still at the stage of theoretical research. This thesis surveys the state of insider threat research and summarizes the current theoretical research results at home and abroad. In the course of this research, a definition of insider threat is proposed, and three characteristics of insider threats are summarized: high risk, latency, and disguise. As the carrier of information, files play an important role in the internal network environment and need to be protected. In view of these characteristics of insider threats, this thesis proposes carrying out protective measures from the perspective of files, and conducts the relevant survey. Previous research usually detected insider threats by building individual behavior patterns or community behavior patterns, but each has its own shortcomings: individual behavior anomaly detection ignores shifts in personal interests, while community behavior anomaly detection ignores users' individual characteristics. This thesis proposes an insider threat anomaly detection model based on file access behavior that combines individual behavior and community behavior, and analyzes the workflow of this model. First, text classification is used to classify file contents by topic; then a user-topic relation matrix and a community-topic relation matrix are built, and a comprehensive model is proposed that jointly considers the deviation of a user's current behavior from their historical behavior and from the behavior of the community they belong to, in order to detect insider threat anomalies. Finally, a simulation experiment is designed and carried out; the experimental results show that this model can effectively detect anomalous file access in internal information systems.

【Abstract】 With the rapid development of information technology, enterprises and organizations have enjoyed great convenience from information systems. At the same time, information leakage caused by insiders has become more frequent. Current network protection methods are effective in preventing information leakage by outsiders, but they are ineffective against leakage by insiders. The bitter consequences of insider threats have forced us to develop effective methods for resolving them, while anomaly detection of insider threats is still at the theoretical stage. This paper first reviews the research status of insider threats and summarizes the domestic research results on them. It then proposes a definition of insider threat and summarizes its three characteristics: high-risk, hidden and disguised. As the carriers of information, files play an important role in the internal network, so it is necessary to protect them. From the perspective of files, the paper presents, with a relevant investigation, methods to prevent insider threats according to these characteristics. Previous research on insider threat anomaly detection has always used either individual or community behavior models, and both have disadvantages: anomaly detection on individual behavior neglects changes in individuals' interests, and anomaly detection on community behavior neglects users' personalities. The paper proposes an anomaly detection model for insider threats that is based on file access behavior and combines the individual and community approaches, and analyzes the process of the model. First, the model uses text classification to classify the contents of files by subject and sets up subject correlation matrices for both individuals and communities. It then proposes a comprehensive model to detect insider threats, which simultaneously takes into consideration the deviation of an individual's current behavior from their historical behavior and from their associated community's behavior. Finally, the paper designs a simulation test and presents its whole process. According to the experimental results, the proposed model can successfully detect anomalous access to files in internal systems.
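The combined individual/community scoring the abstract describes, shown as an added illustration by the editor and not code from the thesis. It assumes that each accessed file already carries a topic label produced by an earlier text-classification step (that step is not reproduced), that the user-topic and community-topic matrices are normalised topic-frequency vectors, that the deviation measure is the Hellinger distance, and that the two deviations are combined by a weighted sum with a fixed threshold; the access events, user names, communities and topic names are constructed sample data.

```python
"""Combined individual/community file-access anomaly scoring.

Editor's illustration of the idea in the abstract, not the thesis's own code.
Each event is (user, community, topic_of_accessed_file); the topic label is
assumed to come from a prior text-classification step (hypothetical here).
Hellinger distance as the deviation measure, the weighting alpha and the
threshold are all editor's assumptions.
"""
from collections import Counter, defaultdict
import math

# Constructed historical access log (the "learned" behaviour).
HISTORY = (
    [("alice", "dev", "code")] * 6 + [("alice", "dev", "design")] * 2
    + [("bob", "dev", "code")] * 4 + [("bob", "dev", "design")] * 4
    + [("carol", "finance", "finance")] * 5 + [("carol", "finance", "hr")] * 3
)

# Constructed current observation window. alice drifts slightly towards the
# community's mix (benign interest shift); carol suddenly reads only code.
CURRENT = (
    [("alice", "dev", "code")] * 2 + [("alice", "dev", "design")] * 2
    + [("carol", "finance", "code")] * 4
)


def topic_distribution(topics):
    """Normalised topic-frequency vector for a sequence of topic labels."""
    counts = Counter(topics)
    total = sum(counts.values())
    return {t: c / total for t, c in counts.items()} if total else {}


def user_topic_matrix(events):
    """User-topic relation matrix: one distribution row per user."""
    per_user = defaultdict(list)
    for user, _community, topic in events:
        per_user[user].append(topic)
    return {u: topic_distribution(ts) for u, ts in per_user.items()}


def community_topic_matrix(events):
    """Community-topic relation matrix: pooled distribution per community."""
    per_comm = defaultdict(list)
    for _user, community, topic in events:
        per_comm[community].append(topic)
    return {c: topic_distribution(ts) for c, ts in per_comm.items()}


def hellinger(p, q):
    """Hellinger distance between two discrete distributions, in [0, 1].

    Missing topics count as probability 0, so a user with no history at all
    (q == {}) scores 1/sqrt(2) against any current distribution.
    """
    topics = set(p) | set(q)
    s = sum((math.sqrt(p.get(t, 0.0)) - math.sqrt(q.get(t, 0.0))) ** 2 for t in topics)
    return math.sqrt(s) / math.sqrt(2)


def anomaly_scores(history, current, alpha=0.5):
    """Combined score per user seen in the current window.

    score = alpha * distance(current, own history)
          + (1 - alpha) * distance(current, own community's history)
    A pure interest shift that stays inside the community's habits scores low;
    behaviour alien to both the user and the community scores high.
    """
    users = user_topic_matrix(history)
    communities = community_topic_matrix(history)
    membership = {u: c for u, c, _t in history}
    scores = {}
    for user, dist in user_topic_matrix(current).items():
        d_self = hellinger(dist, users.get(user, {}))
        d_comm = hellinger(dist, communities.get(membership.get(user), {}))
        scores[user] = alpha * d_self + (1 - alpha) * d_comm
    return scores


def detect(history, current, threshold=0.5, alpha=0.5):
    """Users whose combined deviation reaches the threshold, sorted by name."""
    return sorted(u for u, s in anomaly_scores(history, current, alpha).items() if s >= threshold)


if __name__ == "__main__":
    for user, score in sorted(anomaly_scores(HISTORY, CURRENT).items()):
        print(f"{user:6s} combined deviation = {score:.3f}")
    print("flagged:", detect(HISTORY, CURRENT))
```

On the sample data alice's score stays well under the threshold because her new 50/50 code/design mix is close to what the dev community already does, whereas carol's all-code window is maximally distant from both her own history and the finance community, so only carol is flagged. Weighting alpha towards the individual term makes the detector more sensitive to personal drift; weighting it towards the community term tolerates drift that other members of the same group already exhibit.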
