摘要
针对企业信息系统中的内部威胁行为,特别是内部用户的资源滥用行为,提出了一种基于Agent的实时检测框架,通过比较用户身份权限和异常操作行为发现恶意内部威胁行为.该框架有数据采集模块、检测模块、审计模块和响应模块构成.从身份认证、访问控制、操作审计和漏洞检测四个方面对检测系统进行功能说明,并就关键技术给出了详细介绍.应用实例证明该检测框架实现了用户实名登录、行为检测与事后审计,从根本上防止了恶意内部人员获取非法数据并提供响应和干预能力,提高了信息系统的安全性.最后,总结了内部威胁检测技术发展趋势.
In view of the internal threat behavior in enterprise information system, especially the abuse of internal user resource, we propose a real-time detection framework based on Agent, which can find malicious insider threat behavior by comparing identify permissions and abnormal operation behavior. The framework is composed of data acquisition module, detection module, audit module and response module. From 4 aspects of identity authentication, access control, operation audit and vulnerability detection, the function of the detection system is described, and the key technology is introduced in detail. The application example proves that the detection framework implements the functions of user's real name login, beha~,ior detection and post audit, fundamentally prevent malicious insiders to obtain illegal data and provide response and intervention capabilities, improving the security of information system. In the end, we summarize the development trend of the internal threat detection technology.
出处
《计算机系统应用》
2017年第6期83-87,共5页
Computer Systems & Applications
基金
陕西省教育厅科研计划项目(12JK1055)
关键词
内部威胁
异常行为
身份识别
检测
insider threat
abnormal behavior
identity authentication
detect
