内部威胁发现检测方法研究综述  被引量：1

作　　者：郭世泽 张磊 潘雨 陶蔚 白玮 郑奇斌 刘艺 潘志松 GUO Shize;ZHANG Lei;PAN Yu;TAO Wei;BAI Wei;ZHENG Qibin;LIU Yi;PAN Zhisong(Command and Control Engineering College,Army Engineering University of PLA,Nanjing 210007,China;Evaluation Center,Academy of Military Science,Beijing 100091,China;Advanced Institute of Big Data,Beijing 100091,China;Defense Innovation Institute,Academy of Military Science,Beijing 100010,China)

机构地区：[1]陆军工程大学指挥控制工程学院,南京210007 [2]军事科学院战略评估咨询中心,北京100091 [3]北京大数据先进技术研究院,北京100091 [4]军事科学院国防科技创新研究院,北京100010

出　　处：《数据采集与处理》2022年第3期488-501,共14页Journal of Data Acquisition and Processing

基　　金：国家自然科学基金面上项目(62076251);国家重点研发计划(2017YFB0802801)。

摘　　要：组织内部网络不仅面临着外部攻击者的威胁,同时也面临以破坏组织网络结构、内部信息资料窃取以及各种诈骗手段为主的内部威胁。内部威胁因为其多元化、伪装性强等特点,对组织机构内部造成了严重影响,因此对于内部威胁发现检测方法的研究变得非常有必要。本文首先对内部威胁进行了描述,重点针对内部威胁发现检测方法的现实意义进行了论述。同时将现有的内部威胁发现检测方法分为3类:基于异常行为的检测方法、基于审计日志异常的检测方法和其他检测方法,分别介绍了现有3类方法的研究现状,并对它们的研究进展进行了总结、归纳和分析。最后对内部威胁发现检测方法的未来研究方向进行了展望。The internal network of the organization is not only faced with the threat of external attackers,but also faced with the insider threat including destruction of the organization network structure,internal information theft and various means of fraud.Because of the characteristics of concealment,destructiveness and diversification of attack methods,the insider threat poses a serious threat to the internal network.Therefore,it is very necessary to study the detection methods of insider threat.This paper analyzes the characteristics of insider threat and expounds the significance of studying the detection methods of insider threat.The existing insider threat detection methods are divided into three categories,namely,detection methods based on abnormal behavior,detection methods based on abnormal audit diary,and other detection methods.The current research status of each aspect is introduced respectively,and the progress of the research status of each aspect is summarized and analyzed.At last,the future research direction of insider threat detection methods is prospected.

关 键 词：内部威胁 发现检测 异常行为 审计日志异常 

分 类 号：TP181[自动化与计算机技术—控制理论与控制工程]