Authors: 孙德刚 刘美辰[1,2] 李梅梅 王旭 石志鑫[1,2] 刘鹏程 李楠 (SUN Degang; LIU Meichen; LI Meimei; WANG Xu; SHI Zhixin; LIU Pengcheng; LI Nan)
Affiliations: [1] School of Cyberspace Security, University of Chinese Academy of Sciences, Beijing 100049, China; [2] Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; [3] School of Computer and Information Technology, Beijing Jiaotong University, Beijing 100044, China
Source: Journal of Cyber Security (信息安全学报), 2025, No. 1, pp. 176-193 (18 pages)
Funding: National Key R&D Program of China (No. 2018YFF01014303); Strategic Priority Research Program (Category C) of the Chinese Academy of Sciences (No. XDC02040300).
Abstract: Insider threats are initiated by trusted internal personnel and, compared with external threats, are more transparent, more covert, and higher-risk; they are among the most challenging cyber-security problems today, so the research findings and development trends in this field deserve close attention. This paper surveys the results within the research scope of insider threats and applies grounded theory to conduct a rigorous literature induction and analysis. Through a systematic study of insider threats from a panoramic view, it aims to help organizations mitigate and eliminate insider threat incidents and quickly formulate defense plans suited to their own circumstances. The main contributions of this survey are as follows. (1) It summarizes the research scope of insider threats, covering seven aspects: definition and classification, dataset analysis, incident analysis, deterrence, mitigation and prevention, detection, and response, with the aim of establishing a research framework for insider threats; the framework describes the workflow of insider threat research in the direction from incident to solution. (2) It comprehensively analyzes insider threats from the perspectives of definition and classification, datasets, and incidents, and proposes a structured analysis and classification method for insider threats that keeps the important characteristics of threat incidents in a clear and easily maintained state, convenient to extend, integrate, and modify. (3) Based on the insider threat analysis, it proposes a step-by-step defense framework comprising deterrence, prevention/mitigation, detection, and response; the framework summarizes the influence of user behavior, psychology, and criminology on incidents, and the methods contained in each step of the framework are summarized and analyzed. (4) By analyzing insider threat cases and current research progress, it discusses the shortcomings of existing research and outlines further research directions from three aspects: datasets, incident analysis, and defense.
Keywords: cyber security; insider threat; analysis and defense; literature review; structured taxonomy; survey
Classification number: TP309.2 [Automation and Computer Technology / Computer System Architecture]