用户异常行为分析方法研究与应用

为了应对高级持续性威胁（APT）攻击造成的威胁，解决传统基于规则的分析方法对用户异常行为检测的误报与漏报问题，提高用户异常行为检测效果，通过采集用户行为日志生成用户操作行为矩阵，并通过模型定义方式对用户行为进行相似度分析。采用容忍度测算、突变测算、差值测算与峰值测算方法，分析与发现用户异常访问。基于用户画像的异常行为分析方法结合了用户操作行为特征及角色定义，利用用户行为日志历史信息勾勒出用户行为画像，使系统能准确、实时地判断用户行为异常，提高了对异常行为的实时检测与快速响应能力。

Research and Application of User Abnormal Behavior Analysis Method

In order to deal with the threat caused by high-level persistent threat attack， the traditional rule-based analysis method is used to solve the false alarm and missed alarm of user abnormal behavior detection， and improve the detection effect of user abnormal behavior. User behavior matrix is generated by collecting user behavior log， and similarity analysis of user behavior is done by model definition. Tolerance measure method， mutation measure method， difference measure method and peak value measure method are collected. Users' abnormal access is analyzed and found by common use. The abnormal behavior analysis method based on user portrait is combined with user operation behavior characteristics and role definition， and the user behavior portrait is outlined by using user behavior log history information. The system can judge user behavior abnormality in real-time and improve the ability of real-time detection and rapid response to abnormal behavior.