Cite this article
  • Song Shufa, Ma Linru, Yu Hongfang, Hu Xinxin. Insider Threat: A Survey on Systematic Analysis and Defense Detection [J]. Journal of Cyber Security, accepted. (Chinese citation: 宋书发, 马琳茹, 虞红芳, 胡鑫鑫. 内部威胁:系统性分析与防御检测综述 [J]. 信息安全学报, 已采用)


Insider Threat: A Survey on Systematic Analysis and Defense Detection
Song Shufa1, Ma Linru2, Yu Hongfang1, Hu Xinxin2
(1. School of Information and Communication Engineering, University of Electronic Science and Technology of China; 2. Institute of Systems Engineering, Academy of Military Sciences, People's Liberation Army)
Abstract:
In recent years, with the rapid digital transformation of society, insider threats to the networks of enterprises and organizations have become increasingly prominent. To address the insider threat problem effectively and analyze it in depth, this paper systematically reviews insider threat research and examines insider threats from several dimensions, including threat characteristics, defense measures and detection methods, with the aim of giving researchers a clear perspective from which to design more effective and reasonable insider threat defense and detection schemes. The paper first describes the background and significance of insider threats and summarizes the categories of insiders and their respective traits. Based on this understanding of the problem, it then proposes a threat characteristic framework and a multi-stage defense and detection framework. The threat characteristic framework covers multidimensional features including threat motivation, insider characteristics, attack characteristics and organizational characteristics. The defense and detection framework covers three main phases: the threat intent formation phase, the threat behavior generation phase, and the threat detection and response phase, which respectively comprise observation and deterrence of behavioral intent, measures to mitigate and prevent the emergence of threatening behavior, and the identification, assessment and elimination of potential insider threats. For the detection and response phase, the paper surveys existing detection methods under two headings, detection approaches and algorithmic models, and within algorithmic models focuses on graph-based detection. It also analyzes proactive detection through threat hunting, drawing on methods from other security domains, to add a new perspective to insider threat detection, and summarizes the datasets and evaluation metrics used by existing insider threat detection work. Finally, the paper discusses the challenges and limitations of current solutions and proposes potential directions for future research.
Keywords:  insider threat  characteristic framework  defense detection framework  threat hunting  proactive detection
DOI:
Received: 2024-05-27    Revised: 2025-03-08
Funding:
Insider Threat: A Survey on Systematic Analysis and Defense Detection
Song Shufa1, Ma Linru2, Yu Hongfang1, Hu Xinxin2
(1.School of Information and Communication Engineering, University of Electronic Science and Technology;2.Institute of Systems Engineering, Academy of Military Sciences)
Abstract:
In recent years, with the rapid development of the digital transformation of society, the problem of network insider threats in enterprises and organizations has become increasingly prominent. In order to effectively solve the problem of insider threats, this paper provides a deep analysis of the insider threat problem, systematically analyzes the work related to insider threats, and comprehensively analyzes insider threats from multiple dimensions such as threat characteristics, defense measures and detection methods, aiming to provide researchers with a clear perspective and, on that basis, to design more effective and reasonable insider threat defense and detection schemes. First, the paper describes the background and significance of insider threats, and summarizes the different categories of insiders and their respective characteristics. Meanwhile, based on the understanding of the insider threat problem, this paper summarizes the threat characteristic framework and the multi-stage defense detection framework. The threat characteristic framework mainly contains multidimensional characteristics including threat motivation, insider characteristics, threat attack characteristics and organizational characteristics. The defense detection framework covers three main phases: the threat intent generation phase, the threat behavior generation phase, and the threat detection and response phase, which contain observation and deterrence measures for behavioral intent, relevant measures to mitigate and prevent the generation of threat behaviors, and the identification, assessment and elimination of potential insider threats, respectively. In the threat detection and response phase, this paper introduces existing detection methods based on two main categories, detection ideas and algorithmic models, and focuses on graph-based detection methods within the algorithmic models. This paper also analyzes proactive detection methods for threat hunting in combination with methods from other security domains, adds a new perspective to insider threat detection, and summarizes the datasets and evaluation metrics used in some existing insider threat detection work. Finally, the paper discusses the challenges and limitations of current solutions and suggests potential directions for future research.
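The abstract names graph-based detection and the evaluation metrics used to compare detectors without showing either concretely. The following is an added illustration, not code from the paper or its authors: it builds a user-to-resource access graph from a constructed event log, scores each user by how much of their resource set falls outside what their departmental peers also touch (a hypothetical peer-group rule chosen here for illustration, not a method the survey attributes to any specific work), and then computes precision, recall and F1 against constructed ground-truth labels. The events, departments, resource names and labels are all invented sample data.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample access events (user, department, resource); not real data.
EVENTS: List[Tuple[str, str, str]] = [
    ("alice", "eng", "repo"), ("alice", "eng", "build"), ("alice", "eng", "wiki"),
    ("bob", "eng", "repo"), ("bob", "eng", "build"), ("bob", "eng", "wiki"),
    ("carol", "eng", "repo"), ("carol", "eng", "build"), ("carol", "eng", "wiki"),
    ("carol", "eng", "hr_payroll"), ("carol", "eng", "finance_db"),
    ("dave", "fin", "finance_db"), ("dave", "fin", "ledger"),
    ("erin", "fin", "finance_db"), ("erin", "fin", "ledger"), ("erin", "fin", "wiki"),
    ("frank", "fin", "finance_db"), ("frank", "fin", "ledger"),
]
# Constructed ground truth used only for evaluation: carol and frank are the
# labelled insiders. frank's access set looks normal to this rule, which is the
# kind of miss that a recall figure is meant to expose.
LABELS: Set[str] = {"carol", "frank"}


def build_graph(events):
    """Bipartite access graph: user -> resources, resource -> users, plus a
    user -> department map."""
    user_res: Dict[str, Set[str]] = defaultdict(set)
    res_user: Dict[str, Set[str]] = defaultdict(set)
    dept: Dict[str, str] = {}
    for user, department, resource in events:
        user_res[user].add(resource)
        res_user[resource].add(user)
        dept[user] = department
    return user_res, res_user, dept


def peer_resources(res_user, dept, min_peers: int = 2) -> Dict[str, Set[str]]:
    """Per department, the resources that at least min_peers distinct members
    of that department access (the department's 'normal' resource set)."""
    peers: Dict[str, Set[str]] = defaultdict(set)
    for resource, users in res_user.items():
        by_dept: Dict[str, int] = defaultdict(int)
        for user in users:
            by_dept[dept[user]] += 1
        for department, count in by_dept.items():
            if count >= min_peers:
                peers[department].add(resource)
    return peers


def score_users(events, min_peers: int = 2) -> Dict[str, float]:
    """Anomaly score = fraction of a user's distinct resources that none of
    their departmental peers share (0.0 = fully explained by peers)."""
    user_res, res_user, dept = build_graph(events)
    peers = peer_resources(res_user, dept, min_peers)
    return {user: len(resources - peers[dept[user]]) / len(resources)
            for user, resources in user_res.items()}


def flag(scores: Dict[str, float], threshold: float) -> Set[str]:
    """Users whose score exceeds the analyst-chosen threshold."""
    return {user for user, score in scores.items() if score > threshold}


def evaluate(flagged: Set[str], labels: Set[str]) -> Dict[str, float]:
    """Standard detection metrics against labelled insiders."""
    tp = len(flagged & labels)
    fp = len(flagged - labels)
    fn = len(labels - flagged)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": precision, "recall": recall, "f1": f1}


if __name__ == "__main__":
    scores = score_users(EVENTS)
    for threshold in (0.3, 0.35):
        flagged = flag(scores, threshold)
        print(f"threshold={threshold}: flagged={sorted(flagged)} "
              f"metrics={evaluate(flagged, LABELS)}")
```

Lowering the threshold from 0.35 to 0.3 pulls erin (who touches the shared wiki) into the flagged set, trading precision for no gain in recall, while frank is missed at either setting because his resource set matches his peers exactly; that trade-off is what the datasets and metrics the survey catalogues are used to measure.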
Key words:  insider threat  characteristic framework  defense detection framework  threat hunting  proactive detection