The main purpose of this study is to effectively detect file-based insider threat behavior processes in the complex security environment and frequent insider threat behavior. We propose a method of calculating the threat score using the existing user-...
The main purpose of this study is to effectively detect file-based insider threat behavior processes in the complex security environment and frequent insider threat behavior. We propose a method of calculating the threat score using the existing user-specific process usage rate and sandbox dynamic analysis data collected for the detection of insider threat behavior processes. When the quantitative performance verification results and the proposed model were applied, it was confirmed that the undetected rate for each scenario decreased by up to 82.24%, 55.06%, 45.02% and 54.05% respectively, compared to the existing system environment, and the effect was demonstrated. This model shows the possibility of increasing the detection rate of internal threat behavior by utilizing the process usage rate, which is the existing system data, and it is expected that the components can be used in an environment suitable for internal threat detection such as Zero Trust.