Insider Detection by Analyzing Process Behaviors of File Access

2016 
Information security is a great challenge for most organizations in today’s information world, particularly with respect to the insider problem. With the help of malware, insiders can search for and steal valuable files easily and safely in an organization’s network. In this paper, we collect a dataset of file access behaviors for normal processes and malware processes. We analyze the dataset and find several features in which normal processes and malware processes show significant differences. We give a file access behavior model based on these features and apply both semi-supervised and unsupervised approaches to verify the effectiveness of our model. Experimental results demonstrate that our model is effective in distinguishing between the file access behaviors of normal processes and malware processes.