English Abstract
The safety of the financial system is the basis for the stable development of the economy. However, it is constantly exposed to a variety of risks and threats. Accurately identifying and preventing risks and hidden dangers is therefore a fundamental task for the financial industry.
With the widespread application and rapid development of information systems in the financial industry, financial institutions are facing increasingly serious information technology risks, especially risks caused, intentionally or unintentionally, by their own staff, which have long been considered one of the major security weaknesses of information systems. To this end, supervision authorities have promoted laws, regulations, and guidelines to optimize risk prevention mechanisms, and financial institutions have formulated security policies and established corresponding risk detection mechanisms based on their businesses to prevent such risks and threats. However, it remains a major challenge for financial institutions to effectively detect and prevent known threats and, more importantly, unknown risks using valid security policies.
To address these challenges, this dissertation proposes a framework for detecting abnormal staff behavior in financial information systems. The key idea is to extract baselines for determining abnormal behavior from two sources, the code of behavior in security policies and the behavior patterns embodied in behavior records, to represent the normal and abnormal behavior of staff as complex events, and to mine behavior rules through interaction and collaboration between the computer and the risk control officer. On this basis, the system can identify and evaluate the risk of abnormal behaviors and form an interactive feedback loop between the detected behavior and the security policy. This dissertation focuses on the detection, analysis, and demonstration application of abnormal staff behavior in the financial industry.
First of all, we propose a rule-based representation of the baseline for determining abnormal staff behavior: at the knowledge level, the provisions in security policies that reflect the norms of behavior are represented as compliance rules and transformed into a representation of security policy violations; at the factual level, the normal behavior patterns of staff reflected in their behavior records are expressed as behavior rules and transformed into a representation of deviant behavior that does not conform to those patterns.
Secondly, combining the rule representation of the baseline for determining abnormal staff behavior with the representation method of complex event processing, we propose a representation model of staff behavior for financial institutions. A specific activity is represented as a primitive event. For the code of behavior in security policies, the risk control officer interprets the code of behavior, establishes compliance rules that meet its provisions, and converts them into a violation representation. For the normal behavior patterns embodied in behavior records, data mining algorithms are used to mine the normal behavior patterns from the historical records of staff and convert them into a representation of deviant behavior that does not conform to them.
Then, based on the two types of abnormal behavior baselines, a rule engine is used to detect whether staff behavior violates the code of behavior, realizing the detection of known anomalies; classical data mining algorithms are used to compare newly generated behavior records with the normal behavior patterns and identify deviations from them that may be unknown anomalies.
In addition, to further improve the accuracy of unknown anomaly identification, we put forward an interactive approach to unknown anomaly identification based on the experience of the risk control officer: by collecting the officer's assessment opinions during unknown risk identification, a feedback model for unknown anomaly identification can be established, through which the configuration of the data mining algorithm is continuously optimized and the efficiency of anomaly identification improved.
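The two-baseline detection described above, as an added illustration that is not code from the dissertation or its prototype: primitive staff events are checked against a hypothetical compliance rule (known anomalies) and against per-staff activity counts mined from constructed historical records (unknown anomalies). The event fields, the rule and the z-score threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed primitive events (not from the dissertation): one dict per activity.
# Ten days of history: u1 runs 5 queries and 1 export a day; u2 initiates and
# approves one transfer a day, never the same one.
HISTORY = [e for d in range(1, 11) for e in
           [{"staff": "u1", "day": d, "action": "query", "tx": None}] * 5
           + [{"staff": "u1", "day": d, "action": "export", "tx": None},
              {"staff": "u2", "day": d, "action": "initiate", "tx": f"T{d}"},
              {"staff": "u2", "day": d, "action": "approve", "tx": f"A{d}"}]]
# Day 11: u1 exports 40 times, and u2 approves a transfer u2 itself initiated.
TODAY = ([{"staff": "u1", "day": 11, "action": "query", "tx": None}] * 6
         + [{"staff": "u1", "day": 11, "action": "export", "tx": None}] * 40
         + [{"staff": "u2", "day": 11, "action": "initiate", "tx": "T100"},
            {"staff": "u2", "day": 11, "action": "approve", "tx": "T100"}])

# Knowledge-level baseline: a compliance rule stated as a predicate over primitive
# events; the events that break it form the "violation" complex event.
# Hypothetical rule: no staff member may approve a transfer they initiated.
def compliance_violations(events):
    initiated = {(e["staff"], e["tx"]) for e in events if e["action"] == "initiate"}
    return [e for e in events
            if e["action"] == "approve" and (e["staff"], e["tx"]) in initiated]

# Factual-level baseline: per-(staff, action) daily counts mined from history,
# summarised as (mean, population standard deviation).
def behavior_profile(history):
    per_day = defaultdict(lambda: defaultdict(int))
    for e in history:
        per_day[(e["staff"], e["action"])][e["day"]] += 1
    days = {e["day"] for e in history}
    return {key: (mean([c.get(d, 0) for d in days]), pstdev([c.get(d, 0) for d in days]))
            for key, c in per_day.items()}

# Deviant-behavior complex event: today's count lies more than `threshold` sigmas
# from the mined mean (sigma floored at 1 so constant histories only flag large
# jumps); (staff, action) pairs never seen in history are flagged as well.
def deviations(profile, events, threshold=3.0):
    today = defaultdict(int)
    for e in events:
        today[(e["staff"], e["action"])] += 1
    flagged = []
    for key, n in today.items():
        if key not in profile:
            flagged.append((key, n, "no historical pattern"))
            continue
        mu, sigma = profile[key]
        if abs(n - mu) > threshold * max(sigma, 1.0):
            flagged.append((key, n, f"mean {mu:.1f}"))
    return flagged
```

Deviations flagged this way are candidates for the risk control officer's assessment, not confirmed anomalies; the officer's feedback would adjust the threshold or the mined profile.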
Finally, we design and develop a prototype staff anomaly detection system that integrates key technologies such as complex-event-based behavior representation, complex event detection and processing, interactive feedback, and visual analysis. The system has been verified and demonstrated in a commercial bank's data center and achieved the expected results in actual business practice.