System for detecting abnormal behavior by analyzing personalized initial use behavior pattern

US2016197948A1 · US · A1

Patent metadata

Publication number: US-2016197948-A1
Application number: US-201514598557-A
Country: US
Kind code: A1
Filing date: Jan 16, 2015
Priority date: Jan 6, 2015
Publication date: Jul 7, 2016
Grant date:

Abstract

Official abstract text for this publication.

An abnormal behavior detection system includes a context information reception unit receiving a variety of types of context information from a context information collection system, a context information processing unit generating a corresponding detection request message when context information about web service use is received and transfer the corresponding detection request message to an abnormal detection unit, an abnormal detection unit comparing sequence of a use page and use speed, performed right after user access, with a pattern in the past access through an analysis of an initial use behavior pattern when the detection request message is received and to detect an abnormal use behavior, a profile management unit profiling pieces of context information according to various use behaviors of the user and store and manage the pieces of profiled context information, and an information analysis unit analyzing web site or DB use information.

First claim

Opening claim text (preview).

What is claimed is:

1. An abnormal behavior detection system for detecting an abnormal use behavior of a user in bring your own device (BYOD) and smart work environments, the system is configured to comprise: a context information reception unit configured to receive a variety of types of context information from a context information collection system; a context information processing unit configured to generate a corresponding detection request message when context information about “web service use” is received and transfer the corresponding detection request message to an abnormal detection unit; an abnormal detection unit configured to compare sequence of a use page and use speed, performed right after user access, with a pattern in past access through an analysis of an initial use behavior pattern when the detection request message is received and to detect an abnormal use behavior; a profile management unit configured to profile pieces of context information according to various use behaviors of the user and store and manage the pieces of profiled context information; and an information analysis unit configured to analyze web site or DB use information based on the pieces of received context information.

2. The abnormal behavior detection system of claim 1, wherein the abnormal detection unit is configured to comprise: a detection request classification module configured to sort received detection request messages and transfer the sorted detection request messages to analysis units of the abnormal behavior analysis module; an abnormal behavior analysis module configured to analyze whether the web service use is normal by performing a “service page use sequence similarity comparison” and a “user speed comparison” through an initial use behavior pattern analysis procedure; and an abnormal behavior detection module configured to generate corresponding normal or abnormal detection result information when a result of the analysis of the abnormal behavior analysis module is stored and to transfer the corresponding normal or abnormal detection result information to the control system.

3. The abnormal behavior detection system of claim 1, wherein the abnormal behavior analysis module is configured to: check a service page use amount N of a current access session, determine that an initial behavior for analyzing the abnormal behavior has been sufficiently performed if the service page use amount N is greater than a reference value and perform a specific initial use behavior pattern analysis procedure, and determine whether a current use behavior of a user is an abnormal behavior by performing a “service page use sequence similarity comparison” and a “user speed comparison” through the initial use behavior pattern analysis procedure.

4. The abnormal behavior detection system of claim 3, wherein the initial use behavior pattern analysis procedure comprises: obtaining current-initial service page use sequence and calculating use speed; examining past-initial service page use sequence having an identical access pattern and calculating past average use speed; calculating an occurrence probability P of current-initial page sequence by calculating a similarity between the current “service page use sequence” and all the past “service page use sequences”; comparing current-initial use speed with past-initial use speed if the occurrence probability P is a reference value (e.g., X) or more; and determining the current use behavior of the user to be a normal behavior if the current-initial use speed is within a normal range of the past-initial use speed.

5. The abnormal behavior detection system of claim 4, wherein calculating the occurrence probability P comprises: generating a specific comparison matrix in order to compare the current “service page use sequence” with the past “service page use sequence” and resetting a value of each of rows and columns of the comparison matrix; calculating the similarity between the current “service page use sequence” and all the past “service page use sequences”; and averaging all similarity result values obtained in calculating the similarity and calculating the occurrence probability P of the current-initial page sequence.

6. An abnormal behavior method of detecting an abnormal use behavior of a user in bring your own device (BYOD) and smart work environments, the method comprising: generating a corresponding detection request message when context information about “termination or access termination” is received from a context information collection system and transferring the corresponding detection request message to an abnormal detection unit; detecting an abnormal use behavior by comparing sequence of a use page and use speed, performed right after user access, with a pattern in past access through an analysis of an initial use behavior pattern after the abnormal detection unit receives the detection request message; and generating normal or abnormal detection result information based on a result of the analysis of the continuous use behavior pattern and transferring the normal or abnormal detection result information to a control system.

7. The abnormal behavior method of claim 6, wherein detecting the abnormal use behavior comprises: checking a service page use amount N of a current access session, determining that an initial behavior for analyzing the abnormal behavior has been sufficiently performed if the service page use amount N is greater than a reference value and performing a specific initial use behavior pattern analysis procedure, and determining whether a current use behavior of the user is an abnormal behavior by performing a “service page use sequence similarity comparison” and a “user speed comparison” through an initial use behavior pattern analysis procedure.”

8. The abnormal behavior method of claim 7, wherein the initial use behavior pattern analysis procedure comprises: obtaining current-initial service page use sequence and calculating use speed; examining past-initial service page use sequence having an identical access pattern and calculating past average use speed; calculating an occurrence probability P of current-initial page sequence by calculating a similarity between the current “service page use sequence” and all the past “service page use sequences”; comparing current-initial use speed with past-initial use speed if the occurrence probability P is a reference value (e.g., X) or more; and determining the current use behavior of the user to be a normal behavior if the current-initial use speed is within a normal range of the past-initial use speed.

9. The abnormal behavior method of claim 8, wherein calculating the occurrence probability P comprises: generating a specific comparison matrix in order to compare the current “service page use sequence” with the past “service page use sequence” and resetting a value of each of rows and columns of the comparison matrix; calculating the similarity between the current “service page use sequence” and all the past “service page use sequences”; and averaging all similarity result values obtained in calculating the similarity and calculating the occurrence probability P of the current-initial page sequence.
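
Added example, not taken from the patent or its assignee: a Python sketch of the procedure in claims 3 to 5 (and 7 to 9). The claim text does not name the similarity metric, the reference values or the "normal range", so the LCS-based comparison matrix, the thresholds MIN_PAGES, P_MIN and SPEED_K, the mean ± K standard deviations range, averaging speed over all past sessions, and the sample sessions are all assumptions.

```python
from statistics import mean, pstdev

# All thresholds are assumptions; the claims only name "reference values".
MIN_PAGES = 3      # reference value for page use amount N (claim 3)
P_MIN = 0.6        # reference value X for occurrence probability P (claim 4)
SPEED_K = 3.0      # "normal range" taken as past mean +/- K standard deviations

def similarity(cur, past):
    """LCS length over the longer sequence, computed with a comparison matrix."""
    m = [[0] * (len(past) + 1) for _ in range(len(cur) + 1)]  # matrix reset to 0
    for i, a in enumerate(cur, 1):
        for j, b in enumerate(past, 1):
            m[i][j] = m[i-1][j-1] + 1 if a == b else max(m[i-1][j], m[i][j-1])
    return m[-1][-1] / max(len(cur), len(past))

def pages(session):
    return [p for p, _ in session]

def speed(session):
    """Page transitions per second between first and last request."""
    elapsed = session[-1][1] - session[0][1]
    return (len(session) - 1) / elapsed if elapsed > 0 else float("inf")

def occurrence_probability(cur, history):
    # Claim 5: average the similarity against every past initial sequence.
    return mean(similarity(pages(cur), pages(h)) for h in history)

def classify(cur, history):
    if len(cur) <= MIN_PAGES or len(history) < 2:
        return "insufficient"            # not enough initial behavior to judge
    if occurrence_probability(cur, history) < P_MIN:
        return "abnormal"                # page order unlike past sessions
    past = [speed(h) for h in history]
    lo, hi = mean(past) - SPEED_K * pstdev(past), mean(past) + SPEED_K * pstdev(past)
    return "normal" if lo <= speed(cur) <= hi else "abnormal"

# Constructed sample profile: (page, seconds since access) per session.
HISTORY = [
    [("login", 0), ("dashboard", 8), ("mail", 20), ("calendar", 31)],
    [("login", 0), ("dashboard", 10), ("mail", 22), ("docs", 35)],
    [("login", 0), ("dashboard", 7), ("calendar", 18), ("mail", 30)],
]
USUAL = [("login", 0), ("dashboard", 9), ("mail", 21), ("calendar", 33)]
ODD_ORDER = [("login", 0), ("admin", 9), ("export", 20), ("users", 32)]
TOO_FAST = [("login", 0), ("dashboard", 0.3), ("mail", 0.6), ("calendar", 0.9)]

if __name__ == "__main__":
    for name, s in [("usual", USUAL), ("odd order", ODD_ORDER), ("too fast", TOO_FAST)]:
        print(name, round(occurrence_probability(s, HISTORY), 2), classify(s, HISTORY))
```

With only a few past sessions the standard deviation is small, so the speed range is tight; a deployment would need a minimum profile size before trusting the second check.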

Classifications

  • User profiles

  • Traffic logging, e.g. anomaly detection

  • Detecting local intrusion or implementing counter-measures

  • by observing the pattern of computer usage, e.g. typical user behaviour

  • Multiple levels of security

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Korea Internet & Security Agency
What technology area does this patent fall under?
Primary CPC classification H04L63/1425. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jul 7, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).