Insider　threat　has　always　been　an　important　hidden　danger　of　information　system　security,　and　the　detection　of　insider　threat　is　the　main　concern　of　information　system　organizers.　Before　the　anomaly　detection,　the　process　of　feature　extraction　often　causes　a　part　of　information　loss,　and　the　detection　of　insider　threats　in　a　single　time　point　often　causes　false　positives.　Therefore,　this　paper　proposes　a　user　behavior　analysis　model,　by　aggregating　user　behavior　in　a　period　of　time,　comprehensively　characterizing　user　attributes,　and　then　detecting　internal　attacks.　Firstly,　the　user　behavior　characteristics　are　extracted　from　the　multi-domain　features　extracted　from　the　audit　log,　and　then　the　XGBoost　algorithm　is　used　to　train.　The　experimental　results　on　a　user　behavior　dataset　show　that　the　XGBoost　algorithm　can　be　used　to　identify　the　insider　threats.　The　value　of　F-measure　is　up　to　99.96%　which　is　better　than　SVM　and　random　forest　algorithm.