Nowadays,　access　control　to　Web　pages　relay　mostly　on　identification　and　authentication.　After　successful　authentication,　however,　subsequent　access　may　not　necessarily　be　performed　by　the　same　user.　Aimed　at　separating　identity　authentication　and　behavior　authentication　in　open　network　environments,　this　paper　proposes　an　access　control　method　based　on　the　analysis　of　user　behavior　in　Web　browsing　as　an　additional　access　control　mechanism　to　traditional　identity　authentication.　The　paper　provides　the　definition　of　user　behavior,　uses　browsing　time　and　navigated　path　to　determine　the　normality　of　user　behavior　based　on　the　result　of　comparing　the　value　calculated　using　a　proposed　algorithm　with　a　threshold,　thus　modeling　user　behavior　in　both　temporal　and　spatial　dimensions.　The　proposed　method　relies　on　a　database　that　contains　the　frequency　of　previous　access　to　the　path　by　the　same　user.　Experiment　shows　that　the　proposed　method　can　detect　abnormal　behavior　while　adapting　to　continuous　changes　in　user　behavior　and　can　thus　be　used　to　prevent　the　theft　of　user　accounts　to　improve　network　security.　©　2017　IEEE.