Abstract: Internal threat behaviors in enterprise information systems, especially pseudonym login and unauthorized operation, are becoming increasingly serious. To address them, this paper builds on user behavior analysis and adopts a layered security model that combines subject and object to establish a new internal threat detection framework for information systems. Malicious insider behavior is identified by comparing users' abnormal behavior against the authority of subject and object. Regular expressions and a mixed encryption algorithm are used to ensure detection accuracy and log security. Security detection is carried out from four aspects: identity authentication, access control, operation audit, and behavior threshold technology. The key technologies are introduced in detail. Experiments show that the proposed detection framework can prevent internal personnel from stealing data, provide response and intervention capabilities, and improve the security of information systems. Finally, the development trend of internal threat detection technology is discussed.