Abstract:
Existing methods for assessing the security behavior of internal users give little consideration to the contextual relevance of a user's operations, which reduces the accuracy of the assessment. To address this, and because long short-term memory (LSTM) networks are well suited to time-series problems, an LSTM-based method for evaluating internal user security behavior is proposed. In this method, the data are first vectorized and then divided according to the N vs. 1 scheme. The LSTM algorithm is then used to model the behavior habits of known users uniformly. Finally, the decision threshold is determined by a bimodal threshold mechanism, and user behaviors are evaluated. Experimental results show that the data partitioning scheme of this method improves the ability to detect abnormal operations of unknown users, and that introducing the bimodal threshold mechanism improves the accuracy and recall of the algorithm in detecting abnormal operations of unknown users.
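
The pipeline steps around the LSTM, as an added example that is not the paper's code: vectorization, N vs. 1 windowing, and a histogram-valley reading of the bimodal threshold. All function names are hypothetical, the scores are constructed stand-ins for the probability an LSTM would assign to each observed next operation, and treating a low score as abnormal is an assumption.

```python
def vectorize(ops):
    """Map each operation name to an integer id in first-seen order."""
    vocab = {}
    return [vocab.setdefault(op, len(vocab)) for op in ops]

def n_vs_1_windows(ids, n):
    """N vs. 1 split: every N consecutive operations predict the one that follows."""
    return [(ids[i:i + n], ids[i + n]) for i in range(len(ids) - n)]

def find_peaks(hist):
    """Indices of local maxima; bins outside the histogram count as empty."""
    padded = [0.0] + list(hist) + [0.0]
    return [i for i in range(len(hist))
            if padded[i + 1] > padded[i] and padded[i + 1] >= padded[i + 2]]

def bimodal_threshold(scores, bins=10, max_iter=1000):
    """Smooth the score histogram until two peaks remain; return the valley centre."""
    lo, hi = min(scores), max(scores)
    if hi == lo:
        raise ValueError("scores are constant, no bimodal structure")
    width = (hi - lo) / bins
    hist = [0.0] * bins
    for s in scores:
        hist[min(int((s - lo) / width), bins - 1)] += 1
    for _ in range(max_iter):
        peaks = find_peaks(hist)
        if len(peaks) == 2:
            break
        if len(peaks) < 2:
            raise ValueError("histogram is unimodal")
        padded = [0.0] + hist + [0.0]
        hist = [sum(padded[i:i + 3]) / 3 for i in range(bins)]  # 3-point mean
    else:
        raise ValueError("histogram did not settle to two peaks")
    left, right = peaks
    low = min(hist[left:right + 1])
    valley = [i for i in range(left, right + 1) if hist[i] == low]
    return lo + (valley[len(valley) // 2] + 0.5) * width

def flag_abnormal(scores, threshold):
    """Assumption: a score below the threshold marks the operation as abnormal."""
    return [s < threshold for s in scores]

# Constructed sample: model probability assigned to each observed next operation.
SCORES = [0.05, 0.08, 0.10, 0.12, 0.15, 0.80, 0.85, 0.88, 0.90, 0.92, 0.95, 0.97]
```

Deriving the threshold from the valley between the two score clusters avoids hand-picking a cut-off; if the scores show no second mode, the function raises instead of returning an arbitrary value.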