Mathieu Garchery,Michael Granitzer

DOI: https://doi.org/10.48550/arXiv.2007.06985

IF: 5.414

2020-07-14

Machine Learning

Abstract:Previous works on the CERT insider threat detection case have neglected graph and text features despite their relevance to describe user behavior. Additionally, existing systems heavily rely on feature engineering and audit data aggregation to detect malicious activities. This is time consuming, requires expert knowledge and prevents tracing back alerts to precise user actions. To address these issues we introduce ADSAGE to detect anomalies in audit log events modeled as graph edges. Our general method is the first to perform anomaly detection at edge level while supporting both edge sequences and attributes, which can be numeric, categorical or even text. We describe how ADSAGE can be used for fine-grained, event level insider threat detection in different audit logs from the CERT use case. Remarking that there is no standard benchmark for the CERT problem, we use a previously proposed evaluation setting based on realistic recall-based metrics. We evaluate ADSAGE on authentication, email traffic and web browsing logs from the CERT insider threat datasets, as well as on real-world authentication events. ADSAGE is effective to detect anomalies in authentications, modeled as user to computer interactions, and in email communications. Simple baselines give surprisingly strong results as well. We also report performance split by malicious scenarios present in the CERT datasets: interestingly, several detectors are complementary and could be combined to improve detection. Overall, our results show that graph features are informative to characterize malicious insider activities, and that detection at fine-grained level is possible.

nitin v kanaskar,jiang bian,remzi seker,mais nijim,nuri yilmazer

DOI: https://doi.org/10.1109/SYSCON.2011.5929116

2011-01-01

Abstract:Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

You Chen,Steve Nyemba,Wen Zhang,Bradley Malin

DOI: https://doi.org/10.1186/2190-8532-1-5

2012-02-27

Abstract:Collaborative information systems (CIS) enable users to coordinate efficiently over shared tasks in complex distributed environments. For flexibility, they provide users with broad access privileges, which, as a side-effect, leave such systems vulnerable to various attacks. Some of the more damaging malicious activities stem from internal misuse, where users are authorized to access system resources. A promising class of insider threat detection models for CIS focuses on mining access patterns from audit logs, however, current models are limited in that they assume organizations have significant resources to generate label cases for training classifiers or assume the user has committed a large number of actions that deviate from "normal" behavior. In lieu of the previous assumptions, we introduce an approach that detects when specific actions of an insider deviate from expectation in the context of collaborative behavior. Specifically, in this paper, we introduce a specialized network anomaly detection model, or SNAD, to detect such events. This approach assesses the extent to which a user influences the similarity of the group of users that access a particular record in the CIS. From a theoretical perspective, we show that the proposed model is appropriate for detecting insider actions in dynamic collaborative systems. From an empirical perspective, we perform an extensive evaluation of SNAD with the access logs of two distinct environments: the patient record access logs a large electronic health record system (6,015 users, 130,457 patients and 1,327,500 accesses) and the editing logs of Wikipedia (2,394,385 revisors, 55,200 articles and 6,482,780 revisions). We compare our model with several competing methods and demonstrate SNAD is significantly more effective: on average it achieves 20-30% greater area under an ROC curve.

Leiqi Wang,Jianguo Jiang,Xu Wang,Yan Wang,Qiujian Lv

DOI: https://doi.org/10.1109/ISCC58397.2023.10218139

2023-07-09

Abstract:Insider threats pose significant risks to the network systems of organizations. Users have diverse behavioral habits within an organization, leading to variations in their activity patterns. Hence, data analysis and mining techniques are essential for modeling user behavior. Current methods analyze system logs and extract user action sequence features; however, they overlook the relationships between different actions, reducing detection accuracy. To address this issue, we propose a novel method called UAG (User Action Graph). UAG transforms user actions into a graph representing their chronological order and interrelationships, facilitating a more accurate and comprehensive understanding of user behavior. By extracting global and local features from the user action graph, UAG offers an extensive and detailed perspective of user behaviors. Ultimately, we develop a lightweight ensemble autoencoder model to detect insider threats. Comprehensive experiments demonstrate that UAG delivers outstanding performance and surpasses existing methods.

Computer Science

Preetam Pal,Pratik Chattopadhyay,Mayank Swarnkar

DOI: https://doi.org/10.1016/j.eswa.2023.119925

IF: 8.5

2023-03-23

Expert Systems with Applications

Abstract:Nowadays, insider attacks are emerging as one of the top cybersecurity threats. However, the detection of insider threats is a more arduous task for many reasons. A significant cause is the availability of various data types related to insider activities and their possible behavioral drift. Another major reason is that threat activities rarely happen within any organizational environment and usually remain submerged within a massive amount of normal activities thereby creating data imbalance issues. Any insider threat event requires three major components to get materialized: proper motivation, suitable opportunity and a minimum skill set. The simultaneous occurrence of all these elements is rarely found in organizational environment compared to regular activity traits, and the data imbalance thus caused makes accurate detection of threat activities quite challenging. Existing insider threat detection techniques are mainly divided into statistical rule-based, machine learning-based, and deep learning-based methods. Although recent deep learning methods have been found to extract intrinsic behavioral properties from users' activity patterns more effectively than traditional rule-based and machine-learning methods by utilizing their multilayer architecture. But sporadic approaches prioritize critical sections of activity patterns in their detection scheme. Also, rare methods focused on taking advantage of multiple deep learning-based feature extraction models together in their detection scheme. Finally, rare methods have adequately focused on data imbalance issues, especially over the unequal proportion of different categories of threat instances. In this paper, we proposed an insider threat detection approach using an ensemble of stacked-LSTM and stacked-GRU-based attention models. Our models are first trained on the user's single-day sequential activity logs. Then a stacked ensemble of trained attention models is used to extract the user's single-day activity information in the form of the feature vector, which is finally used for classification. To address the data imbalance issues, we propose a new equally-weighted random sampling approach for balancing the population of the different categories of threat patterns. We randomly undersample the nonmalicious instances followed by random oversampling of the different categories of threat instances in an equally-weighted manner so that the training models can learn the behavioral characteristics of the different types of insider activity instances without getting biased towards any particular type, which is a major limitation of random oversampling and random undersampling-based techniques. Experiments have been performed on the different versions of the CMU CERT insider threat datasets. For robust evaluation, stratified division-based train-test sets have been used based on different categories of insider activities. An average AUC of 0.99 on CMU CERT v4.2 and v5.2 datasets and 0.97 on its v6.2 dataset shows the robustness of the proposed approach in detecting insider threats.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Pratik Chattopadhyay,Lipo Wang,Yap-Peng Tan

DOI: https://doi.org/10.1109/tcss.2018.2857473

2018-09-01

IEEE Transactions on Computational Social Systems

Abstract:An insider threat scenario refers to the outcome of a set of malicious activities caused by intentional or unintentional misuse of the organization’s systems, networks, data, and resources. Prevention of insider threat is difficult, since trusted partners of the organization are involved in it, who have authorized access to these confidential/sensitive resources. The state-of-the-art research on insider threat detection mostly focuses on developing unsupervised behavioral anomaly detection techniques with the objective of finding out anomalousness or abnormal changes in user behavior over time. However, an anomalous activity is not necessarily malicious that can lead to an insider threat scenario. As an improvement to the existing approaches, we propose a technique for insider threat detection from time-series classification of user activities. Initially, a set of single-day features is computed from the user activity logs. A time-series feature vector is next constructed from the statistics of each single-day feature over a period of time. The label of each time-series feature vector (whether malicious or nonmalicious) is extracted from the ground truth. To classify the imbalanced ground-truth insider threat data consisting of only a small number of malicious instances, we employ a cost-sensitive data adjustment technique that undersamples the nonmalicious class instances randomly. As a classifier, we employ a two-layered deep autoencoder neural network and compare its performance with other popularly used classifiers: random forest and multilayer perceptron. Encouraging results are obtained by evaluating our approach using the CMU Insider Threat Data, which is the only publicly available insider threat data set consisting of about 14-GB web-browsing logs, along with logon, device connection, file transfer, and e-mail log files. We observe that both deep autoencoder and random forest classifiers classify the data-adjusted time-series feature set with high precision, recall, and f-score. Although multilayer perceptron has a high recall, it suffers from a lower precision and f-score compared to the other two classifiers.

You Chen,Steve Nyemba,Wen Zhang,Bradley Malin

DOI: https://doi.org/10.1109/ISI.2011.5984061

Abstract:Collaborative information systems (CIS) enable users to coordinate efficiently over shared tasks. T hey are often deployed in complex dynamic systems that provide users with broad access privileges, but also leave the system vulnerable to various attacks. Techniques to detect threats originating from beyond the system are relatively mature, but methods to detect insider threats are still evolving. A promising class of insider threat detection models for CIS focus on the communities that manifest between users based on the usage of common subjects in the system. However, current methods detect only when a user's aggregate behavior is intruding, not when specific actions have deviated from expectation. In this paper, we introduce a method called specialized network anomaly detection (SNAD) to detect such events. SNAD assembles the community of users that access a particular subject and assesses if similarities of the community with and without a certain user are sufficiently different. We present a theoretical basis and perform an extensive empirical evaluation with the access logs of two distinct environments: those of a large electronic health record system (6,015 users, 130,457 patients and 1,327,500 accesses) and the editing logs of Wikipedia (2,388,955 revisors, 55,200 articles and 6,482,780 revisions). We compare SNAD with several competing methods and demonstrate it is significantly more effective: on average it achieves 20-30% greater area under an ROC curve.

Chengyu Song,Linru Ma,Jianming Zheng,Jinzhi Liao,Hongyu Kuang,Lin Yang

2024-08-12

Abstract:Log-based insider threat detection (ITD) detects malicious user activities by auditing log entries. Recently, large language models (LLMs) with strong common sense knowledge have emerged in the domain of ITD. Nevertheless, diverse activity types and overlong log files pose a significant challenge for LLMs in directly discerning malicious ones within myriads of normal activities. Furthermore, the faithfulness hallucination issue from LLMs aggravates its application difficulty in ITD, as the generated conclusion may not align with user commands and activity context. In response to these challenges, we introduce Audit-LLM, a multi-agent log-based insider threat detection framework comprising three collaborative agents: (i) the Decomposer agent, breaking down the complex ITD task into manageable sub-tasks using Chain-of-Thought (COT) reasoning;(ii) the Tool Builder agent, creating reusable tools for sub-tasks to overcome context length limitations in LLMs; and (iii) the Executor agent, generating the final detection conclusion by invoking constructed tools. To enhance conclusion accuracy, we propose a pair-wise Evidence-based Multi-agent Debate (EMAD) mechanism, where two independent Executors iteratively refine their conclusions through reasoning exchange to reach a consensus. Comprehensive experiments conducted on three publicly available ITD datasets-CERT r4.2, CERT r5.2, and PicoDomain-demonstrate the superiority of our method over existing baselines and show that the proposed EMAD significantly improves the faithfulness of explanations generated by LLMs.

Cryptography and Security,Artificial Intelligence

Oksana Nikiforova,Andrejs Romanovs,Vitaly Zabiniako,Jurijs Kornienko

DOI: https://doi.org/10.1109/access.2024.3365424

IF: 3.9

2024-03-02

IEEE Access

Abstract:This paper explores the analysis of user behavior in information systems through audit records, creating a behavior model represented as a graph. The model captures actions over a specified period, facilitating real-time comparison to identify insider threats exploring anomalies detected in behavior models. "e-StepControl," developed by "ABC software" Ltd., incorporates this approach for monitoring user behavior in different business environments. The study proposes enhancing this solution with automatic user clustering, achieved by grouping individuals exhibiting similar behavior patterns using AI/ML algorithms. The research evaluates various clustering methods, discussing their suitability for grouping users based on their behavior. The subsequent step involves leveraging user class behavior models to identify anomalies by comparing an individual's actions with the behavior model expected in their specific user group. This extension aims to enhance the system's ability to detect potentially malicious activities, providing data security administrators with timely alerts in case of deviations from typical behavior.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kexiong Fei,Jiang Zhou,Yucan Zhou,Xiaoyan Gu,Haihui Fan,Bo Li,Weiping Wang,Yong Chen

DOI: https://doi.org/10.1016/j.cose.2024.104126

IF: 5.105

2024-09-21

Computers & Security

Abstract:Insider threats have increasingly become a critical issue that modern enterprises and organizations faced. They are mainly initiated by insider attackers, which may cause disastrous impacts. Numerous research studies have been conducted for insider threat detection. However, most of them are limited due to a small number of malicious samples. Moreover, as existing methods often concentrate on feature information or statistical characteristics for anomaly detection, they still lack effective use of comprehensive textual content information contained in logs and thus will affect detection efficiency. We propose LaAeb , a novel unsupervised insider threat detection framework that leverages rich linguistic information in log contents to enable conventional methods, such as an Isolation Forest-based anomaly detection, to better detect insider threats besides using various features and statistical information. To find malicious acts under different scenarios, we consider three patterns of insider threats, including attention , emotion , and behavior anomaly . The attention anomaly detection analyzes textual contents of operation objects (e.g., emails and web pages) in logs to detect threats, where the textual information reflects the areas that employees focus on. When the attention seriously deviates from daily work, an employee may involve malicious acts. The emotion anomaly detection analyzes all dialogs between every two employees' daily communicated texts and uses the degree of negative to find potential psychological problems. The behavior anomaly detection analyzes the operations of logs to detect threats. It utilizes information acquired from attention and emotion anomalies as ancillary features, integrating them with features and statistics extracted from log operations to create log embeddings. With these log embeddings, LaAeb employs anomaly detection algorithm like Isolation Forest to analyze an employee's malicious operations, and further detects the employee's behavior anomaly by considering all employees' acts in the same department. Finally, LaAeb consolidates detection results of three patterns indicative of insider threats in a comprehensive manner. We implement the prototype of LaAeb and test it on CERT and LANL datasets. Our evaluations demonstrate that compared with state-of-the-art unsupervised methods, LaAeb reduces FPR by 50% to reach 0.05 on CERT dataset under the same AUC (0.93) , and gets the best AUC (0.97) with 0.06 higher value on LANL dataset.

computer science, information systems

Alex Kantchelian,Casper Neo,Ryan Stevens,Hyungwon Kim,Zhaohao Fu,Sadegh Momeni,Birkett Huber,Elie Bursztein,Yanis Pavlidis,Senaka Buthpitiya,Martin Cochran,Massimiliano Poletto

2024-12-10

Abstract:We present Facade (Fast and Accurate Contextual Anomaly DEtection): a high-precision deep-learning-based anomaly detection system deployed at Google (a large technology company) as the last line of defense against insider threats since 2018. Facade is an innovative unsupervised action-context system that detects suspicious actions by considering the context surrounding each action, including relevant facts about the user and other entities involved. It is built around a new multi-modal model that is trained on corporate document access, SQL query, and HTTP/RPC request logs. To overcome the scarcity of incident data, Facade harnesses a novel contrastive learning strategy that relies solely on benign data. Its use of history and implicit social network featurization efficiently handles the frequent out-of-distribution events that occur in a rapidly changing corporate environment, and sustains Facade's high precision performance for a full year after training. Beyond the core model, Facade contributes an innovative clustering approach based on user and action embeddings to improve detection robustness and achieve high precision, multi-scale detection. Functionally what sets Facade apart from existing anomaly detection systems is its high precision. It detects insider attackers with an extremely low false positive rate, lower than 0.01%. For single rogue actions, such as the illegitimate access to a sensitive document, the false positive rate is as low as 0.0003%. To the best of our knowledge, Facade is the only published insider risk anomaly detection system that helps secure such a large corporate environment.

Cryptography and Security

Krishna C. Roy,Guenevere Chen

DOI: https://doi.org/10.1109/tdsc.2024.3353929

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Insider threat is one of the most damaging cyber attacks that could cause the loss of intellectual property and enterprise data security breaches. Action sequence data such as host logs are used to investigate such threats and develop anomaly-based AI detectors. However, insider threat actions are similar to legitimate user activities, causing AI detectors to fail and suffer from high false alarm rates. Therefore, user cyber activity logs are inadequate to fully unfold insider threats. In this study, we adopt human psychological principles of risk-taking and impulsiveness along with host data to assess the influence and usefulness of human behavioral aspects in insider threat detection. We hypothesize that individuals' impulsive and risk-taking behavior correlates with cyberspace activities. To validate our hypothesis, we conducted an IRB-approved study recruiting 35 participants who work in a large U.S. university and collected their cyber and psychological data for 90 days. Host and human-behavioral data analysis and mapping indicate that impulsive and risk-taking users trigger more system errors causing (un)intentional insider threats and are susceptible to attackers' social engineering and cognitive hacking. Utilizing cyber-human aspects, we introduce a Cyber-Human Graph Neural Network (GNN) based framework GraphCH to identify abnormal user behaviors and detect insider threats.

computer science, information systems, software engineering, hardware & architecture

Anagi Gamachchi,Li Sun,Serdar Boztas

DOI: https://doi.org/10.48550/arXiv.1809.00141

2018-09-01

Cryptography and Security

Abstract:While most security projects have focused on fending off attacks coming from outside the organizational boundaries, a real threat has arisen from the people who are inside those perimeter protections. Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many thousands of people. What is in the news is the tip of the iceberg, with much more going on under the radar, and some threats never being detected. We propose a hybrid framework based on graphical analysis and anomaly detection approaches, to combat this severe cybersecurity threat. Our framework analyzes heterogeneous data in isolating possible malicious users hiding behind others. Empirical results reveal this framework to be effective in distinguishing the majority of users who demonstrate typical behavior from the minority of users who show suspicious behavior.

Simon Bertrand,Nadia Tawbi,Josée Desharnais

DOI: https://doi.org/10.48550/arXiv.2211.14437

2022-11-23

Abstract:Insider threats are a growing concern for organizations due to the amount of damage that their members can inflict by combining their privileged access and domain knowledge. Nonetheless, the detection of such threats is challenging, precisely because of the ability of the authorized personnel to easily conduct malicious actions and because of the immense size and diversity of audit data produced by organizations in which the few malicious footprints are hidden. In this paper, we propose an unsupervised insider threat detection system based on audit data using Bayesian Gaussian Mixture Models. The proposed approach leverages a user-based model to optimize specific behaviors modelization and an automatic feature extraction system based on Word2Vec for ease of use in a real-life scenario. The solution distinguishes itself by not requiring data balancing nor to be trained only on normal instances, and by its little domain knowledge required to implement. Still, results indicate that the proposed method competes with state-of-the-art approaches, presenting a good recall of 88\%, accuracy and true negative rate of 93%, and a false positive rate of 6.9%. For our experiments, we used the benchmark dataset CERT version 4.2.

Cryptography and Security,Machine Learning

You Chen,Bradley Malin

DOI: https://doi.org/10.1145/1943513.1943524

Abstract:Collaborative information systems (CIS) are deployed within a diverse array of environments, ranging from the Internet to intelligence agencies to healthcare. It is increasingly the case that such systems are applied to manage sensitive information, making them targets for malicious insiders. While sophisticated security mechanisms have been developed to detect insider threats in various file systems, they are neither designed to model nor to monitor collaborative environments in which users function in dynamic teams with complex behavior. In this paper, we introduce a community-based anomaly detection system (CADS), an unsupervised learning framework to detect insider threats based on information recorded in the access logs of collaborative environments. CADS is based on the observation that typical users tend to form community structures, such that users with low a nity to such communities are indicative of anomalous and potentially illicit behavior. The model consists of two primary components: relational pattern extraction and anomaly detection. For relational pattern extraction, CADS infers community structures from CIS access logs, and subsequently derives communities, which serve as the CADS pattern core. CADS then uses a formal statistical model to measure the deviation of users from the inferred communities to predict which users are anomalies. To empirically evaluate the threat detection model, we perform an analysis with six months of access logs from a real electronic health record system in a large medical center, as well as a publicly-available dataset for replication purposes. The results illustrate that CADS can distinguish simulated anomalous users in the context of real user behavior with a high degree of certainty and with significant performance gains in comparison to several competing anomaly detection models.

M. Arthur Munson,Jason Kichen,Dustin Hillard,Ashley Fidler,Peiter Zatko

DOI: https://doi.org/10.48550/arXiv.1904.03584

2019-04-07

Abstract:We describe the motivation and design for esINSIDER, an automated tool that detects potential persistent and insider threats in a network. esINSIDER aggregates clues from log data, over extended time periods, and proposes a small number of cases for human experts to review. The proposed cases package together related information so the analyst can see a bigger picture of what is happening, and their evidence includes internal network activity resembling reconnaissance and data collection. The core ideas are to 1) detect fundamental campaign behaviors by following data movements over extended time periods, 2) link together behaviors associated with different meta-goals, and 3) use machine learning to understand what activities are expected and consistent for each individual network. We call this approach campaign analytics because it focuses on the threat actor's campaign goals and the intrinsic steps to achieve them. Linking different campaign behaviors (internal reconnaissance, collection, exfiltration) reduces false positives from business-as-usual activities and creates opportunities to detect threats before a large exfiltration occurs. Machine learning makes it practical to deploy this approach by reducing the amount of tuning needed.

Cryptography and Security,Machine Learning

Brian A. Powell

DOI: https://doi.org/10.48550/arXiv.1909.09047

2020-03-25

Abstract:Authenticated lateral movement via compromised accounts is a common adversarial maneuver that is challenging to discover with signature- or rules-based intrusion detection systems. In this work a behavior-based approach to detecting malicious logins to novel systems indicative of lateral movement is presented, in which a user's historical login activity is used to build a model of putative "normal" behavior. This historical login activity is represented as a collection of daily login graphs, which encode authentications among accessed systems. Each system, or graph vertex, is described by a set of graph centrality measures that characterize it and the local topology of its login graph. The unsupervised technique of non-negative matrix factorization is then applied to this set of features to assign each vertex to a role that summarizes how the system participates in logins. The reconstruction error quantifying how well each vertex fits into its role is then computed, and the statistics of this error can be used to identify outlier vertices that correspond to systems involved in unusual logins. We test this technique with a small cohort of privileged accounts using real login data from an operational enterprise network. The ability of the method to identify malicious logins among normal activity is tested with simulated graphs of login activity representative of adversarial lateral movement. We find that the method is generally successful at detecting a broad range of lateral movement for each user, with false positive rates significantly lower than those resulting from alerts based solely on login novelty.

Cryptography and Security,Machine Learning

Phavithra Manoharan,Jiao Yin,Hua Wang,Yanchun Zhang,Wenjie Ye

DOI: https://doi.org/10.1007/s11235-023-01085-3

2023-12-29

Telecommunication Systems

Abstract:Insider threats refer to abnormal actions taken by individuals with privileged access, compromising system data's confidentiality, integrity, and availability. They pose significant cybersecurity risks, leading to substantial losses for several organizations. Detecting insider threats is crucial due to the imbalance in their datasets. Moreover, the performance of existing works has been evaluated on various datasets and problem settings, making it challenging to compare the effectiveness of different algorithms and offer recommendations to decision-makers. Furthermore, no existing work investigates the impact of changing hyperparameters. This paper aims to objectively assess the performance of various supervised machine learning algorithms for detecting insider threats under the same setting. We precisely evaluate the performance of various supervised machine learning algorithms on a balanced dataset using the same feature extraction method. Additionally, we explore the impact of hyperparameter tuning on performance within the balanced dataset. Finally, we investigate the performance of different algorithms in the context of imbalanced datasets under various conditions. We conduct all the experiments in the publicly available CERT r4.2 dataset. The results show that supervised learning with a balanced dataset in RF obtains the best accuracy and F1-score of 95.9% compared with existing works, such as, DNN, LSTM Autoencoder and User Behavior Analysis.

telecommunications

Adarsh Kulkarni,Priya Mani,Carlotta Domeniconi

DOI: https://doi.org/10.48550/arXiv.1702.05809

2017-02-19

Social and Information Networks

Abstract:Insider trading is one of the numerous white collar crimes that can contribute to the instability of the economy. Traditionally, the detection of illegal insider trades has been a human-driven process. In this paper, we collect the insider tradings made available by the US Securities and Exchange Commissions (SEC) through the EDGAR system, with the aim of initiating an automated large-scale and data-driven approach to the problem of identifying illegal insider tradings. The goal of the study is the identification of interesting patterns, which can be indicators of potential anomalies. We use the collected data to construct networks that capture the relationship between trading behaviors of insiders. We explore different ways of building networks from insider trading data, and argue for a need of a structure that is capable of capturing higher order relationships among traders. Our results suggest the discovery of interesting patterns.

Jiehui Zhou,Xumeng Wang,Jie Wang,Hui Ye,Huanliang Wang,Zihan Zhou,Dongming Han,Haochao Ying,Jian Wu,Wei Chen

DOI: https://doi.org/10.1109/TVCG.2023.3261910

2023-03-24

Abstract:Collusive fraud, in which multiple fraudsters collude to defraud health insurance funds, threatens the operation of the healthcare system. However, existing statistical and machine learning-based methods have limited ability to detect fraud in the scenario of health insurance due to the high similarity of fraudulent behaviors to normal medical visits and the lack of labeled data. To ensure the accuracy of the detection results, expert knowledge needs to be integrated with the fraud detection process. By working closely with health insurance audit experts, we propose FraudAuditor, a three-stage visual analytics approach to collusive fraud detection in health insurance. Specifically, we first allow users to interactively construct a co-visit network to holistically model the visit relationships of different patients. Second, an improved community detection algorithm that considers the strength of fraud likelihood is designed to detect suspicious fraudulent groups. Finally, through our visual interface, users can compare, investigate, and verify suspicious patient behavior with tailored visualizations that support different time scales. We conducted case studies in a real-world healthcare scenario, i.e., to help locate the actual fraud group and exclude the false positive group. The results and expert feedback proved the effectiveness and usability of the approach.

Human-Computer Interaction