Wei Jiang,Yuan Tian,Weixin Liu,Wenmao Liu

DOI: https://doi.org/10.1007/978-3-030-00828-4_43

2018-01-01

Abstract:Insider threat has always been an important hidden danger of information system security, and the detection of insider threat is the main concern of information system organizers. Before the anomaly detection, the process of feature extraction often causes a part of information loss, and the detection of insider threats in a single time point often causes false positives. Therefore, this paper proposes a user behavior analysis model, by aggregating user behavior in a period of time, comprehensively characterizing user attributes, and then detecting internal attacks. Firstly, the user behavior characteristics are extracted from the multi-domain features extracted from the audit log, and then the XGBoost algorithm is used to train. The experimental results on a user behavior dataset show that the XGBoost algorithm can be used to identify the insider threats. The value of F-measure is up to 99.96% which is better than SVM and random forest algorithm.

Junhong Kim,Minsik Park,Haedong Kim,Suhyoun Cho,Pilsung Kang,Kim,Park,Kim,Cho,Kang

DOI: https://doi.org/10.3390/app9194018

2019-09-25

Applied Sciences

Abstract:Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization’s system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user’s daily activity summary, e-mail contents topic distribution, and user’s weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts’ knowledge is provided.

Linghui Li,Yali Gao,Xiaoyong Li,Shui Yu,Jie Yuan,Ximing Li,Jia Jia

DOI: https://doi.org/10.1109/TIFS.2023.3245413

IF: 7.231

IEEE Transactions on Information Forensics and Security

Abstract:Insider threat is destructive and concealable, making addressing it a challenging task in cybersecurity. Most existing methods transform user behavior into sequential information and analyze user behavior while neglecting structural information among users, resulting in high false positives. To solve this problem, in this paper, we propose Dual-Domain Graph Convolutional Network (referred to as DD-GCN), a graph-based modularized method for high accuracy and adaptive insider threat detection. The central idea is to convert user features and structural information into heterogeneous graphs in the light of various relationships and take user behavior and relationship into account together. To this end, a weighted feature similarity mechanism is applied to balance the feature similarity of users and original linkages among them so as to generate the fused structure. Next, specific graph embeddings are extracted from the original topology structure and fused structure simultaneously, which convert behavior information into high-level representations. Furthermore, an attention mechanism is applied to learn the adaptive importance weights of the user’s features in the corresponding embedding. The combination and difference constraints are proposed to enhance the learned embeddings’ commonality and the ability to capture different information. Extensive experiments on two real-world datasets clearly show that our proposed DD-GCN extracts the most correlated information from structural topology and feature information substantially, and achieves improved accuracy with a clear margin.

Computer Science

Qiujian Lv,Yan Wang,Leiqi Wang,Dan Wang

DOI: https://doi.org/10.1109/ICNIDC.2018.8525804

2018-01-01

Abstract:Organizations are experiencing an ever-growing concern of how to identify and defend against insider threats. Existing methods have distinguished the minority of users who show suspicious behavior from the majority of users. However, these methods failed to apply the features reflecting the deviation between the behaviors of users and those of their user groups within the similar job roles. This paper focuses on insider threat detection by conducting both user and role behaviors analysis. It extracts multiple features that represent the details of activities conducted by each user and their deviations from the behaviors of their user groups. The malicious users are then detected by using an unsupervised algorithm, Isolation Forest Algorithm, which evaluates the variance that each user exhibits across multiple attributes, compared against the other users. To evaluate the performance of the proposed models comprehensively, we implement a series of experiments with the data lasting 17 months. We compare the proposed method with an existing state-of-the-art method and the results demonstrate the robust performance of the proposed detection method.

Junkai Yi,Yongbo Tian

DOI: https://doi.org/10.3390/electronics13050973

IF: 2.9

2024-03-04

Electronics

Abstract:Insider threats are one of the most costly and difficult types of attacks to detect due to the fact that insiders have the right to access an organization's network systems and understand its structure and security procedures, making it difficult to detect this type of behavior through traditional behavioral auditing. This paper proposes a method to leverage unsupervised outlier scores to enhance supervised insider threat detection by integrating the advantages of supervised and unsupervised learning methods and using multiple unsupervised outlier mining algorithms to extract from the underlying data useful representations, thereby enhancing the predictive power of supervised classifiers on the enhanced feature space. This novel approach provides superior performance, and our method provides better predictive power compared to other excellent abnormal detection methods. Using only 20% of the computing budget, our method achieved an accuracy of 86.12%. Compared with other anomaly detection methods, the accuracy increased by up to 12.5% under the same computing budget.

engineering, electrical & electronic,computer science, information systems,physics, applied

Rui Zhang,Xiaojun Chen,Jinqiao Shi,Fei Xu,Yiguo Pu

DOI: https://doi.org/10.1007/978-3-319-11119-3_35

2014-01-01

Abstract:In recent years, the major source of information leakage is due to insiders. In order to detect information leakage by some internal insiders, anomaly detection using individual and community behavior models have been developed. The basic assumption of anomaly detection is each user has his/her own profile of activities and anomaly detection algorithm attempts to identify any deviation from the basic profile by each user. Both models neglected the possibility of change of individual user profile, e.g. change of individual interests. We propose here an anomaly detection model of insider threat using file content. The proposed model uses the document segmentation and Naive Bayes algorithm to classify the contents of files in an organization. We then set up the correlation matrices between users and their interests, and also the user community and their interests. We then propose a comprehensive model to detect the insider threat, which takes into consideration of the deviations of individual users' current behaviors, their historical behaviors and their associated community behaviors simultaneously. According to the experimental test results, the proposed model can successfully detect the anomaly access to files in the internal systems.

Weiyu He,Xu Wu,Jingchen Wu,Xiaqing Xie,Lirong Qiu,Lijuan Sun

DOI: https://doi.org/10.1109/dsc53577.2021.00089

2021-10-01

Abstract:Insider threat makes enterprises or organizations suffer from the loss of property and the negative influence of reputation. User behavior analysis is the mainstream method of insider threat detection, but due to the lack of fine-grained detection and the inability to effectively capture the behavior patterns of individual users, the accuracy and precision of detection are insufficient. To solve this problem, this paper designs an insider threat detection method based on user historical behavior and attention mechanism, including using Long Short Term Memory (LSTM) to extract user behavior sequence information, using Attention-based on user history behavior (ABUHB) learns the differences between different user behaviors, uses Bidirectional-LSTM (Bi-LSTM) to learn the evolution of different user behavior patterns, and finally realizes fine-grained user abnormal behavior detection. To evaluate the effectiveness of this method, experiments are conducted on the CMU-CERT Insider Threat Dataset. The experimental results show that the effectiveness of this method is 3.1% to 6.3% higher than that of other comparative model methods, and it can detect insider threats in different user behaviors with fine granularity.

Guang Yang,Lijun Cai,Yuaimin,Jiangang Ma,Dan Meng,Yu Wu

DOI: https://doi.org/10.1109/bigdataservice.2018.00011

2018-01-01

Abstract:The insider threat continues to be a paramount cyber security challenge that threatens individuals, financial enterprises and governmental organizations. To deter insider threats, traditional detection, which mainly focuses on policy checks and anomaly detection for users' computers and network activities, has been studied widely. However, because insiders have intrinsic authorized access at attack under normal behavior profiles, it is necessary to integrate the attackers' psychological characteristics. This work proposes a novel detection approach for potential malicious insiders based on a comprehensive security psychological model derived from Big-5 and Dark Triad personality traits, overcoming the biased choice and equality hypothesis problems in previous work. Moreover, the threat confidence degree is proposed to identify pseudo abnormal users and to markedly reduce the false positive rate. The experimental results illustrate the effectiveness and feasibility of the proposed approach, which has a very low false negative rate, and lay the foundation for a promising insider threat detection approach that integrates the attackers' psychological traits with the attack-chain characteristics.

Pratik Chattopadhyay,Lipo Wang,Yap-Peng Tan

DOI: https://doi.org/10.1109/tcss.2018.2857473

2018-09-01

IEEE Transactions on Computational Social Systems

Abstract:An insider threat scenario refers to the outcome of a set of malicious activities caused by intentional or unintentional misuse of the organization’s systems, networks, data, and resources. Prevention of insider threat is difficult, since trusted partners of the organization are involved in it, who have authorized access to these confidential/sensitive resources. The state-of-the-art research on insider threat detection mostly focuses on developing unsupervised behavioral anomaly detection techniques with the objective of finding out anomalousness or abnormal changes in user behavior over time. However, an anomalous activity is not necessarily malicious that can lead to an insider threat scenario. As an improvement to the existing approaches, we propose a technique for insider threat detection from time-series classification of user activities. Initially, a set of single-day features is computed from the user activity logs. A time-series feature vector is next constructed from the statistics of each single-day feature over a period of time. The label of each time-series feature vector (whether malicious or nonmalicious) is extracted from the ground truth. To classify the imbalanced ground-truth insider threat data consisting of only a small number of malicious instances, we employ a cost-sensitive data adjustment technique that undersamples the nonmalicious class instances randomly. As a classifier, we employ a two-layered deep autoencoder neural network and compare its performance with other popularly used classifiers: random forest and multilayer perceptron. Encouraging results are obtained by evaluating our approach using the CMU Insider Threat Data, which is the only publicly available insider threat data set consisting of about 14-GB web-browsing logs, along with logon, device connection, file transfer, and e-mail log files. We observe that both deep autoencoder and random forest classifiers classify the data-adjusted time-series feature set with high precision, recall, and f-score. Although multilayer perceptron has a high recall, it suffers from a lower precision and f-score compared to the other two classifiers.

Xuebin Wang,Qingfeng Tan,Jinqiao Shi,Shen Su,Meiqi Wang

DOI: https://doi.org/10.1109/dsc.2018.00077

2018-01-01

Abstract:With the rapid development of information technology, office automation is continuously improving. The data leakage problem resulting from insider threats is getting worse, legitimate users may abuse privileges or masquerade as other users, which may result in the loss of data. In this paper, a new data-centric approach is proposed to detect insider threat, which based on characterizing user behavior by extracting the features of user interaction behavior including keystroke dynamics and consecutive queries to model users' access patterns. Statistical learning algorithms are trained and tested from opening dataset to predict abnormal behavior patterns; experimental results indicate that the approach is very effective and accurate.

Hoda Eldardiry,Evgeniy Bart,Juan Liu,John Hanley,Bob Price,Oliver Brdiczka

DOI: https://doi.org/10.1109/SPW.2013.14

2013-01-01

Abstract:Malicious insiders pose significant threats to information security, and yet the capability of detecting malicious insiders is very limited. Insider threat detection is known to be a difficult problem, presenting many research challenges. In this paper we report our effort on detecting malicious insiders from large amounts of work practice data. We propose novel approaches to detect two types of insider activities: (1) blend-in anomalies, where malicious insiders try to behave similar to a group they do not belong to, and (2) unusual change anomalies, where malicious insiders exhibit changes in their behavior that are dissimilar to their peers' behavioral changes. Our first contribution focuses on detecting blend-in malicious insiders. We propose a novel approach by examining various activity domains, and detecting behavioral inconsistencies across these domains. Our second contribution is a method for detecting insiders with unusual changes in behavior. The key strength of this proposed approach is that it avoids flagging common changes that can be mistakenly detected by typical temporal anomaly detection mechanisms. Our third contribution is a method that combines anomaly indicators from multiple sources of information.

Phavithra Manoharan,Jiao Yin,Hua Wang,Yanchun Zhang,Wenjie Ye

DOI: https://doi.org/10.1007/s11235-023-01085-3

2023-12-29

Telecommunication Systems

Abstract:Insider threats refer to abnormal actions taken by individuals with privileged access, compromising system data's confidentiality, integrity, and availability. They pose significant cybersecurity risks, leading to substantial losses for several organizations. Detecting insider threats is crucial due to the imbalance in their datasets. Moreover, the performance of existing works has been evaluated on various datasets and problem settings, making it challenging to compare the effectiveness of different algorithms and offer recommendations to decision-makers. Furthermore, no existing work investigates the impact of changing hyperparameters. This paper aims to objectively assess the performance of various supervised machine learning algorithms for detecting insider threats under the same setting. We precisely evaluate the performance of various supervised machine learning algorithms on a balanced dataset using the same feature extraction method. Additionally, we explore the impact of hyperparameter tuning on performance within the balanced dataset. Finally, we investigate the performance of different algorithms in the context of imbalanced datasets under various conditions. We conduct all the experiments in the publicly available CERT r4.2 dataset. The results show that supervised learning with a balanced dataset in RF obtains the best accuracy and F1-score of 95.9% compared with existing works, such as, DNN, LSTM Autoencoder and User Behavior Analysis.

telecommunications

Lingli Lin,Shangping Zhong,Cunmin Jia,Kaizhi Chen

DOI: https://doi.org/10.1109/icgi.2017.37

2017-01-01

Abstract:Insider threat is a significant security risk for information system, and detection of insider threat is a major concern for information system organizers. Recently existing work mainly focused on the single pattern analysis of user single-domain behavior, which were not suitable for user behavior pattern analysis in multi-domain scenarios. However, the fusion of multidomain irrelevant features may hide the existence of anomalies. Previous feature learning methods have relatively a large proportion of information loss in feature extraction. Therefore, this paper proposes a hybrid model based on the deep belief network (DBN) to detect insider threat. First, an unsupervised DBN is used to extract hidden features from the multi-domain feature extracted by the audit logs. Secondly, a One-Class SVM (OCSVM) is trained from the features learned by the DBN. The experimental results on the CERT dataset demonstrate that the DBN can be used to identify the insider threat events and it provides a new idea to feature processing for the insider threat detection.

Zhihong Tian,Wei Shi,Zhiyuan Tan,Jing Qiu,Yanbin Sun,Feng Jiang,Yan Liu

DOI: https://doi.org/10.1007/s11036-020-01656-7

2020-10-09

Mobile Networks and Applications

Abstract:Organizations' own personnel now have a greater ability than ever before to misuse their access to critical organizational assets. Insider threat detection is a key component in identifying rare anomalies in context, which is a growing concern for many organizations. Existing perimeter security mechanisms are proving to be ineffective against insider threats. As a prospective filter for the human analysts, a new deep learning based insider threat detection method that uses the Dempster-Shafer theory is proposed to handle both accidental as well as intentional insider threats via organization's channels of communication in real time. The long short-term memory (LSTM) architecture together with multi-head attention mechanism is applied in this work to detect anomalous network behavior patterns. Furthermore, belief is updated with Dempster's conditional rule and utilized to fuse evidence to achieve enhanced prediction. The CERT Insider Threat Dataset v6.2 is used to train the behavior model. Through performance evaluation, our proposed method is proven to be effective as an insider threat detection technique.

computer science, information systems,telecommunications, hardware & architecture

nitin v kanaskar,jiang bian,remzi seker,mais nijim,nuri yilmazer

DOI: https://doi.org/10.1109/SYSCON.2011.5929116

2011-01-01

Abstract:Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

Dongxue Zhang,Yang Zheng,Yu Wen,Yujue Xu,Jingchuo Wang,Yang Yu,Dan Meng

DOI: https://doi.org/10.1145/3267494.3267495

2018-01-01

Abstract:Insider threats have shown their great destructive power in information security and financial stability and have received widespread attention from governments and organizations. Traditional intrusion detection systems fail to be effective in insider attacks due to the lack of extensive knowledge for insider behavior patterns. Instead, a more sophisticated method is required to have a deeper understanding for activities that insiders communicate with the information system. In this paper, we design a classifier, a neural network model utilizing Long Short Term Memory (LSTM) to model user log as a natural language sequence and achieve role-based classification. LSTM Model can learn behavior patterns of different users by automatically extracting feature and detect anomalies when log patterns deviate from the trained model. To illustrate the effective of classification model, we design two experiments based on cmu dataset. Experimental evaluations have shown that our model can successfully distinguish different behavior pattern and detect malicious behavior.

Anagi Gamachchi,Li Sun,Serdar Boztas

DOI: https://doi.org/10.48550/arXiv.1809.00141

2018-09-01

Cryptography and Security

Abstract:While most security projects have focused on fending off attacks coming from outside the organizational boundaries, a real threat has arisen from the people who are inside those perimeter protections. Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many thousands of people. What is in the news is the tip of the iceberg, with much more going on under the radar, and some threats never being detected. We propose a hybrid framework based on graphical analysis and anomaly detection approaches, to combat this severe cybersecurity threat. Our framework analyzes heterogeneous data in isolating possible malicious users hiding behind others. Empirical results reveal this framework to be effective in distinguishing the majority of users who demonstrate typical behavior from the minority of users who show suspicious behavior.

Yu Cao,Yilu Chen,Ye Wang,Ning Hu,Zhaoquan Gu,Yan Jia

DOI: https://doi.org/10.1007/978-981-97-7244-5_2

2024-01-01

Abstract:Malicious insider attacks are among the most destructive threats to enterprises. Solving the insider threat problem involves several challenges, including data imbalance and detection of anomalous behavior. This paper presents TS-AUBD, a two-stage method for abnormal user behavior detection. TS-AUBD consists of coarse-grained and fine-grained user-level models. TS-AUBD can not only effectively detect abnormal behaviors and users but also analyze the situation of abnormal behaviors presented in each abnormal user. Experiments were conducted on a publicly available standard dataset CERT R4.2. Results show that TS-AUBD shows better performance compared with the baseline model, with an accuracy of up to 99.9% for behavior detection and 99. 8% for user detection.

Guang Yang,Lijun Cai,Aimin Yu,Dan Meng

DOI: https://doi.org/10.1109/trustcom/bigdatase.2018.00110

2018-01-01

Abstract:The insider threat continues to be a paramount cyber security challenge that threatens individuals, financial enterprises and governmental organizations. To deter insider threats, the scenario-driven detection approach has been a hot topic. However, the technological limitations in practice severely constrain the scenario-driven detection effect in reality. Therefore we propose a new general and expandable insider threat detection system that divides the detection into two functional modules: the baseline anomaly detection module, which are competent with multiple attack-scenario detections based on multi-domain behavioral mode features with adaptive characteristics, and the scenario-driven alarm filter module based on time-based anomaly frequency degree(TAFD) and attack beginning analysis. The multi-domain behavioral mode features enable us to effectively identify the user's abnormal behavior in general feature extraction and classification organization without a specific scenario analysis, whereas the exemplary scenario-driven alarm filter based on the time-based anomaly frequency degree is used to distinguish benign anomaly and attack anomaly according to the frequency characteristics from the scenario analysis, besides a specific alarm filter based on attack beginning analysis. The experimental results illustrate the effectiveness and feasibility of the proposed general and expandable insider threat detection system, by showing satisfactory true positive rate(TPR) and low false positive rate(FPR) with reasonable hit and tradeoff rate for multiple attack scenarios. This work lays the foundation for a promising insider threat detection architecture that integrates multiple scenario-driven detections into a normative, flexible and effective modular system.

Singh, Malvika,Mehtre, B. M.,Sangeetha, S.,Govindaraju, Venu

DOI: https://doi.org/10.1007/s12652-023-04581-1

IF: 3.662

2023-03-06

Journal of Ambient Intelligence and Humanized Computing

Abstract:Insider threats constitute a major cause of security breaches in organizations. They are the employees/users of an organization, causing harm by performing any malicious activity. Most of the existing methods to detect insider threats are based on machine and deep learning and have the following limitations: they use predefined rules or stored signatures and fail to detect new or unknown threats; they require explicit feature engineering, which results in more false positives; they require a large amount of training data, and are computationally expensive. In this paper, an improved user behavior-based insider threat detection method is proposed using a hybrid learning approach that overcomes the above limitations. It uses bi-directional long-short-term memory for feature extraction, a feed-forward artificial neural network (using distance measurements) for feature selection, and a support vector machine for classification-normal user or malicious user. The genetic algorithm's fast global search strategy is used for the support vector machine's initial kernel selection. Finally, alerts are generated for each user based on their combined anomaly score. The proposed method is tested using the CMU-CERT r4.2 insider threat dataset, and its performance is evaluated using the following parameters: accuracy, precision, recall, f-measure, and area under curve-receiver operating characteristic curve. The results show a significant improvement over the existing methods.

computer science, information systems,telecommunications, artificial intelligence