Liu,Chao Chen,Jun Zhang,Olivier De Vel,Yang Xiang

DOI: https://doi.org/10.1109/access.2019.2957055

IF: 3.9

2019-01-01

IEEE Access

Abstract:Insider threat detection has drawn increasing attention in recent years. In order to capture a malicious insider’s digital footprints that occur scatteredly across a wide range of audit data sources over a long period of time, existing approaches often leverage a scoring mechanism to orchestrate alerts generated from multiple sub-detectors, or require domain knowledge-based feature engineering to conduct a one-off analysis across multiple types of data. These approaches result in a high deployment complexity and incur additional costs for engaging security experts. In this paper, we present a novel approach that works with a variety of security logs. The security logs are transformed into texts in the same format and then arranged as a corpus. Using the model trained by Word2vec with the corpus, we are enabled to approximate the posterior probabilities for insider behaviours. Accordingly, we label the transformed events as suspicious if their behavioural probabilities are smaller than a given threshold, and a user is labelled as malicious if he/she is associated with multiple suspicious events. The experiments are undertaken with the Carnegie Mellon University (CMU) CERT Programs insider threat database v6.2, which not only demonstrate that the proposed approach is effective and scalable in practical applications but also provide a guidance for tuning the parameters and thresholds.

Qiujian Lv,Yan Wang,Leiqi Wang,Dan Wang

DOI: https://doi.org/10.1109/ICNIDC.2018.8525804

2018-01-01

Abstract:Organizations are experiencing an ever-growing concern of how to identify and defend against insider threats. Existing methods have distinguished the minority of users who show suspicious behavior from the majority of users. However, these methods failed to apply the features reflecting the deviation between the behaviors of users and those of their user groups within the similar job roles. This paper focuses on insider threat detection by conducting both user and role behaviors analysis. It extracts multiple features that represent the details of activities conducted by each user and their deviations from the behaviors of their user groups. The malicious users are then detected by using an unsupervised algorithm, Isolation Forest Algorithm, which evaluates the variance that each user exhibits across multiple attributes, compared against the other users. To evaluate the performance of the proposed models comprehensively, we implement a series of experiments with the data lasting 17 months. We compare the proposed method with an existing state-of-the-art method and the results demonstrate the robust performance of the proposed detection method.

Dongxue Zhang,Yang Zheng,Yu Wen,Yujue Xu,Jingchuo Wang,Yang Yu,Dan Meng

DOI: https://doi.org/10.1145/3267494.3267495

2018-01-01

Abstract:Insider threats have shown their great destructive power in information security and financial stability and have received widespread attention from governments and organizations. Traditional intrusion detection systems fail to be effective in insider attacks due to the lack of extensive knowledge for insider behavior patterns. Instead, a more sophisticated method is required to have a deeper understanding for activities that insiders communicate with the information system. In this paper, we design a classifier, a neural network model utilizing Long Short Term Memory (LSTM) to model user log as a natural language sequence and achieve role-based classification. LSTM Model can learn behavior patterns of different users by automatically extracting feature and detect anomalies when log patterns deviate from the trained model. To illustrate the effective of classification model, we design two experiments based on cmu dataset. Experimental evaluations have shown that our model can successfully distinguish different behavior pattern and detect malicious behavior.

Xihe Jiang,Dan Meng,Fucheng Liu,Dongxue Zhang,Yu Wen,Xinyu Xing

DOI: https://doi.org/10.1145/3319535.3363224

2019-11-06

Abstract:Conventional attacks of insider employees and emerging APT are both major threats for the organizational information system. Existing detections mainly concentrate on users' behavior and usually analyze logs recording their operations in an information system. In general, most of these methods consider sequential relationship among log entries and model users' sequential behavior. However, they ignore other relationships, inevitably leading to an unsatisfactory performance on various attack scenarios. We propose log2vec, a heterogeneous graph embedding based modularized method. First, it involves a heuristic approach that converts log entries into a heterogeneous graph in the light of diverse relationships among them. Next, it utilizes an improved graph embedding appropriate to the above heterogeneous graph, which can automatically represent each log entry into a low-dimension vector. The third component of log2vec is a practical detection algorithm capable of separating malicious and benign log entries into different clusters and identifying malicious ones. We implement a prototype of log2vec. Our evaluation demonstrates that log2vec remarkably outperforms state-of-the-art approaches, such as deep learning and hidden markov model (HMM). Besides, log2vec shows its capability to detect malicious events in various attack scenarios.

Computer Science

Liu Liu,Chao Chen,Jun Zhang,Olivier Y. de Vel,Yang Xiang

DOI: https://doi.org/10.1007/978-3-030-36938-5_2

2019-01-01

Abstract:The insider threat is a significant security concern for both organizations and government sectors. Traditional machine learning-based insider threat detection approaches usually rely on domain focused feature engineering, which is expensive and impractical. In this paper, we propose an autoencoder-based approach aiming to automatically learn the discriminative features of the insider behaviours, thus alleviating security experts from tedious inspection tasks. Specifically, a Word2vec model is trained with a corpus transformed from various security logs to generate event representations. Instead of manually selecting Word2vec model parameters, we develop an autoencoder-based “parameter tuner” for the model to produce an optimal feature set. Then, the detection is undertaken by examining the reconstruction error of an autoencoder for each transformed event using the Carnegie Mellon University (CMU) CERT Programs insider threat database. Experimental results demonstrate that our proposed approach could achieve an extremely low false-positive rate (FPR) with all malicious events identified.

Wei Jiang,Yuan Tian,Weixin Liu,Wenmao Liu

DOI: https://doi.org/10.1007/978-3-030-00828-4_43

2018-01-01

Abstract:Insider threat has always been an important hidden danger of information system security, and the detection of insider threat is the main concern of information system organizers. Before the anomaly detection, the process of feature extraction often causes a part of information loss, and the detection of insider threats in a single time point often causes false positives. Therefore, this paper proposes a user behavior analysis model, by aggregating user behavior in a period of time, comprehensively characterizing user attributes, and then detecting internal attacks. Firstly, the user behavior characteristics are extracted from the multi-domain features extracted from the audit log, and then the XGBoost algorithm is used to train. The experimental results on a user behavior dataset show that the XGBoost algorithm can be used to identify the insider threats. The value of F-measure is up to 99.96% which is better than SVM and random forest algorithm.

Rui Zhang,Xiaojun Chen,Jinqiao Shi,Fei Xu,Yiguo Pu

DOI: https://doi.org/10.1007/978-3-319-11119-3_35

2014-01-01

Abstract:In recent years, the major source of information leakage is due to insiders. In order to detect information leakage by some internal insiders, anomaly detection using individual and community behavior models have been developed. The basic assumption of anomaly detection is each user has his/her own profile of activities and anomaly detection algorithm attempts to identify any deviation from the basic profile by each user. Both models neglected the possibility of change of individual user profile, e.g. change of individual interests. We propose here an anomaly detection model of insider threat using file content. The proposed model uses the document segmentation and Naive Bayes algorithm to classify the contents of files in an organization. We then set up the correlation matrices between users and their interests, and also the user community and their interests. We then propose a comprehensive model to detect the insider threat, which takes into consideration of the deviations of individual users' current behaviors, their historical behaviors and their associated community behaviors simultaneously. According to the experimental test results, the proposed model can successfully detect the anomaly access to files in the internal systems.

Singh, Malvika,Mehtre, B. M.,Sangeetha, S.,Govindaraju, Venu

DOI: https://doi.org/10.1007/s12652-023-04581-1

IF: 3.662

2023-03-06

Journal of Ambient Intelligence and Humanized Computing

Abstract:Insider threats constitute a major cause of security breaches in organizations. They are the employees/users of an organization, causing harm by performing any malicious activity. Most of the existing methods to detect insider threats are based on machine and deep learning and have the following limitations: they use predefined rules or stored signatures and fail to detect new or unknown threats; they require explicit feature engineering, which results in more false positives; they require a large amount of training data, and are computationally expensive. In this paper, an improved user behavior-based insider threat detection method is proposed using a hybrid learning approach that overcomes the above limitations. It uses bi-directional long-short-term memory for feature extraction, a feed-forward artificial neural network (using distance measurements) for feature selection, and a support vector machine for classification-normal user or malicious user. The genetic algorithm's fast global search strategy is used for the support vector machine's initial kernel selection. Finally, alerts are generated for each user based on their combined anomaly score. The proposed method is tested using the CMU-CERT r4.2 insider threat dataset, and its performance is evaluated using the following parameters: accuracy, precision, recall, f-measure, and area under curve-receiver operating characteristic curve. The results show a significant improvement over the existing methods.

computer science, information systems,telecommunications, artificial intelligence

Bin Lv,Dan Wang,Yan Wang,Qiujian Lv,Dan Lu

DOI: https://doi.org/10.1007/978-3-319-94268-1_28

2018-01-01

Abstract:Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many people. A number of techniques have been proposed to detect insider threats by comparing behaviors among different individuals or by comparing the behaviors across different time periods of the same individual. However, both of them always fail to identify the certain kinds of inside threats due to the fact that the behaviors of insider threats are complex and diverse. To deal with this issue, this paper focuses on constructing a hybrid model to detect insider threats based on multi-dimensional features. First, an Across-Domain Anomaly Detection (ADAD) model is proposed to identify anomalous behaviors that deviate from the behaviors of their peers based on the isolation Forest algorithm. Second, an Across-Time Anomaly Detection (ATAD) model is proposed to measure the degree of unusual changes of a user's behavior based on an improved Markov model. What's more, we propose a hybrid model to integrate the evidence from the above two models ADAD and ATAD. To evaluate the performance of the proposed models comprehensively, we implement a series of experiments with the 17-month data. The experimental results show that the ADAD and ATAD models are robust and the hybrid model can outperform the two separated models obviously.

Chunrui Zhang,Shen Wang,Dechen Zhan,Tingyue Yu,Tiangang Wang,Mingyong Yin

DOI: https://doi.org/10.1155/2021/4148441

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:Recent studies have highlighted that insider threats are more destructive than external network threats. Despite many research studies on this, the spatial heterogeneity and sample imbalance of input features still limit the effectiveness of existing machine learning-based detection methods. To solve this problem, we proposed a supervised insider threat detection method based on ensemble learning and self-supervised learning. Moreover, we propose an entity representation method based on TF-IDF to improve the detection effect. Experimental results show that the proposed method can effectively detect malicious sessions in CERT4.2 and CERT6.2 datasets, where the AUCs are 99.2% and 95.3% in the best case.

Kexiong Fei,Jiang Zhou,Yucan Zhou,Xiaoyan Gu,Haihui Fan,Bo Li,Weiping Wang,Yong Chen

DOI: https://doi.org/10.1016/j.cose.2024.104126

IF: 5.105

2024-09-21

Computers & Security

Abstract:Insider threats have increasingly become a critical issue that modern enterprises and organizations faced. They are mainly initiated by insider attackers, which may cause disastrous impacts. Numerous research studies have been conducted for insider threat detection. However, most of them are limited due to a small number of malicious samples. Moreover, as existing methods often concentrate on feature information or statistical characteristics for anomaly detection, they still lack effective use of comprehensive textual content information contained in logs and thus will affect detection efficiency. We propose LaAeb , a novel unsupervised insider threat detection framework that leverages rich linguistic information in log contents to enable conventional methods, such as an Isolation Forest-based anomaly detection, to better detect insider threats besides using various features and statistical information. To find malicious acts under different scenarios, we consider three patterns of insider threats, including attention , emotion , and behavior anomaly . The attention anomaly detection analyzes textual contents of operation objects (e.g., emails and web pages) in logs to detect threats, where the textual information reflects the areas that employees focus on. When the attention seriously deviates from daily work, an employee may involve malicious acts. The emotion anomaly detection analyzes all dialogs between every two employees' daily communicated texts and uses the degree of negative to find potential psychological problems. The behavior anomaly detection analyzes the operations of logs to detect threats. It utilizes information acquired from attention and emotion anomalies as ancillary features, integrating them with features and statistics extracted from log operations to create log embeddings. With these log embeddings, LaAeb employs anomaly detection algorithm like Isolation Forest to analyze an employee's malicious operations, and further detects the employee's behavior anomaly by considering all employees' acts in the same department. Finally, LaAeb consolidates detection results of three patterns indicative of insider threats in a comprehensive manner. We implement the prototype of LaAeb and test it on CERT and LANL datasets. Our evaluations demonstrate that compared with state-of-the-art unsupervised methods, LaAeb reduces FPR by 50% to reach 0.05 on CERT dataset under the same AUC (0.93) , and gets the best AUC (0.97) with 0.06 higher value on LANL dataset.

computer science, information systems

Pratik Chattopadhyay,Lipo Wang,Yap-Peng Tan

DOI: https://doi.org/10.1109/tcss.2018.2857473

2018-09-01

IEEE Transactions on Computational Social Systems

Abstract:An insider threat scenario refers to the outcome of a set of malicious activities caused by intentional or unintentional misuse of the organization’s systems, networks, data, and resources. Prevention of insider threat is difficult, since trusted partners of the organization are involved in it, who have authorized access to these confidential/sensitive resources. The state-of-the-art research on insider threat detection mostly focuses on developing unsupervised behavioral anomaly detection techniques with the objective of finding out anomalousness or abnormal changes in user behavior over time. However, an anomalous activity is not necessarily malicious that can lead to an insider threat scenario. As an improvement to the existing approaches, we propose a technique for insider threat detection from time-series classification of user activities. Initially, a set of single-day features is computed from the user activity logs. A time-series feature vector is next constructed from the statistics of each single-day feature over a period of time. The label of each time-series feature vector (whether malicious or nonmalicious) is extracted from the ground truth. To classify the imbalanced ground-truth insider threat data consisting of only a small number of malicious instances, we employ a cost-sensitive data adjustment technique that undersamples the nonmalicious class instances randomly. As a classifier, we employ a two-layered deep autoencoder neural network and compare its performance with other popularly used classifiers: random forest and multilayer perceptron. Encouraging results are obtained by evaluating our approach using the CMU Insider Threat Data, which is the only publicly available insider threat data set consisting of about 14-GB web-browsing logs, along with logon, device connection, file transfer, and e-mail log files. We observe that both deep autoencoder and random forest classifiers classify the data-adjusted time-series feature set with high precision, recall, and f-score. Although multilayer perceptron has a high recall, it suffers from a lower precision and f-score compared to the other two classifiers.

Xuebin Wang,Qingfeng Tan,Jinqiao Shi,Shen Su,Meiqi Wang

DOI: https://doi.org/10.1109/dsc.2018.00077

2018-01-01

Abstract:With the rapid development of information technology, office automation is continuously improving. The data leakage problem resulting from insider threats is getting worse, legitimate users may abuse privileges or masquerade as other users, which may result in the loss of data. In this paper, a new data-centric approach is proposed to detect insider threat, which based on characterizing user behavior by extracting the features of user interaction behavior including keystroke dynamics and consecutive queries to model users' access patterns. Statistical learning algorithms are trained and tested from opening dataset to predict abnormal behavior patterns; experimental results indicate that the approach is very effective and accurate.

nitin v kanaskar,jiang bian,remzi seker,mais nijim,nuri yilmazer

DOI: https://doi.org/10.1109/SYSCON.2011.5929116

2011-01-01

Abstract:Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

Zhiyuan Wei,Usman Rauf,Fadi Mohsen,Wei, Zhiyuan,Rauf, Usman,Mohsen, Fadi

DOI: https://doi.org/10.1007/s12243-024-01023-7

2024-04-04

Annals of Telecommunications

Abstract:Insider threats refer to harmful actions carried out by authorized users within an organization, posing the most damaging risks. The increasing number of these threats has revealed the inadequacy of traditional methods for detecting and mitigating insider threats. These existing approaches lack the ability to analyze activity-related information in detail, resulting in delayed detection of malicious intent. Additionally, current methods lack advancements in addressing noisy datasets or unknown scenarios, leading to under-fitting or over-fitting of the models. To address these, our paper presents a hybrid insider threat detection framework. We not only enhance prediction accuracy by incorporating a layer of statistical criteria on top of machine learning-based classification but also present optimal parameters to address over/under-fitting of models. We evaluate the performance of our framework using a real-life threat test dataset (CERT r4.2) and compare it to existing methods on the same dataset (Glasser and Lindauer 2013). Our initial evaluation demonstrates that our proposed framework achieves an accuracy of 98.48% in detecting insider threats, surpassing the performance of most of the existing methods. Additionally, our framework effectively handles potential bias and data imbalance issues that can arise in real-life scenarios.

telecommunications

Preetam Pal,Pratik Chattopadhyay,Mayank Swarnkar

DOI: https://doi.org/10.1016/j.eswa.2023.119925

IF: 8.5

2023-03-23

Expert Systems with Applications

Abstract:Nowadays, insider attacks are emerging as one of the top cybersecurity threats. However, the detection of insider threats is a more arduous task for many reasons. A significant cause is the availability of various data types related to insider activities and their possible behavioral drift. Another major reason is that threat activities rarely happen within any organizational environment and usually remain submerged within a massive amount of normal activities thereby creating data imbalance issues. Any insider threat event requires three major components to get materialized: proper motivation, suitable opportunity and a minimum skill set. The simultaneous occurrence of all these elements is rarely found in organizational environment compared to regular activity traits, and the data imbalance thus caused makes accurate detection of threat activities quite challenging. Existing insider threat detection techniques are mainly divided into statistical rule-based, machine learning-based, and deep learning-based methods. Although recent deep learning methods have been found to extract intrinsic behavioral properties from users' activity patterns more effectively than traditional rule-based and machine-learning methods by utilizing their multilayer architecture. But sporadic approaches prioritize critical sections of activity patterns in their detection scheme. Also, rare methods focused on taking advantage of multiple deep learning-based feature extraction models together in their detection scheme. Finally, rare methods have adequately focused on data imbalance issues, especially over the unequal proportion of different categories of threat instances. In this paper, we proposed an insider threat detection approach using an ensemble of stacked-LSTM and stacked-GRU-based attention models. Our models are first trained on the user's single-day sequential activity logs. Then a stacked ensemble of trained attention models is used to extract the user's single-day activity information in the form of the feature vector, which is finally used for classification. To address the data imbalance issues, we propose a new equally-weighted random sampling approach for balancing the population of the different categories of threat patterns. We randomly undersample the nonmalicious instances followed by random oversampling of the different categories of threat instances in an equally-weighted manner so that the training models can learn the behavioral characteristics of the different types of insider activity instances without getting biased towards any particular type, which is a major limitation of random oversampling and random undersampling-based techniques. Experiments have been performed on the different versions of the CMU CERT insider threat datasets. For robust evaluation, stratified division-based train-test sets have been used based on different categories of insider activities. An average AUC of 0.99 on CMU CERT v4.2 and v5.2 datasets and 0.97 on its v6.2 dataset shows the robustness of the proposed approach in detecting insider threats.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Zhihong Tian,Wei Shi,Zhiyuan Tan,Jing Qiu,Yanbin Sun,Feng Jiang,Yan Liu

DOI: https://doi.org/10.1007/s11036-020-01656-7

2020-10-09

Mobile Networks and Applications

Abstract:Organizations' own personnel now have a greater ability than ever before to misuse their access to critical organizational assets. Insider threat detection is a key component in identifying rare anomalies in context, which is a growing concern for many organizations. Existing perimeter security mechanisms are proving to be ineffective against insider threats. As a prospective filter for the human analysts, a new deep learning based insider threat detection method that uses the Dempster-Shafer theory is proposed to handle both accidental as well as intentional insider threats via organization's channels of communication in real time. The long short-term memory (LSTM) architecture together with multi-head attention mechanism is applied in this work to detect anomalous network behavior patterns. Furthermore, belief is updated with Dempster's conditional rule and utilized to fuse evidence to achieve enhanced prediction. The CERT Insider Threat Dataset v6.2 is used to train the behavior model. Through performance evaluation, our proposed method is proven to be effective as an insider threat detection technique.

computer science, information systems,telecommunications, hardware & architecture

Shihong Zou,Huizhong Sun,Guosheng Xu,Ruijie Quan

DOI: https://doi.org/10.32604/cmc.2020.09649

2020-01-01

Abstract:In the information era, the core business and confidential information of enterprises/organizations is stored in information systems. However, certain malicious inside network users exist hidden inside the organization; these users intentionally or unintentionally misuse the privileges of the organization to obtain sensitive information from the company. The existing approaches on insider threat detection mostly focus on monitoring, detecting, and preventing any malicious behavior generated by users within an organization's system while ignoring the imbalanced ground-truth insider threat data impact on security. To this end, to be able to detect insider threats more effectively, a data processing tool was developed to process the detected user activity to generate information -use events, and formulated a Data Adjustment (DA) strategy to adjust the weight of the minority and majority samples. Then, an efficient ensemble strategy was utilized, which applied the extreme gradient boosting (XGBoost) model combined with the DA strategy to detect anomalous behavior. The CERT dataset was used for an insider threat to evaluate our approach, which was a real-world dataset with artificially injected insider threat events. The results demonstrated that the proposed approach can effectively detect insider threats, with an accuracy rate of 99.51% and an average recall rate of 98.16%. Compared with other classifiers, the detection performance is improved by 8.76%.

Junhong Kim,Minsik Park,Haedong Kim,Suhyoun Cho,Pilsung Kang,Kim,Park,Kim,Cho,Kang

DOI: https://doi.org/10.3390/app9194018

2019-09-25

Applied Sciences

Abstract:Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization’s system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user’s daily activity summary, e-mail contents topic distribution, and user’s weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts’ knowledge is provided.

Weiyu He,Xu Wu,Jingchen Wu,Xiaqing Xie,Lirong Qiu,Lijuan Sun

DOI: https://doi.org/10.1109/dsc53577.2021.00089

2021-10-01

Abstract:Insider threat makes enterprises or organizations suffer from the loss of property and the negative influence of reputation. User behavior analysis is the mainstream method of insider threat detection, but due to the lack of fine-grained detection and the inability to effectively capture the behavior patterns of individual users, the accuracy and precision of detection are insufficient. To solve this problem, this paper designs an insider threat detection method based on user historical behavior and attention mechanism, including using Long Short Term Memory (LSTM) to extract user behavior sequence information, using Attention-based on user history behavior (ABUHB) learns the differences between different user behaviors, uses Bidirectional-LSTM (Bi-LSTM) to learn the evolution of different user behavior patterns, and finally realizes fine-grained user abnormal behavior detection. To evaluate the effectiveness of this method, experiments are conducted on the CMU-CERT Insider Threat Dataset. The experimental results show that the effectiveness of this method is 3.1% to 6.3% higher than that of other comparative model methods, and it can detect insider threats in different user behaviors with fine granularity.