Temporal feature aggregation with attention for insider threat detection from activity logs

Preetam Pal, Pratik Chattopadhyay, Mayank Swarnkar
DOI: https://doi.org/10.1016/j.eswa.2023.119925
IF: 8.5
2023-03-23
Expert Systems with Applications
Abstract: Nowadays, insider attacks are emerging as one of the top cybersecurity threats. However, detecting insider threats is an arduous task for many reasons. A significant cause is the variety of data types related to insider activities and their possible behavioral drift. Another major reason is that threat activities rarely happen within an organizational environment and usually remain submerged in a massive volume of normal activities, thereby creating data imbalance issues. Any insider threat event requires three major components to materialize: proper motivation, a suitable opportunity and a minimum skill set. The simultaneous occurrence of all these elements is rarely found in an organizational environment compared to regular activity traits, and the resulting data imbalance makes accurate detection of threat activities quite challenging. Existing insider threat detection techniques are mainly divided into statistical rule-based, machine learning-based, and deep learning-based methods. Although recent deep learning methods have been found to extract intrinsic behavioral properties from users' activity patterns more effectively than traditional rule-based and machine learning methods by utilizing their multilayer architecture, only sporadic approaches prioritize critical sections of activity patterns in their detection scheme. Likewise, few methods have taken advantage of multiple deep learning-based feature extraction models together in their detection scheme. Finally, few methods have adequately addressed data imbalance issues, especially the unequal proportion of different categories of threat instances. In this paper, we propose an insider threat detection approach using an ensemble of stacked-LSTM and stacked-GRU-based attention models. Our models are first trained on each user's single-day sequential activity logs. Then a stacked ensemble of the trained attention models is used to extract the user's single-day activity information in the form of a feature vector, which is finally used for classification. To address the data imbalance issues, we propose a new equally-weighted random sampling approach for balancing the population of the different categories of threat patterns. We randomly undersample the non-malicious instances and then randomly oversample the different categories of threat instances in an equally-weighted manner, so that the training models can learn the behavioral characteristics of the different types of insider activity instances without becoming biased towards any particular type, which is a major limitation of plain random oversampling and random undersampling techniques. Experiments have been performed on different versions of the CMU CERT insider threat datasets. For robust evaluation, stratified train-test splits have been used based on the different categories of insider activities. An average AUC of 0.99 on the CMU CERT v4.2 and v5.2 datasets and 0.97 on the v6.2 dataset shows the robustness of the proposed approach in detecting insider threats.
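The equally-weighted random sampling step described in the abstract, as an added Python example that is not the authors' code: the benign and per-category threat target sizes are assumed parameters (the abstract does not fix them), and the per-day dataset is constructed for the demo.

```python
import random
from collections import defaultdict

def class_counts(labels):
    """Return {label: count} for a label list."""
    counts = {}
    for y in labels:
        counts[y] = counts.get(y, 0) + 1
    return counts

def equally_weighted_resample(samples, labels, benign_target, threat_target,
                              benign_label=0, seed=0):
    """Two-stage balancing of an insider-threat training set.

    1. Randomly undersample the benign (non-malicious) class without
       replacement down to `benign_target` instances.
    2. Randomly oversample every threat category with replacement up to the
       same `threat_target` count, so each category carries equal weight
       no matter how rare it was originally.
    Target sizes are free parameters here (assumption: not fixed by the
    abstract). Returns shuffled (samples, labels).
    """
    rng = random.Random(seed)
    by_class = defaultdict(list)
    for x, y in zip(samples, labels):
        by_class[y].append(x)
    threat_classes = sorted(c for c in by_class if c != benign_label)
    if benign_label not in by_class or not threat_classes:
        raise ValueError("need both benign and threat instances")
    benign_pool = by_class[benign_label]
    # stage 1: undersample benign; never ask for more than exist
    out = [(x, benign_label)
           for x in rng.sample(benign_pool, min(benign_target, len(benign_pool)))]
    # stage 2: equally weighted oversampling of each threat category
    for c in threat_classes:
        pool = by_class[c]
        out.extend((rng.choice(pool), c) for _ in range(threat_target))
    rng.shuffle(out)
    xs, ys = zip(*out) if out else ((), ())
    return list(xs), list(ys)

# Constructed toy data: one item per (user, day) single-day activity sequence.
# Label 0 = benign day, labels 1..3 = three threat scenario categories with
# the kind of skew seen in CERT-style logs (counts are invented for the demo).
TOY_SAMPLES = ([f"benign-{i}" for i in range(1000)] + [f"s1-{i}" for i in range(30)]
               + [f"s2-{i}" for i in range(6)] + [f"s3-{i}" for i in range(2)])
TOY_LABELS = [0] * 1000 + [1] * 30 + [2] * 6 + [3] * 2

if __name__ == "__main__":
    xs, ys = equally_weighted_resample(TOY_SAMPLES, TOY_LABELS, 100, 50)
    print(class_counts(TOY_LABELS), "->", class_counts(ys))
```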
Subject categories: computer science, artificial intelligence; engineering, electrical & electronic; operations research & management science