Rui Zhang,Xiaojun Chen,Jinqiao Shi,Fei Xu,Yiguo Pu

DOI: https://doi.org/10.1007/978-3-319-11119-3_35

2014-01-01

Abstract:In recent years, the major source of information leakage is due to insiders. In order to detect information leakage by some internal insiders, anomaly detection using individual and community behavior models have been developed. The basic assumption of anomaly detection is each user has his/her own profile of activities and anomaly detection algorithm attempts to identify any deviation from the basic profile by each user. Both models neglected the possibility of change of individual user profile, e.g. change of individual interests. We propose here an anomaly detection model of insider threat using file content. The proposed model uses the document segmentation and Naive Bayes algorithm to classify the contents of files in an organization. We then set up the correlation matrices between users and their interests, and also the user community and their interests. We then propose a comprehensive model to detect the insider threat, which takes into consideration of the deviations of individual users' current behaviors, their historical behaviors and their associated community behaviors simultaneously. According to the experimental test results, the proposed model can successfully detect the anomaly access to files in the internal systems.

nitin v kanaskar,jiang bian,remzi seker,mais nijim,nuri yilmazer

DOI: https://doi.org/10.1109/SYSCON.2011.5929116

2011-01-01

Abstract:Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

Qiujian Lv,Yan Wang,Leiqi Wang,Dan Wang

DOI: https://doi.org/10.1109/ICNIDC.2018.8525804

2018-01-01

Abstract:Organizations are experiencing an ever-growing concern of how to identify and defend against insider threats. Existing methods have distinguished the minority of users who show suspicious behavior from the majority of users. However, these methods failed to apply the features reflecting the deviation between the behaviors of users and those of their user groups within the similar job roles. This paper focuses on insider threat detection by conducting both user and role behaviors analysis. It extracts multiple features that represent the details of activities conducted by each user and their deviations from the behaviors of their user groups. The malicious users are then detected by using an unsupervised algorithm, Isolation Forest Algorithm, which evaluates the variance that each user exhibits across multiple attributes, compared against the other users. To evaluate the performance of the proposed models comprehensively, we implement a series of experiments with the data lasting 17 months. We compare the proposed method with an existing state-of-the-art method and the results demonstrate the robust performance of the proposed detection method.

Xiao Zhang,Yutong Meng

DOI: https://doi.org/10.1038/s41598-024-68315-9

IF: 4.6

2024-08-02

Scientific Reports

Abstract:Internal employees have always been at the core of organizational security management challenges. Once an employee exhibits behaviors that threaten the organization, the resulting damage can be profound. Therefore, analyzing reasonably stored behavioral data can equip managers with effective threat monitoring and warning solutions. Through data-mining, a knowledge graph for internal threat data is deduced, and models for detecting anomalous behaviors and predicting resignations are developed. Initially, data-mining is employed to model the knowledge ontology of internal threats and construct the knowledge graph; subsequently, using the behavioral characteristics, the BP neural network is optimized with the Sparrow Search Algorithm (SSA), establishing a detection model for anomalous behaviors (SBP); additionally, behavioral sequences are processed through data feature vectorization. Utilizing SBP, the LSTM network is further optimized, creating a predictive model for employee behaviors (SLSTM); ultimately, SBP detects anomalous behaviors, while SLSTM predicts resignation intentions, thus enhancing detection strategies for at-risk employees. The integration of these models forms a comprehensive threat detection technology within the organization. The efficacy and practicality of detecting anomalous behaviors and predicting resignations using SBP and SLSTM are demonstrated, comparing them with other algorithms and analyzing potential causes of misjudgment. This work has enhanced the detection efficiency and update speed of abnormal employee behaviors, lowered the misjudgment rate, and significantly mitigated the impact of internal threats on the organization.

multidisciplinary sciences

Nan Cao,Conglei Shi,Sabrina Lin,Jie Lu,Yu-Ru Lin,Ching-Yung Lin

DOI: https://doi.org/10.1109/tvcg.2015.2467196

IF: 5.2

2015-01-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:Users with anomalous behaviors in online communication systems (e.g. email and social medial platforms) are potential threats to society. Automated anomaly detection based on advanced machine learning techniques has been developed to combat this issue; challenges remain, though, due to the difficulty of obtaining proper ground truth for model training and evaluation. Therefore, substantial human judgment on the automated analysis results is often required to better adjust the performance of anomaly detection. Unfortunately, techniques that allow users to understand the analysis results more efficiently, to make a confident judgment about anomalies, and to explore data in their context, are still lacking. In this paper, we propose a novel visual analysis system, TargetVue, which detects anomalous users via an unsupervised learning model and visualizes the behaviors of suspicious users in behavior-rich context through novel visualization designs and multiple coordinated contextual views. Particularly, TargetVue incorporates three new ego-centric glyphs to visually summarize a user's behaviors which effectively present the user's communication activities, features, and social interactions. An efficient layout method is proposed to place these glyphs on a triangle grid, which captures similarities among users and facilitates comparisons of behaviors of different users. We demonstrate the power of TargetVue through its application in a social bot detection challenge using Twitter data, a case study based on email records, and an interview with expert users. Our evaluation shows that TargetVue is beneficial to the detection of users with anomalous communication behaviors.

Bin Lv,Dan Wang,Yan Wang,Qiujian Lv,Dan Lu

DOI: https://doi.org/10.1007/978-3-319-94268-1_28

2018-01-01

Abstract:Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many people. A number of techniques have been proposed to detect insider threats by comparing behaviors among different individuals or by comparing the behaviors across different time periods of the same individual. However, both of them always fail to identify the certain kinds of inside threats due to the fact that the behaviors of insider threats are complex and diverse. To deal with this issue, this paper focuses on constructing a hybrid model to detect insider threats based on multi-dimensional features. First, an Across-Domain Anomaly Detection (ADAD) model is proposed to identify anomalous behaviors that deviate from the behaviors of their peers based on the isolation Forest algorithm. Second, an Across-Time Anomaly Detection (ATAD) model is proposed to measure the degree of unusual changes of a user's behavior based on an improved Markov model. What's more, we propose a hybrid model to integrate the evidence from the above two models ADAD and ATAD. To evaluate the performance of the proposed models comprehensively, we implement a series of experiments with the 17-month data. The experimental results show that the ADAD and ATAD models are robust and the hybrid model can outperform the two separated models obviously.

Junhong Kim,Minsik Park,Haedong Kim,Suhyoun Cho,Pilsung Kang,Kim,Park,Kim,Cho,Kang

DOI: https://doi.org/10.3390/app9194018

2019-09-25

Applied Sciences

Abstract:Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization’s system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user’s daily activity summary, e-mail contents topic distribution, and user’s weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts’ knowledge is provided.

Guang Yang,Lijun Cai,Yuaimin,Jiangang Ma,Dan Meng,Yu Wu

DOI: https://doi.org/10.1109/bigdataservice.2018.00011

2018-01-01

Abstract:The insider threat continues to be a paramount cyber security challenge that threatens individuals, financial enterprises and governmental organizations. To deter insider threats, traditional detection, which mainly focuses on policy checks and anomaly detection for users' computers and network activities, has been studied widely. However, because insiders have intrinsic authorized access at attack under normal behavior profiles, it is necessary to integrate the attackers' psychological characteristics. This work proposes a novel detection approach for potential malicious insiders based on a comprehensive security psychological model derived from Big-5 and Dark Triad personality traits, overcoming the biased choice and equality hypothesis problems in previous work. Moreover, the threat confidence degree is proposed to identify pseudo abnormal users and to markedly reduce the false positive rate. The experimental results illustrate the effectiveness and feasibility of the proposed approach, which has a very low false negative rate, and lay the foundation for a promising insider threat detection approach that integrates the attackers' psychological traits with the attack-chain characteristics.

Wei Jiang,Yuan Tian,Weixin Liu,Wenmao Liu

DOI: https://doi.org/10.1007/978-3-030-00828-4_43

2018-01-01

Abstract:Insider threat has always been an important hidden danger of information system security, and the detection of insider threat is the main concern of information system organizers. Before the anomaly detection, the process of feature extraction often causes a part of information loss, and the detection of insider threats in a single time point often causes false positives. Therefore, this paper proposes a user behavior analysis model, by aggregating user behavior in a period of time, comprehensively characterizing user attributes, and then detecting internal attacks. Firstly, the user behavior characteristics are extracted from the multi-domain features extracted from the audit log, and then the XGBoost algorithm is used to train. The experimental results on a user behavior dataset show that the XGBoost algorithm can be used to identify the insider threats. The value of F-measure is up to 99.96% which is better than SVM and random forest algorithm.

Diana Haidar,Mohamed Medhat Gaber,Yevgeniya Kovalchuk

DOI: https://doi.org/10.48550/arXiv.1812.00257

2018-12-02

Abstract:Insider threat detection is getting an increased concern from academia, industry, and governments due to the growing number of malicious insider incidents. The existing approaches proposed for detecting insider threats still have a common shortcoming, which is the high number of false alarms (false positives). The challenge in these approaches is that it is essential to detect all anomalous behaviours which belong to a particular threat. To address this shortcoming, we propose an opportunistic knowledge discovery system, namely AnyThreat, with the aim to detect any anomalous behaviour in all malicious insider threats. We design the AnyThreat system with four components. (1) A feature engineering component, which constructs community data sets from the activity logs of a group of users having the same role. (2) An oversampling component, where we propose a novel oversampling technique named Artificial Minority Oversampling and Trapper REmoval (AMOTRE). AMOTRE first removes the minority (anomalous) instances that have a high resemblance with normal (majority) instances to reduce the number of false alarms, then it synthetically oversamples the minority class by shielding the border of the majority class. (3) A class decomposition component, which is introduced to cluster the instances of the majority class into subclasses to weaken the effect of the majority class without information loss. (4) A classification component, which applies a classification method on the subclasses to achieve a better separation between the majority class(es) and the minority class(es). AnyThreat is evaluated on synthetic data sets generated by Carnegie Mellon University. It detects approximately 87.5% of malicious insider threats, and achieves the minimum of false positives=3.36%.

Machine Learning,Cryptography and Security

Yiru Gong,Susu Cui,Song Liu,Bo Jiang,Cong Dong,Zhigang Lu

DOI: https://doi.org/10.1016/j.comnet.2024.110757

IF: 5.493

2024-01-01

Computer Networks

Abstract:Insider threat detection has been a significant topic in recent years. However, as network technology develops, the intranet becomes more complex. Therefore, simply matching attack patterns or using traditional machine learning methods (Logistic Regression, Gaussian-NB, Random Forest, etc.) does not work well. On the other hand, the graph structure can better adapt to intranet data, thus graph-based insider threat detection methods have become mainstream. In order to study the design and effectiveness of graph-based insider threat detection, in this paper, we conduct a systematic and comprehensive survey of existing related research. Specifically, we provide a framework and a taxonomy based on the detection process, classifying existing work from three aspects: data collection, graph construction, and graph anomaly detection. We conduct a quantitative analysis of existing representative graph methods and find that the models with more information have better performance. In particular, we discuss the scalability of existing methods to large-scale networks and their feasibility in real environments. Based on the survey results, we propose 7 pain points in this field and provide specific future research directions. Our survey will provide future researchers with a complete solution.

Weiyu He,Xu Wu,Jingchen Wu,Xiaqing Xie,Lirong Qiu,Lijuan Sun

DOI: https://doi.org/10.1109/dsc53577.2021.00089

2021-10-01

Abstract:Insider threat makes enterprises or organizations suffer from the loss of property and the negative influence of reputation. User behavior analysis is the mainstream method of insider threat detection, but due to the lack of fine-grained detection and the inability to effectively capture the behavior patterns of individual users, the accuracy and precision of detection are insufficient. To solve this problem, this paper designs an insider threat detection method based on user historical behavior and attention mechanism, including using Long Short Term Memory (LSTM) to extract user behavior sequence information, using Attention-based on user history behavior (ABUHB) learns the differences between different user behaviors, uses Bidirectional-LSTM (Bi-LSTM) to learn the evolution of different user behavior patterns, and finally realizes fine-grained user abnormal behavior detection. To evaluate the effectiveness of this method, experiments are conducted on the CMU-CERT Insider Threat Dataset. The experimental results show that the effectiveness of this method is 3.1% to 6.3% higher than that of other comparative model methods, and it can detect insider threats in different user behaviors with fine granularity.

Djordje Mladenovic,Milos Antonijevic,Luka Jovanovic,Vladimir Simic,Miodrag Zivkovic,Nebojsa Bacanin,Tamara Zivkovic,Jasmina Perisic

DOI: https://doi.org/10.1038/s41598-024-77240-w

IF: 4.6

2024-10-30

Scientific Reports

Abstract:This study examines the formidable and complex challenge of insider threats to organizational security, addressing risks such as ransomware incidents, data breaches, and extortion attempts. The research involves six experiments utilizing email, HTTP, and file content data. To combat insider threats, emerging Natural Language Processing techniques are employed in conjunction with powerful Machine Learning classifiers, specifically XGBoost and AdaBoost. The focus is on recognizing the sentiment and context of malicious actions, which are considered less prone to change compared to commonly tracked metrics like location and time of access. To enhance detection, a term frequency-inverse document frequency-based approach is introduced, providing a more robust, adaptable, and maintainable method. Moreover, the study acknowledges the significant impact of hyperparameter selection on classifier performance and employs various contemporary optimizers, including a modified version of the red fox optimization algorithm. The proposed approach undergoes testing in three simulated scenarios using a public dataset, showcasing commendable outcomes.

multidisciplinary sciences

Zhihong Tian,Wei Shi,Zhiyuan Tan,Jing Qiu,Yanbin Sun,Feng Jiang,Yan Liu

DOI: https://doi.org/10.1007/s11036-020-01656-7

2020-10-09

Mobile Networks and Applications

Abstract:Organizations' own personnel now have a greater ability than ever before to misuse their access to critical organizational assets. Insider threat detection is a key component in identifying rare anomalies in context, which is a growing concern for many organizations. Existing perimeter security mechanisms are proving to be ineffective against insider threats. As a prospective filter for the human analysts, a new deep learning based insider threat detection method that uses the Dempster-Shafer theory is proposed to handle both accidental as well as intentional insider threats via organization's channels of communication in real time. The long short-term memory (LSTM) architecture together with multi-head attention mechanism is applied in this work to detect anomalous network behavior patterns. Furthermore, belief is updated with Dempster's conditional rule and utilized to fuse evidence to achieve enhanced prediction. The CERT Insider Threat Dataset v6.2 is used to train the behavior model. Through performance evaluation, our proposed method is proven to be effective as an insider threat detection technique.

computer science, information systems,telecommunications, hardware & architecture

Liu Liu,Chao Chen,Jun Zhang,Olivier De Vel,Yang Xiang

DOI: https://doi.org/10.1109/TrustCom50675.2020.00050

2020-01-01

Abstract:Since insider attacks have been recognised as one of the most critical cyber security threats to an organisation, detection of malicious insiders has received increasing attention in recent years. Previously, we proposed an approach that performs the detection by analysing various security logs with Word2vec, which not only removes the reliance on prior knowledge but also greatly simplifies the process of decision making and improves the interpretability of the alerts. In this paper, following the similar idea, a new Doc2vec based approach is proposed to overcome the previous approach's limitations: (1) the behaviour metrics can be acquired straightforwardly due to the Doc2vec's capability in inferring unseen texts of any length; (2) other than the temporal metrics, some spatial metrics can also be realised, providing a more comprehensive insight into the unusual behaviours; and (3) a range of corpora are produced by adopting different keywords to aggregate, each of which may be suited to a specific type of behaviour metrics. A large number of numerical experiments are conducted using the same benchmark insider threat database, for the purpose of testing how the corpora, metric and training parameters impact on the performance and be related to each other. The experiments demonstrate that the proposed approach can achieve a similar performance with greater simplicity and flexibility.

Kexiong Fei,Jiang Zhou,Yucan Zhou,Xiaoyan Gu,Haihui Fan,Bo Li,Weiping Wang,Yong Chen

DOI: https://doi.org/10.1016/j.cose.2024.104126

IF: 5.105

2024-09-21

Computers & Security

Abstract:Insider threats have increasingly become a critical issue that modern enterprises and organizations faced. They are mainly initiated by insider attackers, which may cause disastrous impacts. Numerous research studies have been conducted for insider threat detection. However, most of them are limited due to a small number of malicious samples. Moreover, as existing methods often concentrate on feature information or statistical characteristics for anomaly detection, they still lack effective use of comprehensive textual content information contained in logs and thus will affect detection efficiency. We propose LaAeb , a novel unsupervised insider threat detection framework that leverages rich linguistic information in log contents to enable conventional methods, such as an Isolation Forest-based anomaly detection, to better detect insider threats besides using various features and statistical information. To find malicious acts under different scenarios, we consider three patterns of insider threats, including attention , emotion , and behavior anomaly . The attention anomaly detection analyzes textual contents of operation objects (e.g., emails and web pages) in logs to detect threats, where the textual information reflects the areas that employees focus on. When the attention seriously deviates from daily work, an employee may involve malicious acts. The emotion anomaly detection analyzes all dialogs between every two employees' daily communicated texts and uses the degree of negative to find potential psychological problems. The behavior anomaly detection analyzes the operations of logs to detect threats. It utilizes information acquired from attention and emotion anomalies as ancillary features, integrating them with features and statistics extracted from log operations to create log embeddings. With these log embeddings, LaAeb employs anomaly detection algorithm like Isolation Forest to analyze an employee's malicious operations, and further detects the employee's behavior anomaly by considering all employees' acts in the same department. Finally, LaAeb consolidates detection results of three patterns indicative of insider threats in a comprehensive manner. We implement the prototype of LaAeb and test it on CERT and LANL datasets. Our evaluations demonstrate that compared with state-of-the-art unsupervised methods, LaAeb reduces FPR by 50% to reach 0.05 on CERT dataset under the same AUC (0.93) , and gets the best AUC (0.97) with 0.06 higher value on LANL dataset.

computer science, information systems

Chunrui Zhang,Shen Wang,Dechen Zhan,Tingyue Yu,Tiangang Wang,Mingyong Yin

DOI: https://doi.org/10.1155/2021/4148441

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:Recent studies have highlighted that insider threats are more destructive than external network threats. Despite many research studies on this, the spatial heterogeneity and sample imbalance of input features still limit the effectiveness of existing machine learning-based detection methods. To solve this problem, we proposed a supervised insider threat detection method based on ensemble learning and self-supervised learning. Moreover, we propose an entity representation method based on TF-IDF to improve the detection effect. Experimental results show that the proposed method can effectively detect malicious sessions in CERT4.2 and CERT6.2 datasets, where the AUCs are 99.2% and 95.3% in the best case.

Xuebin Wang,Qingfeng Tan,Jinqiao Shi,Shen Su,Meiqi Wang

DOI: https://doi.org/10.1109/dsc.2018.00077

2018-01-01

Abstract:With the rapid development of information technology, office automation is continuously improving. The data leakage problem resulting from insider threats is getting worse, legitimate users may abuse privileges or masquerade as other users, which may result in the loss of data. In this paper, a new data-centric approach is proposed to detect insider threat, which based on characterizing user behavior by extracting the features of user interaction behavior including keystroke dynamics and consecutive queries to model users' access patterns. Statistical learning algorithms are trained and tested from opening dataset to predict abnormal behavior patterns; experimental results indicate that the approach is very effective and accurate.

Hui Wang,Guangcan Yang,Shufen Liu,Xing Li

DOI: https://doi.org/10.1109/iccis.2011.214

2011-01-01

Abstract:By monitoring daily behaviors of insiders in enterprise, we can establish the process information model which reflects behavioral characteristic of insiders based on Bayesian learning theory. There will be a warning happened in the system when an insider's behaviors are deviating from the characteristic model. If applying the method to address insider threat, we can effectively improve the security of internal network, and reduce risk & loss from insider threat.

Shihong Zou,Huizhong Sun,Guosheng Xu,Ruijie Quan

DOI: https://doi.org/10.32604/cmc.2020.09649

2020-01-01

Abstract:In the information era, the core business and confidential information of enterprises/organizations is stored in information systems. However, certain malicious inside network users exist hidden inside the organization; these users intentionally or unintentionally misuse the privileges of the organization to obtain sensitive information from the company. The existing approaches on insider threat detection mostly focus on monitoring, detecting, and preventing any malicious behavior generated by users within an organization's system while ignoring the imbalanced ground-truth insider threat data impact on security. To this end, to be able to detect insider threats more effectively, a data processing tool was developed to process the detected user activity to generate information -use events, and formulated a Data Adjustment (DA) strategy to adjust the weight of the minority and majority samples. Then, an efficient ensemble strategy was utilized, which applied the extreme gradient boosting (XGBoost) model combined with the DA strategy to detect anomalous behavior. The CERT dataset was used for an insider threat to evaluate our approach, which was a real-world dataset with artificially injected insider threat events. The results demonstrated that the proposed approach can effectively detect insider threats, with an accuracy rate of 99.51% and an average recall rate of 98.16%. Compared with other classifiers, the detection performance is improved by 8.76%.