A New Take on Detecting Insider Threats

Rashid, Tabish; Agrafiotis, Ioannis; Nurse, Jason R. C.

doi:10.1145/2995959.2995964

Cited by 114 publications

(22 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It should be noted here that the results are obtained from a single trained model on numerical data in each data types, instead of a model for each user on sequential data as in HMM‐based approaches 21,22 . The obtained results are also comparable with what achieved using HMM (on CERT r4.2 weekly data) in Rashid et al 21 and Le and Zincir‐Heywood 22 . Furthermore, the anomaly detection models make no assumptions about the “purity” of the training data, unlike one class SVM‐based approaches.…”

Section: Evaluation and Resultssupporting

confidence: 68%

“…Gavai et al applied different machine learning‐based methods on organizational activity data for anomaly and quitter detection, 17 which are considered the indicators of potential insider‐related activities. More recently, Rashid et al used HMMs to model users' weekly activity sequences and detect possible insider threats from the subtle changes in weekly user activities, which are indicated by HMM probabilities (of user sequences) that are lower than a given threshold 21 . Self‐organizing maps, another unsupervised learning algorithm, has been used in Le and Zincir‐Heywood 22 for clustering and visualization of normal and insider user activities.…”

Section: Related Workmentioning

confidence: 99%

“…In the following, we present two methods that are employed for modelling user data and generating the distance metric: autoencoder‐based and distance distribution‐based outlier detection. The methods are popularly applied on the numerical data format extracted in this work, 32 unlike HMM, which require a sequential data format 21,22 . Furthermore, with the assumption that normal user data accounts for the vast majority of data, 41 the employed methods make no requirements on training data label; that is, all of the data can be used for training as opposed to strictly “normal” data.…”

Section: System Overviewmentioning

confidence: 99%

See 2 more Smart Citations

Exploring anomalous behaviour detection and classification for insider threat identification

Zincir-Heywood

2020

Int J Network Mgmt

View full text Add to dashboard Cite

Summary Recently, malicious insider threats represent one of the most damaging threats to companies and government agencies. Insider threat detection is a highly skewed data analysis problem, where the huge class imbalance makes the adaptation of learning algorithms to the real‐world context very difficult. This study proposes a new system for user‐centred machine learning‐based anomaly behaviour and insider threat detection on multiple data granularity levels. System evaluations and analysis are performed not only on individual data instances but also on normal and malicious users. Our results show that the proposed system, which is a combination of unsupervised anomaly detection and supervised machine learning methods, can learn from unlabelled data and a very small amount of labelled data. Furthermore, it can generalize to bigger datasets for detecting anomalous behaviours and unseen malicious insiders with a high detection and a low false‐positive rate.

show abstract

Section: Evaluation and Resultssupporting

confidence: 68%

Section: Related Workmentioning

confidence: 99%

Section: System Overviewmentioning

confidence: 99%

See 1 more Smart Citation

Exploring anomalous behaviour detection and classification for insider threat identification

Zincir-Heywood

2020

Int J Network Mgmt

View full text Add to dashboard Cite

show abstract

“…If the data had a large edit distance from all patterns in the dictionaries, it was detected as an anomaly. In other anomaly detection approaches, the sequences of insiders acts are modeled to detect any deviations from such sequences [30,31]. The authors in [31] employed a Hidden Markov Model to model the sequences of normal users acts in a weekly basis, thus, any anomalous acts are detected they were considered as potential insider threats.…”

Section: Related Workmentioning

confidence: 99%

An Insider Data Leakage Detection Using One-Hot Encoding, Synthetic Minority Oversampling and Machine Learning Techniques

Al-Shehari

Alsowail

2021

Entropy

View full text Add to dashboard Cite

Insider threats are malicious acts that can be carried out by an authorized employee within an organization. Insider threats represent a major cybersecurity challenge for private and public organizations, as an insider attack can cause extensive damage to organization assets much more than external attacks. Most existing approaches in the field of insider threat focused on detecting general insider attack scenarios. However, insider attacks can be carried out in different ways, and the most dangerous one is a data leakage attack that can be executed by a malicious insider before his/her leaving an organization. This paper proposes a machine learning-based model for detecting such serious insider threat incidents. The proposed model addresses the possible bias of detection results that can occur due to an inappropriate encoding process by employing the feature scaling and one-hot encoding techniques. Furthermore, the imbalance issue of the utilized dataset is also addressed utilizing the synthetic minority oversampling technique (SMOTE). Well known machine learning algorithms are employed to detect the most accurate classifier that can detect data leakage events executed by malicious insiders during the sensitive period before they leave an organization. We provide a proof of concept for our model by applying it on CMU-CERT Insider Threat Dataset and comparing its performance with the ground truth. The experimental results show that our model detects insider data leakage events with an AUC-ROC value of 0.99, outperforming the existing approaches that are validated on the same dataset. The proposed model provides effective methods to address possible bias and class imbalance issues for the aim of devising an effective insider data leakage detection system.

show abstract

“…al. [5] proposed a novel method to detect insider threats by using Hidden Markov Model (HMM). Given the user computer usage logs which contains detailed information about login / logoff, web access, USB connection, and email, they transform those logs to simple integer sequences by categorizing to seven event types.…”

Section: Related Workmentioning

confidence: 99%

Against Insider Threats with Hybrid Anomaly Detection with Local-Feature Autoencoder and Global Statistics (LAGS)

Jang

Ryu

Kim

et al. 2020

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Internal user threats such as information leakage or system destruction can cause significant damage to the organization, however it is very difficult to prevent or detect this attack in advance. In this paper, we propose an anomaly-based insider threat detection method with local features and global statistics over the assumption that a user shows different patterns from regular behaviors during harmful actions. We experimentally show that our detection mechanism can achieve superior performance compared to the state of the art approaches for CMU CERT dataset.

show abstract

A New Take on Detecting Insider Threats

Abstract: The version in the Kent Academic Repository may differ from the final published version. Users are advised to check http://kar.kent.ac.uk for the status of the paper. Users should always cite the published version of record.

Cited by 114 publications

References 18 publications

Exploring anomalous behaviour detection and classification for insider threat identification

Exploring anomalous behaviour detection and classification for insider threat identification

An Insider Data Leakage Detection Using One-Hot Encoding, Synthetic Minority Oversampling and Machine Learning Techniques

Against Insider Threats with Hybrid Anomaly Detection with Local-Feature Autoencoder and Global Statistics (LAGS)

Contact Info

Product

Resources

About