Hunting for Insider Threats Using LSTM-Based Anomaly Detection

Villarreal-Vasquez, Miguel; Howard, Gaspar Modelo; Dube, Simant; Bhargava, Bharat

doi:10.1109/tdsc.2021.3135639

Cited by 8 publications

(6 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Then, they regard behaviors with significant differences from the predicted results as abnormal behaviors. For example, Villarreal-Vasquez et al (2023) use LSTM to model system event sequences and predict the probability of the next event, with low-probability events being considered anomalous events. A similar approach is also used by Yuan et al (2019).…”

Section: Anomaly-based Detectionmentioning

confidence: 99%

“…Furthermore, we directly compare our scheme with 4 classical or novel anomaly-based insider threat detection schemes, which include the works of Tuor et al (2017), Meng et al (2020), Dr et al (2022), andVillarreal-Vasquez et al (2023). Table 4 shows the experimental results of our scheme and the other 4 schemes on the same CERT v6.2 dataset.…”

Section: Comparison Experiments With Anomaly-based Schemesmentioning

confidence: 99%

“…Thanks to the deep structure, deep learning is considered more suitable for analyzing complex user behaviors. Deep learning techniques currently utilized for detecting insider threats include deep autoencoder (Liu et al 2018;Tuor et al 2017;Chattopadhyay et al 2018), DBN (Lin et al 2017), CNN (Hu et al 2019;Bu and Cho 2020), RNN (Zhang et al 2018;Yuan et al 2019;Tuor et al 2017;Nasir et al 2021;Dr et al 2022;Villarreal-Vasquez et al 2023), Transformer , isomorphic graph representation learning (Jiang et al 2019), heterogeneous graph representation learning (Liu et al 2019), etc. To the best of our knowledge, however, existing deep learningbased insider threat detection studies pay little attention to the behavior time information that has a strong connection to insider threat behaviors, which makes the studies less effective at detecting insider threats.…”

Section: Introductionmentioning

confidence: 99%

“…of Tuor et al (2017), the work ofMeng et al (2020), the work ofDr et al (2022) and the work ofVillarreal-Vasquez et al (2023). There are 2 classification-based baselines, which are the works ofYuan et al (…”

mentioning

confidence: 99%

See 3 more Smart Citations

BRITD: behavior rhythm insider threat detection with time awareness and user adaptation

Song,

Gao,

Zhang

et al. 2024

Cybersecurity

View full text Add to dashboard Cite

Researchers usually detect insider threats by analyzing user behavior. The time information of user behavior is an important concern in internal threat detection. Existing works on insider threat detection fail to make full use of the time information, which leads to their poor detection performance. In this paper, we propose a novel behavioral feature extraction scheme: we implicitly encode absolute time information in the behavioral feature sequences and use a feature sequence construction method taking covariance into account to make our scheme adaptive to users. We select Stacked Bidirectional LSTM and Feedforward Neural Network to build a deep learning-based insider threat detection model: Behavior Rhythm Insider Threat Detection (BRITD). BRITD is universally applicable to various insider threat scenarios, and it has good insider threat detection performance: it achieves an AUC of 0.9730 and a precision of 0.8072 with the CMU CERT dataset, which exceeds all baselines. Graphical Abstract

show abstract

Section: Anomaly-based Detectionmentioning

confidence: 99%

Section: Comparison Experiments With Anomaly-based Schemesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

BRITD: behavior rhythm insider threat detection with time awareness and user adaptation

Song,

Gao,

Zhang

et al. 2024

Cybersecurity

View full text Add to dashboard Cite

show abstract

“…Villarreal-Vasquez et al [29] present LADOHD (LSTMbased Anomaly Detector Over High-dimensional Data), a generic LSTM-based anomaly detection framework to protect against insider threats. The training data contain the behavior of different actors collected by monitoring 30 isolated machines operated in normal situation where no attack was reported during the collection period.…”

Section: Existing Work On Anomaly Detectionmentioning

confidence: 99%

Anomaly Detection in the Key-Management Interoperability Protocol Using Metadata

Baee,

Simpson,

Armstrong

2024

IEEE Open J. Comput. Soc.

View full text Add to dashboard Cite

Large scale enterprise networks often use Enterprise Key-Management (EKM) platforms for unified management of cryptographic keys. In such a system, requests and responses commonly use the Key Management Interoperability Protocol (KMIP) format. The KMIP client and server use Transport Layer Security (TLS) to negotiate a mutually-authenticated connection. Although KMIP traffic is encrypted, monitoring traffic and usage patterns of EKM Systems (EKMS) may enable detection of anomalous (possibly malicious) activity in the enterprise network that is not detectable by other means. Metadata analysis of enterprise system traffic has been widely studied (for example at the TLS protocol level). However, KMIP metadata in EKMS has not been used for anomaly detection. In this paper, we present a framework for automated outlier rejection and anomaly detection. This involves investigation of KMIP metadata, determining characteristics to extract for dataset generation, and looking for patterns from which behaviors can be inferred. For automated labeling and detection, a deep learning-based model is applied to the generated datasets: Long Short-Term Memory (LSTM) auto-encoder neural networks with specific parameters. This generates heuristics based on categories of behavior. As a proof of concept, we simulated an enterprise environment, collected relevant KMIP metadata, and deployed this framework. Although our implementation used QuintessenceLabs EKMS, the framework we proposed is vendor neutral. The experimental results (Precision, Recall, and F1 = 1.0) demonstrate that our framework can accurately detect all anomalous enterprise network activities. This approach could be integrated with other enterprise information to enhance detection capabilities. Further, our proposal can be used as a general-purpose framework for anomaly detection and diagnosis.INDEX TERMS KMIP metadata analysis, deep learning, anomaly detection, enterprise key-management system, framework.

show abstract

M-EOS: modified-equilibrium optimization-based stacked CNN for insider threat detection

Anju,

Krishnamurthy

2024

Wireless Netw

View full text Add to dashboard Cite

Hunting for Insider Threats Using LSTM-Based Anomaly Detection

Cited by 8 publications

References 32 publications

BRITD: behavior rhythm insider threat detection with time awareness and user adaptation

BRITD: behavior rhythm insider threat detection with time awareness and user adaptation

Anomaly Detection in the Key-Management Interoperability Protocol Using Metadata

M-EOS: modified-equilibrium optimization-based stacked CNN for insider threat detection

Contact Info

Product

Resources

About