User Behavior Profiling using Ensemble Approach for Insider Threat Detection

Singh, Malvika; Mehtre, Babu M.; Sangeetha, S.

doi:10.1109/isba.2019.8778466

Cited by 25 publications

(14 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…De-noising autoencoders has been used for encoding user log file in [24], while anomalous data has been identified using integrated methods like GMM, buck covariance, OCSVM, isolation forest and local outlier factor. In [29] Multi State Long Short Term Memory (MSLSTM) and CNN based hybrid ML approach has been introduced which works by using time series anomaly detection method for outlier detection in user behavioral patterns. Aspect based sentiment analysis and social network information of the user using hybrid DL techniques such as Gated Recurrent Unit (GRU) and skipgram are proposed in [30] to detect insider threat.…”

Section: User Behavior Based Insider Detection Techniquesmentioning

confidence: 99%

“…It is also observed that most Role based or Behavior based techniques produce significant quantitative results as compared to graph based and other techniques. The most widely used technique is LSTM [5], [10], [14], [19], [29], [32]. Another widely used technique is Deep AutoEncoders [4], [24], it has the ability to be used on real valued datasets and are quick & concise.…”

Section: A Comparative Study Of Existing Techniquesmentioning

confidence: 99%

See 1 more Smart Citation

Behavioral Based Insider Threat Detection Using Deep Learning

et al. 2021

View full text Add to dashboard Cite

The most detrimental cyber attacks are usually not originated by malicious outsiders or malware but from trusted insiders. The main advantage insider attackers have over external elements is their ability to bypass security checks and remain undiscovered, this may cause serious damage to the organizational assets.This paper focuses on insider threat detection through behavioral analysis of users. User behavior is categorized as normal or malicious based on user activity. A series of events and activities are analyzed for feature selection to efficiently detect adversarial behavior. Selected feature vectors are used for model training during the implementation phase. A deep learning based approach is proposed that detects insiders with greater accuracy and low false positive rate. A rich event / user role based feature set containing Logon/Logoff events, User_role, Functional_unit etc are used for detection. The dataset used is the CMU CERT synthetic insider threat dataset r4.2. Performance of our proposed algorithm has been compared to other well-known techniques i.e. long short term Memory-convolutional neural network, random forest, long short term memory-recurrent neural network, one class support vector machine , Markov chain model,multi state long short term memory & convolutional neural network, gated recurrent unit & skipgram. The comparison proved that our novel approach produces relatively good accuracy( 90.60%), precision(97%) and F1 Score (94%).

show abstract

Section: User Behavior Based Insider Detection Techniquesmentioning

confidence: 99%

Section: A Comparative Study Of Existing Techniquesmentioning

confidence: 99%

Behavioral Based Insider Threat Detection Using Deep Learning

et al. 2021

View full text Add to dashboard Cite

show abstract

“…A abordagem proposta compreendeu a extração automatizada de recursos usando Word2vec e detecção de ameaças internas usando um codificador automático. E, finalmente, [Singh et al 2019] também abordaram a questão da ameaça interna, como propuseram [Liu et al 2019], entretanto estes autores ofereceram uma proposta que consiste em um LSTM modificado como LSTM de vários estados, sendo semelhante ao Processamento de Linguagem Natural (PLN) para aprender a linguagem de comportamento do usuário.…”

Section: Trabalhos Realizadosunclassified

“…Da análise dos trabalhos relacionados com o uso de ML em DLPS para detecção de exfiltração de dados, pode-se perceber que ainda não existem trabalhos que identifiquem o uso do HDFS em proveito de uma ação hacker, apesar da existência desta lacuna de estudo, conforme apresentada na subseção "Segurança em HDFS". Ainda assim, os trabalhos de [Liu et al 2019] e [Singh et al 2019] apresentaram abordagens relacionadas a ameças internas e em comparação com este framework, a diferença existe na origem do emissor, pois nesta pesquisa, aborda-se a ação de malware de exfiltração e não a ação de usuários mal intencionados. Entretanto, a pesquisa de [Singh et al 2019] apresenta o uso de dados em claro, sendo esta possibilidade descartada neste framework, pois o conteúdo internoé criptografado, restando apenas a possibilidade de análise de metadados.…”

Section: Framework Para Detecção De Exfiltração Em Hdfs Baseado Em Dlpsunclassified

DLPS baseado em Deep Learning: Nova Abordagem para Detecção de Exfiltração em HDFS

Martins

Weigang

García

et al. 2021

Anais Do X Brazilian Workshop on Social Network Analysis and Mining (BraSNAM 2021)

View full text Add to dashboard Cite

Este artigo descreve segurança cibernética aplicada a Mídias Sociais com ênfase no uso de HDFS para armazenamento e processamento de grandes volumes de dados. O objetivo foi desenvolver um framework de DLPS baseado em ML que melhore a precisão na identificação de vazamento de dados em estruturas de HDFS. Assim, identificou-se as principais categorias de abordagens em segurança cibernética, no âmbito de HDFS, em comparação com Framework MITRE ATT&CK. Lacunas de pesquisas foram identificadas, em trabalhos realizados envolvendo DLPS e Machine Learning, oferecendo a necessidade do desenvolvimento de soluções correlacionadas. Um framework baseado em Deep Learning aplicado aos metadados e logs do Hadoop é proposto como solução para melhorar a detecção de exfiltração.

show abstract

“…GUI interactions, including keyboard activity and mouse movements were modeled via SVM in [85] and random forest applied to Microsoft Word interactions in [86]. Recurrent and convolutional neural networks were employed in [87] to model the temporal behavior of various user behaviors, like logon times, and types of applications and amounts of data accessed, to detect anomalies. These models perform comparably the collection of methods discussed in [88].…”

Section: Host-based Indicatorsmentioning

confidence: 99%

Role-based lateral movement detection with unsupervised learning

Powell¹

2021

Preprint

View full text Add to dashboard Cite

Adversarial lateral movement via compromised accounts remains difficult to discover via traditional rule-based defenses because it generally lacks explicit indicators of compromise. We propose a behavior-based, unsupervised framework comprising two methods of lateral movement detection on enterprise networks: one aimed at generic lateral movement via either exploit or authenticated connections, and one targeting the specific techniques of process injection and hijacking. The first method is based on the premise that the role of a system-the functions it performs on the network-determines the roles of the systems it should make connections with. The adversary meanwhile might move between any systems whatever, possibly seeking out systems with unusual roles that facilitate certain accesses. We use unsupervised learning to cluster systems according to role and identify connections to systems with novel roles as potentially malicious. The second method is based on the premise that the temporal patterns of inter-system processes that facilitate these connections depend on the roles of the systems involved. If a process is compromised by an attacker, these normal patterns might be disrupted in discernible ways. We apply frequent-itemset mining to process sequences to establish regular patterns of communication between systems based on role, and identify rare process sequences as signalling potentially malicious connections.

show abstract

User Behavior Profiling using Ensemble Approach for Insider Threat Detection

Cited by 25 publications

References 8 publications

Behavioral Based Insider Threat Detection Using Deep Learning

Behavioral Based Insider Threat Detection Using Deep Learning

DLPS baseado em Deep Learning: Nova Abordagem para Detecção de Exfiltração em HDFS

Role-based lateral movement detection with unsupervised learning

Contact Info

Product

Resources

About