An email content-based insider threat detection model using anomaly detection algorithms

Insider Threat Detection Based on User Behavior Modeling and Anomaly Detection Algorithms

Applied Sciences ◽

10.3390/app9194018 ◽

2019 ◽

Vol 9 (19) ◽

pp. 4018 ◽

Cited By ~ 6

Author(s):

Kim ◽

Park ◽

Kim ◽

Cho ◽

Kang

Keyword(s):

Anomaly Detection ◽

User Behavior ◽

Behavior Modeling ◽

Detection Methods ◽

Insider Threat ◽

Threat Detection ◽

Insider Threats ◽

Domain Experts ◽

User Behavior Modeling ◽

Detection Algorithms

Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization’s system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user’s daily activity summary, e-mail contents topic distribution, and user’s weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts’ knowledge is provided.

Download Full-text

Advanced insider threat detection model to apply periodic work atmosphere

KSII Transactions on Internet and Information Systems ◽

10.3837/tiis.2019.03.035 ◽

2019 ◽

Vol 13 (3) ◽

Keyword(s):

Insider Threat ◽

Threat Detection ◽

Detection Model ◽

Work Atmosphere

Download Full-text

An Insider Threat Detection Method Based on Business Process Mining

International Journal of Business Data Communications and Networking ◽

10.4018/ijbdcn.2017070107 ◽

2017 ◽

Vol 13 (2) ◽

pp. 83-98 ◽

Cited By ~ 1

Author(s):

Taiming Zhu ◽

Yuanbo Guo ◽

Ankang Ju ◽

Jun Ma ◽

Xuan Wang

Keyword(s):

Business Process ◽

Process Mining ◽

Detection System ◽

Detection Methods ◽

Insider Threat ◽

Threat Detection ◽

Detection Algorithms ◽

Business Cases ◽

Business Process Mining ◽

And Performance

Current intrusion detection systems are mostly for detecting external attacks, but the “Prism Door” and other similar events indicate that internal staff may bring greater harm to organizations in information security. Traditional insider threat detection methods only consider the audit records of personal behavior and failed to combine it with business activities, which may miss the insider threat happened during a business process. The authors consider operators' behavior and correctness and performance of the business activities, propose a business process mining based insider threat detection system. The system firstly establishes the normal profiles of business activities and the operators by mining the business log, and then detects specific anomalies by comparing the content of real-time log with the corresponding normal profile in order to find out the insiders and the threats they have brought. The relating anomalies are defined and the corresponding detection algorithms are presented. The authors have performed experimentation using the ProM framework and Java programming, with five synthetic business cases, and found that the system can effectively identify anomalies of both operators and business activities that may be indicative of potential insider threat.

Download Full-text

A LSTM-Based Anomaly Detection Model for Log Analysis

Journal of Signal Processing Systems ◽

10.1007/s11265-021-01644-4 ◽

2021 ◽

Author(s):

Zhijun Zhao ◽

Chen Xu ◽

Bo Li

Keyword(s):

Anomaly Detection ◽

Large Scale ◽

Anomalous Behavior ◽

Human Beings ◽

Detection Model ◽

Detection Algorithms ◽

Feature Extracting ◽

Detection Approach ◽

Unsupervised Approach ◽

Malicious Behaviors

AbstractSecurity devices produce huge number of logs which are far beyond the processing speed of human beings. This paper introduces an unsupervised approach to detecting anomalous behavior in large scale security logs. We propose a novel feature extracting mechanism and could precisely characterize the features of malicious behaviors. We design a LSTM-based anomaly detection approach and could successfully identify attacks on two widely-used datasets. Our approach outperforms three popular anomaly detection algorithms, one-class SVM, GMM and Principal Components Analysis, in terms of accuracy and efficiency.

Download Full-text

A General and Expandable Insider Threat Detection System Using Baseline Anomaly Detection and Scenario-Driven Alarm Filters

2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE) ◽

10.1109/trustcom/bigdatase.2018.00110 ◽

2018 ◽

Cited By ~ 1

Author(s):

Guang Yang ◽

Lijun Cai ◽

Aimin Yu ◽

Dan Meng

Keyword(s):

Anomaly Detection ◽

Detection System ◽

Insider Threat ◽

Threat Detection

Download Full-text

Insider Threat Detection based on User behavior Model and Novelty Detection Algorithms

Journal of the Korean Institute of Industrial Engineers ◽

10.7232/jkiie.2017.43.4.276 ◽

2017 ◽

Vol 43 (4) ◽

pp. 276-287 ◽

Cited By ~ 1

Author(s):

Haedong Kim ◽

Junhong Kim ◽

Minsik Park ◽

Suhyoun Cho ◽

Pilsung Kang

Keyword(s):

User Behavior ◽

Novelty Detection ◽

Insider Threat ◽

Threat Detection ◽

Behavior Model ◽

Detection Algorithms

Download Full-text

Database Intrusion Detection Systems (DIDs): Insider Threat Detection via Behaviour-Based Anomaly Detection Systems - A Brief Survey of Concepts and Approaches

Communications in Computer and Information Science - Emerging Information Security and Applications ◽

10.1007/978-3-030-93956-4_11 ◽

2022 ◽

pp. 178-197

Author(s):

Muhammad Imran Khan ◽

Simon N. Foley ◽

Barry O’Sullivan

Keyword(s):

Intrusion Detection ◽

Anomaly Detection ◽

Intrusion Detection Systems ◽

Insider Threat ◽

Threat Detection ◽

Detection Systems ◽

Database Intrusion Detection

Download Full-text

EVOLVING INSIDER THREAT DETECTION STREAM MINING PERSPECTIVE

International Journal of Artificial Intelligence Tools ◽

10.1142/s0218213013600130 ◽

2013 ◽

Vol 22 (05) ◽

pp. 1360013 ◽

Cited By ~ 6

Author(s):

PALLABI PARVEEN ◽

NATHAN MCDANIEL ◽

ZACKARY WEGER ◽

JONATHAN EVANS ◽

BHAVANI THURAISINGHAM ◽

...

Keyword(s):

Anomaly Detection ◽

Unsupervised Learning ◽

Large Data ◽

Insider Threat ◽

Threat Detection ◽

Stream Mining ◽

Insider Threats ◽

System Logs ◽

The Cost ◽

Future Work

Evidence of malicious insider activity is often buried within large data streams, such as system logs accumulated over months or years. Ensemble-based stream mining leverages multiple classification models to achieve highly accurate anomaly detection in such streams, even when the stream is unbounded, evolving, and unlabeled. This makes the approach effective for identifying insider threats who attempt to conceal their activities by varying their behaviors over time. This paper applies ensemble-based stream mining, supervised and unsupervised learning, and graph-based anomaly detection to the problem of insider threat detection. It demonstrates that the ensemble-based approach is significantly more effective than traditional single-model methods, supervised learning outperforms unsupervised learning, and increasing the cost of false negatives correlates to higher accuracy. Future work will consider a wider range of tunable parameters in an effort to further reduce false positives, include a more sophisticated polling algorithm for weighting better models, and implement parallelization to lower runtimes to more rapidly detect emerging insider threats.

Download Full-text