scholarly journals Insider Threat Detection Based on User Behavior Modeling and Anomaly Detection Algorithms

2019 ◽  
Vol 9 (19) ◽  
pp. 4018 ◽  
Author(s):  
Kim ◽  
Park ◽  
Kim ◽  
Cho ◽  
Kang
Keyword(s):  
Anomaly Detection ◽  
User Behavior ◽  
Behavior Modeling ◽  
Detection Methods ◽  
Insider Threat ◽  
Threat Detection ◽  
Insider Threats ◽  
Domain Experts ◽  
User Behavior Modeling ◽  
Detection Algorithms

Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization’s system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user’s daily activity summary, e-mail contents topic distribution, and user’s weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts’ knowledge is provided.

An email content-based insider threat detection model using anomaly detection algorithms

2021 ◽  
Author(s):  
NaanKang Garba ◽  
Sandip Rakshit ◽  
Chai Dakun Maa ◽  
Narasimha Rao Vajjhala
Keyword(s):  
Anomaly Detection ◽  
Insider Threat ◽  
Threat Detection ◽  
Detection Model ◽  
Detection Algorithms

An Insider Threat Detection Method Based on Business Process Mining

2017 ◽  
Vol 13 (2) ◽  
pp. 83-98 ◽  
Author(s):  
Taiming Zhu ◽  
Yuanbo Guo ◽  
Ankang Ju ◽  
Jun Ma ◽  
Xuan Wang
Keyword(s):  
Business Process ◽  
Process Mining ◽  
Detection System ◽  
Detection Methods ◽  
Insider Threat ◽  
Threat Detection ◽  
Detection Algorithms ◽  
Business Cases ◽  
Business Process Mining ◽  
And Performance

Current intrusion detection systems are mostly for detecting external attacks, but the “Prism Door” and other similar events indicate that internal staff may bring greater harm to organizations in information security. Traditional insider threat detection methods only consider the audit records of personal behavior and failed to combine it with business activities, which may miss the insider threat happened during a business process. The authors consider operators' behavior and correctness and performance of the business activities, propose a business process mining based insider threat detection system. The system firstly establishes the normal profiles of business activities and the operators by mining the business log, and then detects specific anomalies by comparing the content of real-time log with the corresponding normal profile in order to find out the insiders and the threats they have brought. The relating anomalies are defined and the corresponding detection algorithms are presented. The authors have performed experimentation using the ProM framework and Java programming, with five synthetic business cases, and found that the system can effectively identify anomalies of both operators and business activities that may be indicative of potential insider threat.

Insider Threat Detection based on User behavior Model and Novelty Detection Algorithms

2017 ◽  
Vol 43 (4) ◽  
pp. 276-287 ◽  
Author(s):  
Haedong Kim ◽  
Junhong Kim ◽  
Minsik Park ◽  
Suhyoun Cho ◽  
Pilsung Kang
Keyword(s):  
User Behavior ◽  
Novelty Detection ◽  
Insider Threat ◽  
Threat Detection ◽  
Behavior Model ◽  
Detection Algorithms

EVOLVING INSIDER THREAT DETECTION STREAM MINING PERSPECTIVE

2013 ◽  
Vol 22 (05) ◽  
pp. 1360013 ◽  
Author(s):  
PALLABI PARVEEN ◽  
NATHAN MCDANIEL ◽  
ZACKARY WEGER ◽  
JONATHAN EVANS ◽  
BHAVANI THURAISINGHAM ◽  
...  
Keyword(s):  
Anomaly Detection ◽  
Unsupervised Learning ◽  
Large Data ◽  
Insider Threat ◽  
Threat Detection ◽  
Stream Mining ◽  
Insider Threats ◽  
System Logs ◽  
The Cost ◽  
Future Work

Evidence of malicious insider activity is often buried within large data streams, such as system logs accumulated over months or years. Ensemble-based stream mining leverages multiple classification models to achieve highly accurate anomaly detection in such streams, even when the stream is unbounded, evolving, and unlabeled. This makes the approach effective for identifying insider threats who attempt to conceal their activities by varying their behaviors over time. This paper applies ensemble-based stream mining, supervised and unsupervised learning, and graph-based anomaly detection to the problem of insider threat detection. It demonstrates that the ensemble-based approach is significantly more effective than traditional single-model methods, supervised learning outperforms unsupervised learning, and increasing the cost of false negatives correlates to higher accuracy. Future work will consider a wider range of tunable parameters in an effort to further reduce false positives, include a more sophisticated polling algorithm for weighting better models, and implement parallelization to lower runtimes to more rapidly detect emerging insider threats.

scholarly journals Detecting Insider Threat from Behavioral Logs Based on Ensemble and Self-Supervised Learning

2021 ◽  
Vol 2021 ◽  
pp. 1-11
Author(s):  
Chunrui Zhang ◽  
Shen Wang ◽  
Dechen Zhan ◽  
Tingyue Yu ◽  
Tiangang Wang ◽  
...  
Keyword(s):  
Machine Learning ◽  
Spatial Heterogeneity ◽  
Supervised Learning ◽  
Detection Method ◽  
Detection Methods ◽  
Insider Threat ◽  
Threat Detection ◽  
Insider Threats ◽  
Representation Method ◽  
Detection Effect

Recent studies have highlighted that insider threats are more destructive than external network threats. Despite many research studies on this, the spatial heterogeneity and sample imbalance of input features still limit the effectiveness of existing machine learning-based detection methods. To solve this problem, we proposed a supervised insider threat detection method based on ensemble learning and self-supervised learning. Moreover, we propose an entity representation method based on TF-IDF to improve the detection effect. Experimental results show that the proposed method can effectively detect malicious sessions in CERT4.2 and CERT6.2 datasets, where the AUCs are 99.2% and 95.3% in the best case.

scholarly journals Multivariate Anomaly Detection for Earth Observations: A Comparison of Algorithms and Feature Extraction Techniques

2016 ◽  
Author(s):  
Milan Flach ◽  
Fabian Gans ◽  
Alexander Brenning ◽  
Joachim Denzler ◽  
Markus Reichstein ◽  
...  
Keyword(s):  
Feature Extraction ◽  
Anomaly Detection ◽  
Data Streams ◽  
Multivariate Data ◽  
Detection Methods ◽  
Earth System ◽  
Earth System Science ◽  
System Science ◽  
Detection Algorithms ◽  
Earth Observations

Abstract. Today, many processes at the Earth's surface are constantly monitored by multiple data streams. These observations have become central to advance our understanding of e.g. vegetation dynamics in response to climate or land use change. Another set of important applications is monitoring effects of climatic extreme events, other disturbances such as fires, or abrupt land transitions. One important methodological question is how to reliably detect anomalies in an automated and generic way within multivariate data streams, which typically vary seasonally and are interconnected across variables. Although many algorithms have been proposed for detecting anomalies in multivariate data, only few have been investigated in the context of Earth system science applications. In this study, we systematically combine and compare feature extraction and anomaly detection algorithms for detecting anomalous events. Our aim is to identify suitable workflows for automatically detecting anomalous patterns in multivariate Earth system data streams. We rely on artificial data that mimic typical properties and anomalies in multivariate spatiotemporal Earth observations. This artificial experiment is needed as there is no 'gold standard' for the identification of anomalies in real Earth observations. Our results show that a well chosen feature extraction step (e.g. subtracting seasonal cycles, or dimensionality reduction) is more important than the choice of a particular anomaly detection algorithm. Nevertheless, we identify 3 detection algorithms (k-nearest neighbours mean distance, kernel density estimation, a recurrence approach) and their combinations (ensembles) that outperform other multivariate approaches as well as univariate extreme event detection methods. Our results therefore provide an effective workflow to automatically detect anomalies in Earth system science data.

Sign in / Sign up

Export Citation Format

Share Document