Anomaly Detection for Insider Threats: An Objective Comparison of Machine Learning Models and Ensembles

Conference paper, published in ICT Systems Security and Privacy Protection (SEC 2021)

Abstract

Insider threat detection is challenging due to the wide variety of possible attacks and the limited availability of real threat data for testing. Most previous anomaly detection studies have relied on synthetic threat data, such as the CERT insider threat dataset. However, several previous studies have used approaches that arguably introduce bias, such as the selective use of metrics and the reuse of the same dataset with prior knowledge of the answer labels. In this paper, we create and test a host of models following some guidelines of good conduct to produce what we believe to be a more objective comparison of these models. Our results indicate that majority voting ensembles are a simple and cost-effective way of boosting the quality of results from individual machine learning models, both on the CERT data and on a version augmented with additional attacks. We include a comparison of models with their hyperparameters optimized for different target metrics.

Supported by The Datalab, https://www.thedatalab.com/.



Author information

Correspondence to Filip Wieslaw Bartoszewski .


Copyright information

© 2021 IFIP International Federation for Information Processing

About this paper

Cite this paper

Bartoszewski, F.W., Just, M., Lones, M.A., Mandrychenko, O. (2021). Anomaly Detection for Insider Threats: An Objective Comparison of Machine Learning Models and Ensembles. In: Jøsang, A., Futcher, L., Hagen, J. (eds) ICT Systems Security and Privacy Protection. SEC 2021. IFIP Advances in Information and Communication Technology, vol 625. Springer, Cham. https://doi.org/10.1007/978-3-030-78120-0_24

  • DOI: https://doi.org/10.1007/978-3-030-78120-0_24

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-78119-4

  • Online ISBN: 978-3-030-78120-0
