An Insider Threat Detection Method Based on User Behavior Analysis

Insider threats have long been a major hidden danger to information system security, and detecting them is a primary concern for the organizations that operate such systems. Feature extraction performed before anomaly detection often discards part of the available information, and detecting insider threats at a single point in time often produces false positives. This paper therefore proposes a user behavior analysis model that aggregates a user's behavior over a period of time to characterize the user's attributes comprehensively, and then detects internal attacks on that basis. First, user behavior characteristics are derived from the multi-domain features extracted from the audit log; these are then used to train an XGBoost classifier. Experimental results on a user behavior dataset show that the XGBoost algorithm can identify insider threats, with an F-measure of up to 99.96%, which is better than the SVM and random forest algorithms.
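The aggregation step the abstract describes, as an added example that is not the paper's own code: constructed audit events from several log domains are collapsed into one feature vector per user and time window, which is the matrix a classifier such as XGBoost would then be trained on. The domain names, feature names and the 07:00-19:00 working day are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not from the paper's dataset):
# (domain, timestamp, user, detail). Domains mirror the multi-domain
# audit logs the paper describes: logon, removable device, file access.
SAMPLE_LOG = [
    ("logon",  "2024-03-04 08:55:00", "alice", "logon"),
    ("logon",  "2024-03-04 17:40:00", "alice", "logoff"),
    ("file",   "2024-03-04 10:12:00", "alice", "report.docx"),
    ("logon",  "2024-03-04 23:10:00", "bob",   "logon"),
    ("device", "2024-03-04 23:15:00", "bob",   "connect"),
    ("file",   "2024-03-04 23:20:00", "bob",   "customers.csv"),
    ("file",   "2024-03-04 23:21:00", "bob",   "payroll.xlsx"),
    ("file",   "2024-03-04 23:22:00", "bob",   "design.pdf"),
    ("logon",  "2024-03-05 09:00:00", "bob",   "logon"),
    ("file",   "2024-03-05 09:30:00", "bob",   "report.docx"),
]

FEATURE_NAMES = ["logons", "offhours_logons", "device_connects",
                 "file_accesses", "distinct_files"]

def is_off_hours(ts, start=7, end=19):
    """Assumed working day is 07:00-19:00; anything else is off-hours."""
    return not (start <= ts.hour < end)

def aggregate_features(events, window_days=1):
    """One feature vector per (user, window start date).
    Windows are fixed, non-overlapping spans of `window_days` days counted
    from the earliest event, so behaviour is judged over a period rather
    than at a single time point."""
    parsed = [(d, datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), u, x)
              for d, t, u, x in events]
    origin = min(ts for _, ts, _, _ in parsed).date()
    counts, files = defaultdict(lambda: defaultdict(int)), defaultdict(set)
    for domain, ts, user, detail in parsed:
        idx = (ts.date() - origin).days // window_days
        key = (user, (origin + timedelta(days=idx * window_days)).isoformat())
        row = counts[key]  # ensure a row exists even for uncounted events
        if domain == "logon" and detail == "logon":
            row["logons"] += 1
            row["offhours_logons"] += int(is_off_hours(ts))
        elif domain == "device" and detail == "connect":
            row["device_connects"] += 1
        elif domain == "file":
            row["file_accesses"] += 1
            files[key].add(detail)
    return {k: [len(files[k]) if f == "distinct_files" else counts[k][f]
                for f in FEATURE_NAMES] for k in counts}

def to_matrix(vectors):
    """Sorted (keys, rows); rows are the X passed to an XGBoost/SVM trainer."""
    keys = sorted(vectors)
    return keys, [vectors[k] for k in keys]
```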
