Deep Learning for Insider Threat Detection: Review, Challenges and Opportunities

Insider threats are among the most challenging threats in cyberspace and usually cause significant loss to organizations. Although insider threat detection has long been studied in both the security and data mining communities, traditional machine learning based detection approaches, which rely heavily on feature engineering, struggle to accurately capture the behavioral difference between insiders and normal users. This is due to various challenges rooted in the characteristics of the underlying data, such as high dimensionality, complexity, heterogeneity, sparsity, the lack of labeled insider threats, and the subtle and adaptive nature of insider threats themselves. Advanced deep learning techniques provide a new paradigm for learning end-to-end models from complex data. In this brief survey, we first introduce one commonly used dataset for insider threat detection and then review the recent literature on deep learning for this task. The existing studies show that, compared with traditional machine learning algorithms, deep learning models can improve the performance of insider threat detection. However, applying deep learning to further advance insider threat detection still faces several limitations, such as the lack of labeled data and adaptive attacks. We discuss these challenges and suggest future research directions that have the potential to address them and further boost the performance of deep learning for insider threat detection.
