Insider Threat Detection Based on Deep Belief Network Feature Representation

Insider threat is a significant security risk for information system, and detection of insider threat is a major concern for information system organizers. Recently existing work mainly focused on the single pattern analysis of user single-domain behavior, which were not suitable for user behavior pattern analysis in multi-domain scenarios. However, the fusion of multi-domain irrelevant features may hide the existence of anomalies. Previous feature learning methods have relatively a large proportion of information loss in feature extraction. Therefore, this paper proposes a hybrid model based on the deep belief network (DBN) to detect insider threat. First, an unsupervised DBN is used to extract hidden features from the multi-domain feature extracted by the audit logs. Secondly, a One-Class SVM (OCSVM) is trained from the features learned by the DBN. The experimental results on the CERT dataset demonstrate that the DBN can be used to identify the insider threat events and it provides a new idea to feature processing for the insider threat detection.

[1]  Geoffrey E. Hinton,et al.  A Learning Algorithm for Boltzmann Machines , 1985, Cogn. Sci..

[2]  Geoffrey E. Hinton A Practical Guide to Training Restricted Boltzmann Machines , 2012, Neural Networks: Tricks of the Trade.

[3]  Nicolas Le Roux,et al.  Representational Power of Restricted Boltzmann Machines and Deep Belief Networks , 2008, Neural Computation.

[4]  Razvan Pascanu,et al.  Learning Algorithms for the Classification Restricted Boltzmann Machine , 2012, J. Mach. Learn. Res..

[5]  Marcus A. Maloof,et al.  elicit: A System for Detecting Insiders Who Violate Need-to-Know , 2007, RAID.

[6]  Oliver Brdiczka,et al.  Multi-Domain Information Fusion for Insider Threat Detection , 2013, 2013 IEEE Security and Privacy Workshops.

[7]  Yee Whye Teh,et al.  A Fast Learning Algorithm for Deep Belief Nets , 2006, Neural Computation.

[8]  Elisa Bertino,et al.  Detecting anomalous access patterns in relational databases , 2008, The VLDB Journal.

[9]  Haining Wang,et al.  An efficient user verification system via mouse movements , 2011, CCS '11.

[10]  Roy A. Maxion,et al.  Masquerade detection using truncated command lines , 2002, Proceedings International Conference on Dependable Systems and Networks.

[11]  Salim Hariri,et al.  DDSGA: A Data-Driven Semi-Global Alignment Approach for Detecting Masquerade Attacks , 2015, IEEE Transactions on Dependable and Secure Computing.

[12]  Christopher Leckie,et al.  High-dimensional and large-scale anomaly detection using a linear one-class SVM with deep learning , 2016, Pattern Recognit..

[13]  Sadie Creese,et al.  Automated Insider Threat Detection System Using User and Role-Based Profile Assessment , 2017, IEEE Systems Journal.