Towards an Explainable Approach for Insider Threat Detection: Constraint Network Learning

Insider threats are considered a major threat to information and communication technology (ICT) systems and an important source of vulnerabilities from a security perspective. The technical knowledge that insiders have about the ICT systems (such as the IT infrastructure), the high volume of data generated by other employees of the company that hides insiders' activities, their access rights, and the confidentiality of the data to which they have access together create the perfect scenario for a powerful yet undetected attack. State-of-the-art techniques and security operations center tools struggle to come up with effective solutions to recognise these threats. Therefore, in this paper, we propose a novel artificial-intelligence-based constraint learning technique to help detect them. The approach creates an optimized constraint network representing the nominal behaviour of an employee and detects threatening events when their associated costs are above a certain threshold. The threshold is learnt alongside the constraint network model. The proposed approach is based on detection models able to provide human-interpretable feedback regarding the detection performed. This information is crucial in helping system operators understand why the detection has occurred and in helping them act promptly on the threat. The explanation comes directly from the structure of the detection model and relies on the identification of which constraints are being violated. The approach is tested on the CERT insider threat dataset v4.2 and the results obtained look promising, achieving at least the same accuracy as other state-of-the-art techniques while also providing the details of the constraints broken by the threat. A comparison with state-of-the-art techniques applied to this dataset is also provided, showing the strength of our results.
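To make the abstract's detection scheme concrete, the following added example (not the paper's algorithm or code) implements a toy version of its three ingredients: a nominal-behaviour model made of constraints learnt from a user's past activity, a violation cost compared against a threshold that is itself learnt from the nominal data, and an explanation consisting of the constraints the flagged event violates. The interval form of the constraints, the leave-one-out threshold rule, the feature names and all activity counters are assumptions constructed for illustration and are not taken from the CERT dataset.

```python
from typing import Dict, List, Tuple

Record = Dict[str, int]

# Constructed sample: one record per working day for a single user, with
# CERT-like activity counters (hypothetical values, not real dataset rows).
NOMINAL_DAYS: List[Record] = [
    {"logon_hour": 8, "usb_connects": 0, "files_copied": 3, "http_uploads": 2},
    {"logon_hour": 9, "usb_connects": 1, "files_copied": 5, "http_uploads": 1},
    {"logon_hour": 8, "usb_connects": 0, "files_copied": 2, "http_uploads": 3},
    {"logon_hour": 10, "usb_connects": 0, "files_copied": 6, "http_uploads": 2},
    {"logon_hour": 9, "usb_connects": 1, "files_copied": 4, "http_uploads": 0},
    {"logon_hour": 8, "usb_connects": 0, "files_copied": 3, "http_uploads": 4},
]

def learn_constraints(records: List[Record]) -> Dict[str, Tuple[int, int]]:
    """Nominal model: one interval constraint [lo, hi] per feature (assumed form)."""
    return {f: (min(r[f] for r in records), max(r[f] for r in records)) for f in records[0]}

def violation_cost(record: Record, constraints: Dict[str, Tuple[int, int]]):
    """Cost of an event = sum over violated constraints of how far the value lies
    outside the interval, normalised by the interval width. Also returns the
    violated constraints, which serve as the human-readable explanation."""
    total, violated = 0.0, []
    for feature, (lo, hi) in constraints.items():
        value, span = record[feature], max(hi - lo, 1)
        excess = (lo - value) if value < lo else (value - hi) if value > hi else 0
        if excess > 0:
            total += excess / span
            violated.append((feature, value, (lo, hi)))
    return total, violated

def learn_threshold(records: List[Record], margin: float = 0.5) -> float:
    """Threshold learnt from the nominal data: the highest leave-one-out cost
    plus a margin, so ordinary day-to-day variation is tolerated (assumed rule)."""
    worst = 0.0
    for i, held_out in enumerate(records):
        model = learn_constraints(records[:i] + records[i + 1:])
        worst = max(worst, violation_cost(held_out, model)[0])
    return worst + margin

def detect(record: Record, constraints: Dict[str, Tuple[int, int]], threshold: float) -> dict:
    """Flag the event only if its total cost exceeds the learnt threshold."""
    cost, violated = violation_cost(record, constraints)
    return {"threat": cost > threshold, "cost": round(cost, 2), "violated": violated}

if __name__ == "__main__":
    model, thr = learn_constraints(NOMINAL_DAYS), learn_threshold(NOMINAL_DAYS)
    late_day = {"logon_hour": 11, "usb_connects": 0, "files_copied": 5, "http_uploads": 2}
    bulk_day = {"logon_hour": 23, "usb_connects": 3, "files_copied": 40, "http_uploads": 12}
    for day in (late_day, bulk_day):
        print(detect(day, model, thr))  # violated constraints explain each verdict
```

The late logon alone breaks one constraint but stays under the threshold, whereas the bulk-copy day breaks all four and is flagged together with the list of broken constraints, mirroring the explanation mechanism the abstract describes.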
