A new intelligent multilayer framework for insider threat detection

Abstract

In several earlier studies, machine learning (ML) has been widely used for building insider threat detection systems. However, the selection of the most appropriate ML classification model for insider threats detection remains a challenge. Despite the prominence of ML in the domain of insider threat detection, none of the previous works have utilized ML techniques for building a hybrid solution that can take advantage of the misuse and anomaly insider threat detection. In this study, a new multilayer framework has been proposed for insider threat detection. The first layer of the framework is used for selecting the best insider threat detection classification model among many based on the multi-criteria decision making techniques. The selection procedure has been developed based on the integration of the entropy-VIKOR methods. For the second layer, a hybrid insider threat detection method has been proposed, where the Misuse Insider Threat Detection (MITD) model has been created using the random forest algorithm. Subsequently, using the K-Nearest Neighbors algorithm, an anomaly insider threat detection algorithm has been developed. The proposed multilayer framework for insider threat detection has been evaluated by using the CERT r4.2 dataset. Results of the experiment demonstrate that the validity of the results produced by the selection framework is proven by the validation procedure obtained from previous research. The proposed hybrid detection method is observed to exhibit an overall accuracy of 99% and a false positive rate of 0.29% for known insider threats, whereas it exhibits 97% accuracy and 2.88% false-positive rate for unknown insider threats.