An email content-based insider threat detection model using anomaly detection algorithms

Abstract

Insider threats significantly impact businesses as well as governments and military organizations. The focus of threats has shifted from external attack to within organizations where authorized users have become potential insider threats. Existing insider threats detection methods, such as the rule-based approach rely on expert knowledge making it not robust. An insider threat detection method is proposed based on email user behaviour and anomaly detection algorithms to overcome this limitation. An email content based on the IT administrator role is constructed from the CERT r6.2 dataset using natural language pre-processing modules. Topic modelling is performed on the dataset to generate a vector space, which serves as input to anomaly detection algorithms to detect malicious email contents. The experimental results demonstrate that the proposed model has an 89% detection rate over the baseline model. A combination of K-means and PCA anomaly detection algorithms yielded a good detection rate of 89% for 1%, 5%, 10%, 15%, 20%, 25%, and 30% cut-off values anomaly scores.