Abstract

Insider threats to information security can become a burden for organizations, yet outsider attacks have received more attention than insider attacks. Many researchers have studied insider threats and proposed various approaches (signature-based, machine-learning-based, and deep-learning-based) to mitigate them. In this work, we present a novel insider threat detection system based on a Long Short-Term Memory (LSTM) deep learning network. The detection system aims to analyze and mitigate the negative effect of insiders by distinguishing benign activities from malicious ones. It uses sentiment analysis to classify users' activities and Gray encoding to preserve the temporal relationships between activities (especially correlated activities). This allows us to reform the dataset so that each row is a variable-length sample on which the deep-learning-based detector is trained. Other data representations, such as binary encoding (BE) and real-valued data without encoding (WE), were used to test how effectively Gray encoding preserves the temporal relationships between activities. The proposed detection techniques were evaluated on log files from the CERT r4.2 insider threat dataset, which records the activities of employees over eighteen working months. The evaluation results show an improved false positive rate of 0.29%, a false negative rate of 2.47%, and an AUC of 97%.
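The abstract states that Gray encoding is used so that the temporal relationship between consecutive activities survives the transformation into fixed-width inputs, and that each user contributes a variable-length sequence. The following is an added illustration of that data-preparation step, not the paper's code: it parses a few constructed CERT-style log lines, assigns each activity type an integer ID (the vocabulary and its ordering are assumptions), groups activities per user in time order, and encodes each ID as a Gray-code bit vector or, for comparison, a plain binary bit vector. The mean Hamming distance between consecutive codes is a hypothetical metric chosen here to make the difference between the two encodings visible; the paper's exact mapping, sentiment-analysis step and LSTM are not reproduced.

```python
"""
Added example (not the paper's code): build per-user, variable-length
activity sequences from CERT-style logs and compare Gray encoding with plain
binary encoding.  Log format, activity vocabulary and the Hamming-distance
comparison are assumptions made for illustration only.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (timestamp,user,activity), loosely modelled on
# the CERT insider dataset.  They are made up for this example.
SAMPLE_LOG = """\
01/02/2010 08:01:00,ACM2278,logon
01/02/2010 08:05:13,ACM2278,http
01/02/2010 08:40:27,ACM2278,email
01/02/2010 09:10:02,ACM2278,device_connect
01/02/2010 09:11:45,ACM2278,file
01/02/2010 09:30:00,ACM2278,device_disconnect
01/02/2010 17:02:31,ACM2278,logoff
01/02/2010 08:12:00,CDE1846,logon
01/02/2010 12:00:00,CDE1846,http
01/02/2010 17:30:00,CDE1846,logoff
"""

# Assumed activity vocabulary; the order is chosen so that activities that
# typically follow one another receive neighbouring integer IDs.
ACTIVITIES = ["logon", "http", "email", "device_connect", "file",
              "device_disconnect", "logoff"]
ACT_ID = {name: i for i, name in enumerate(ACTIVITIES)}
WIDTH = max(1, (len(ACTIVITIES) - 1).bit_length())   # bits needed for all IDs


def gray(n: int) -> int:
    """Reflected binary Gray code: consecutive integers differ in one bit."""
    return n ^ (n >> 1)


def to_bits(n: int, width: int = WIDTH) -> list[int]:
    """Fixed-width, MSB-first bit vector, the shape an LSTM input layer takes."""
    return [(n >> i) & 1 for i in range(width - 1, -1, -1)]


def hamming(a: list[int], b: list[int]) -> int:
    """Number of bit positions in which two equal-length vectors differ."""
    return sum(x != y for x, y in zip(a, b))


def parse_log(text: str) -> list[tuple[datetime, str, str]]:
    """Parse 'timestamp,user,activity' lines into (datetime, user, activity)."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, act = line.split(",")
        rows.append((datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"), user, act))
    return rows


def build_sequences(rows, encoding: str = "gray") -> dict[str, list[list[int]]]:
    """Group activities per user in time order, giving variable-length samples.

    encoding: "gray"   -> Gray-coded bit vectors
              "binary" -> plain binary bit vectors
              "none"   -> the raw integer ID (the 'without encoding' baseline)
    """
    per_user: dict[str, list[list[int]]] = defaultdict(list)
    for _ts, user, act in sorted(rows):          # sorted by timestamp first
        code = ACT_ID[act]
        if encoding == "gray":
            per_user[user].append(to_bits(gray(code)))
        elif encoding == "binary":
            per_user[user].append(to_bits(code))
        elif encoding == "none":
            per_user[user].append([code])
        else:
            raise ValueError(f"unknown encoding: {encoding}")
    return dict(per_user)


def mean_step_distance(seq: list[list[int]]) -> float:
    """Average Hamming distance between consecutive codes in one sequence."""
    pairs = list(zip(seq, seq[1:]))
    return sum(hamming(a, b) for a, b in pairs) / len(pairs)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for enc in ("gray", "binary"):
        for user, seq in build_sequences(rows, enc).items():
            print(f"{enc:6s} {user}: len={len(seq)} "
                  f"mean step distance={mean_step_distance(seq):.2f}")
```

With the constructed log, every consecutive pair in a user's Gray-coded sequence is one bit apart, whereas the binary-coded sequence jumps by up to three bits between neighbouring activity IDs (for example `011` to `100`), so a distance-sensitive model sees a smoother signal under Gray encoding. Whether that smoothness is what drives the reported gains is a question for the full paper; this block only makes the encoding difference concrete.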
