Abstract

Insider threat detection is a major challenge for organizational security. Insiders are employees or users of an organization who pose a threat to it by performing malicious activity. Existing methods for detecting insider threats are based on psycho-physiological factors, statistical analysis, machine learning and deep learning. These methods rely on predefined rules or stored signatures and therefore fail to detect new or unknown attacks. To overcome some of their limitations, we propose a behaviour-based insider threat detection method. Behaviour is characterized by user activity (such as logon-logoff, device connect-disconnect, file access, HTTP URL requests and email activity). Isometric Feature Mapping (ISOMAP) is used for feature extraction and the Emperor Penguin Algorithm is used for optimal feature selection. The features include time-based features (the time at which a particular activity is performed) and frequency-based features (the number of times a particular activity is performed). Finally, a multi-fuzzy classifier with three inference engines, F1, F2 and F3, classifies users as normal or malicious. The proposed method is evaluated on the CMU-CERT insider threat dataset. It outperforms existing methods on accuracy, precision, recall, F-measure and AUC-ROC, and the insider threat detection results show a significant improvement over existing methods.
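The abstract names two feature families, time-based (when an activity happens) and frequency-based (how often it happens), derived from per-user activity records. The following is an added illustration, not code from the paper: it turns constructed activity records (imitating the event types listed above, not actual CMU-CERT rows) into a per-user feature vector of the kind a downstream feature-selection and classification stage would consume. The activity names, the 08:00-17:59 business-hours window and the feature names are assumptions of this example.

```python
"""Per-user behaviour features (frequency based and time based) from activity
records. Records, activity names and the business-hours window are constructed
for this example and are not taken from the paper or the CMU-CERT dataset."""
from collections import defaultdict
from datetime import datetime

# Constructed records: (timestamp, user id, activity type).
RECORDS = [
    ("2010-01-04 08:02:00", "USER_A", "logon"),
    ("2010-01-04 09:15:00", "USER_A", "http"),
    ("2010-01-04 09:40:00", "USER_A", "email"),
    ("2010-01-04 17:05:00", "USER_A", "logoff"),
    ("2010-01-04 23:12:00", "USER_B", "logon"),
    ("2010-01-04 23:15:00", "USER_B", "device_connect"),
    ("2010-01-04 23:16:00", "USER_B", "file"),
    ("2010-01-04 23:17:00", "USER_B", "file"),
    ("2010-01-04 23:18:00", "USER_B", "file"),
    ("2010-01-04 23:30:00", "USER_B", "device_disconnect"),
    ("2010-01-04 23:31:00", "USER_B", "logoff"),
]

ACTIVITIES = ("logon", "logoff", "device_connect", "device_disconnect",
              "file", "http", "email")
BUSINESS_HOURS = range(8, 18)  # assumed working day, 08:00 to 17:59


def extract_features(records):
    """Return {user: feature dict}; counts per activity are the frequency
    features, the remaining entries are the time-based features."""
    per_user = defaultdict(list)
    for ts, user, activity in records:
        per_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), activity))
    features = {}
    for user, events in per_user.items():
        events.sort()                       # chronological order
        f = {f"count_{a}": 0 for a in ACTIVITIES}
        for _, activity in events:
            f[f"count_{activity}"] += 1
        hours = [dt.hour for dt, _ in events]
        logon_hours = [dt.hour for dt, a in events if a == "logon"]
        f["first_logon_hour"] = min(logon_hours) if logon_hours else -1
        f["after_hours_ratio"] = sum(h not in BUSINESS_HOURS for h in hours) / len(hours)
        f["span_minutes"] = (events[-1][0] - events[0][0]).total_seconds() / 60
        features[user] = f
    return features
```

The feature dicts are the raw input to the paper's pipeline; dimensionality reduction (ISOMAP), selection (Emperor Penguin) and the fuzzy classifier would operate on vectors built from them, which this example does not implement.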
