Abstract

The detection of insider threats is a significant challenge for many organizations due to the complexity of the data, the potential for changes in user behavior, and limited ground truth. Current techniques for detecting insider threats, including dataset balancing, anomaly detection, and image classification, suffer from lower precision and a high False Positive Rate (FPR). This is due to complex and heterogeneous data and because image classification techniques disregard the spatial arrangement and relationships between features, which are essential to understanding the detailed behavior pattern of a user. To address these issues, a novel image-based insider threat detection framework is proposed, which integrates Multi-level Wavelet decomposition into a Capsule Network (MWCapsNet). The image generator for tabular data (IGTD) framework is used to generate image representations by identifying the correlation between the features that depict user behavior. The multi-level wavelet decomposition helps extract spectral and spatial features, whereas the capsule network captures contextual relationships between features from the generated image representations, thus improving the accuracy and precision of the MWCapsNet model with far fewer false alarms. The proposed MWCapsNet model outperforms existing state-of-the-art techniques, achieving 98.88% accuracy and 99.21% precision with a lower rate of false positives when evaluated using the CERT insider threat datasets.
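The multi-level wavelet step described above, as an added example that is not the paper's implementation: it decomposes small feature images and reports how much detail energy each level carries, showing why a single level can miss a deviation that spans neighbouring features. Assumptions: the Haar wavelet, two levels, the 8x8 constructed images standing in for IGTD output, and all function names are hypothetical; the abstract specifies none of them.

```python
# Added illustration (not the paper's code): multi-level 2D Haar decomposition.
# Assumptions: Haar wavelet, 8x8 images, 2 levels; the abstract names none of these.

def haar_step(img):
    """One orthonormal 2D Haar level -> (approx, col_diff, row_diff, diag)."""
    h, w = len(img) // 2, len(img[0]) // 2
    bands = [[[0.0] * w for _ in range(h)] for _ in range(4)]
    for i in range(h):
        for j in range(w):
            a, b = img[2 * i][2 * j], img[2 * i][2 * j + 1]
            c, d = img[2 * i + 1][2 * j], img[2 * i + 1][2 * j + 1]
            bands[0][i][j] = (a + b + c + d) / 2  # coarse copy of the image
            bands[1][i][j] = (a - b + c - d) / 2  # change between adjacent columns
            bands[2][i][j] = (a + b - c - d) / 2  # change between adjacent rows
            bands[3][i][j] = (a - b - c + d) / 2  # diagonal change
    return tuple(bands)


def decompose(img, levels):
    """Return (coarsest approximation, [detail band triples, finest first])."""
    approx, details = img, []
    for _ in range(levels):
        approx, *detail = haar_step(approx)
        details.append(detail)
    return approx, details


def energy(band):
    """Sum of squared coefficients in one band."""
    return sum(v * v for row in band for v in row)


def detail_energy_by_level(img, levels=2):
    """Total detail-band energy per level: the scale at which a deviation shows."""
    _, details = decompose(img, levels)
    return [sum(energy(b) for b in triple) for triple in details]


def make_image(cells, size=8, base=1, value=5):
    """Constructed sample: flat baseline with the listed (row, col) cells raised."""
    img = [[base] * size for _ in range(size)]
    for r, c in cells:
        img[r][c] = value
    return img


BASELINE = make_image([])
PIXEL_SPIKE = make_image([(2, 4)])                          # one feature deviates
BLOCK_BURST = make_image([(2, 4), (2, 5), (3, 4), (3, 5)])  # four neighbours deviate

if __name__ == "__main__":
    for name, img in [("baseline", BASELINE), ("pixel", PIXEL_SPIKE), ("block", BLOCK_BURST)]:
        print(name, detail_energy_by_level(img))
```

The single-pixel deviation is strongest in the finest level, while the 2x2 block of correlated features leaves the first level's detail bands empty and only appears at the second level.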
