Abstract

Detecting unusual insider behavior on enterprise resource planning (ERP) systems is essential to reducing the risk that insiders threaten or abuse enterprise resources. Many existing detection approaches, based on rule-based systems and stochastic processes, are limited to empirical monitoring using manually established algorithms or probabilistic boundaries. These approaches need prior knowledge, such as user permission guidelines and process data characteristics. Unfortunately, such prior knowledge is hard to obtain in practice, and these approaches are not appropriate for detecting atypical unusual behavior that cannot be clearly defined using heuristic rules. Therefore, in this article, we propose a novel framework for unusual insider behavior detection (UIBD) for ERP systems. The proposed framework first derives a discriminative model from normal behavior samples, and UIBD is then conducted by computing an error using the model. Since the model is built using normal samples only, the error for unusual samples would be larger than for normal ones. To derive a robust normal behavior model, we present the adversarial recurrent autoencoder (ARAE). To demonstrate the efficiency of the proposed framework based on ARAE, we conduct experiments using a dataset composed of insider behaviors defined by sequences of security audit logs of ERP systems operating in real-world enterprises. The experimental results show that the proposed framework with ARAE can successfully detect unusual insider behaviors and outperforms other methods for detecting unusual or threatening insider behavior.
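The detection principle described above (fit a model on normal sessions only, then flag sessions whose error exceeds what normal ones produce) can be sketched as follows. This is an added illustration, not the paper's code: a smoothed first-order transition model stands in for ARAE, and the event names, sessions and margin are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample data: one list per insider session, holding ordered
# audit-log event codes (hypothetical names, not from the paper's dataset).
NORMAL_SESSIONS = [
    ["LOGIN", "VIEW_PO", "CREATE_PO", "SUBMIT_PO", "LOGOUT"],
    ["LOGIN", "VIEW_PO", "VIEW_PO", "LOGOUT"],
    ["LOGIN", "VIEW_INVOICE", "APPROVE_INVOICE", "LOGOUT"],
    ["LOGIN", "VIEW_PO", "CREATE_PO", "SUBMIT_PO", "VIEW_INVOICE", "LOGOUT"],
    ["LOGIN", "VIEW_INVOICE", "VIEW_PO", "LOGOUT"],
]

def fit(sessions):
    """Learn event-to-event transition counts from normal sessions only."""
    counts, vocab = defaultdict(Counter), set()
    for session in sessions:
        vocab.update(session)
        for prev, nxt in zip(session, session[1:]):
            counts[prev][nxt] += 1
    return counts, vocab

def error(model, session):
    """Mean negative log-likelihood per transition, add-one smoothed.

    Plays the role of the model error: high when the session contains
    transitions or events the normal-only model has rarely or never seen.
    """
    counts, vocab = model
    slots = len(vocab) + 1  # one extra slot for events unseen in training
    total = 0.0
    for prev, nxt in zip(session, session[1:]):
        row = counts.get(prev, Counter())
        total -= math.log((row[nxt] + 1) / (sum(row.values()) + slots))
    return total / max(len(session) - 1, 1)

def threshold(model, sessions, margin=1.1):
    """Boundary: worst error among normal sessions, times an assumed margin."""
    return margin * max(error(model, s) for s in sessions)

def is_unusual(model, limit, session):
    """Flag a session whose error exceeds the normal-derived boundary."""
    return error(model, session) > limit

MODEL = fit(NORMAL_SESSIONS)
LIMIT = threshold(MODEL, NORMAL_SESSIONS)
```

No labelled unusual samples are needed at any point; the boundary is derived entirely from the normal sessions, which is the property the framework relies on.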
