
LAN: Learning Adaptive Neighbors for Real-Time Insider Threat Detection (2403.09209v2)

Published 14 Mar 2024 in cs.CR, cs.AI, and cs.LG

Abstract: Enterprises and organizations face potential threats from insider employees that may lead to serious consequences. Previous studies on insider threat detection (ITD) mainly focus on detecting abnormal users or abnormal time periods (e.g., a week or a day). However, a user may have hundreds of thousands of activities in the log, and even within a single day there may be thousands of activities for one user, so verifying the abnormal users or activities reported by a detector requires a high investigation budget. Moreover, existing works are mainly post-hoc methods rather than real-time detection, so they cannot report insider threats in time, before they cause loss. In this paper, we conduct the first study of real-time ITD at the activity level and present a fine-grained and efficient framework, LAN. Specifically, LAN simultaneously learns the temporal dependencies within an activity sequence and the relationships between activities across sequences via graph structure learning. To mitigate the data imbalance problem in ITD, we propose a novel hybrid prediction loss that integrates self-supervision signals from normal activities and supervision signals from abnormal activities into a unified loss for anomaly detection. We evaluate the performance of LAN on two widely used datasets, CERT r4.2 and CERT r5.2. Extensive comparative experiments demonstrate the superiority of LAN, which outperforms 9 state-of-the-art baselines by at least 9.92% and 6.35% in AUC for real-time ITD on CERT r4.2 and r5.2, respectively. LAN can also be applied to post-hoc ITD, where it surpasses 8 competitive baselines by at least 7.70% and 4.03% in AUC on the two datasets. Finally, an ablation study, parameter analysis, and compatibility analysis evaluate the impact of each module and hyper-parameter in LAN. The source code can be obtained from https://github.com/Li1Neo/LAN.
