
Survival analysis for insider threat

Detecting insider threat incidents using survival analysis techniques

Special issue: Social Cybersecurity in Times of Crisis

Computational and Mathematical Organization Theory

Abstract

In the current information era, we rely on cyber techniques and principles to protect the confidentiality, integrity, and availability of everything from personally identifiable information and intellectual property to government and industry information systems. Despite persistent efforts to protect this sensitive information, security breaches continue to occur at alarming rates, the most common of them being insider threats. Over the past decade, insider threat detection has attracted considerable attention from researchers in both academia and industry. In this paper, we develop a novel insider threat detection method based on survival analysis techniques. Specifically, we use the Cox proportional hazards model to provide more accurate prediction of insider threat events. Our model uses different groups of variables, such as activity, logon data, and psychometric tests. The proposed framework addresses the challenge of predicting insider threat instances as well as their approximate time of occurrence, which enables proactive interventions to be prioritized where limited resources are available. The criticality of this issue in the insider threat problem is twofold: not only is it important to classify correctly whether a person is going to become a threat, but also when this is going to happen. We evaluate our method on the CERT Insider Threat Test Dataset and show that the proposed Cox-based framework can predict insider threat events and their timing with high accuracy and precision.
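The Cox proportional hazards idea from the abstract, as an added example that is not the paper's code: a pure-Python fit of the model by gradient ascent on the Breslow partial likelihood over a constructed sample of eight users with censored observations, followed by ranking users by relative hazard and scoring that ranking with the concordance index. The three covariates, the sample values and the ridge penalty used to keep the fit stable on so few events are assumptions, not taken from the paper or the CERT dataset.

```python
import math

# Constructed sample, not the CERT dataset: user -> (days observed, event flag,
# covariates); event 1 = incident that day, 0 = still clean when observation
# ended (censored). Covariates are assumptions: off-hours logons, USB events, psych score.
USERS = {
    "A": (10, 1, [8, 5, 0.9]), "B": (20, 1, [6, 4, 0.8]),
    "C": (35, 1, [5, 2, 0.7]), "D": (50, 1, [2, 1, 0.3]),
    "E": (60, 0, [7, 3, 0.6]), "F": (45, 0, [3, 1, 0.4]),
    "G": (60, 0, [2, 0, 0.1]), "H": (60, 0, [1, 1, 0.3]),
}

def standardize(users):
    """Z-score each covariate so one gradient step size suits all of them."""
    cols = list(zip(*[x for _, _, x in users.values()]))
    mean = [sum(c) / len(c) for c in cols]
    sd = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) for c, m in zip(cols, mean)]
    return {u: (t, e, [(v - m) / s for v, m, s in zip(x, mean, sd)])
            for u, (t, e, x) in users.items()}

def linpred(beta, x):
    return sum(b * v for b, v in zip(beta, x))

def gradient(beta, data, lam):
    """Breslow partial log-likelihood gradient minus an L2 penalty; the risk set at
    each incident time is every user still incident-free then, weighted by exp(beta . x)."""
    grad = [-2 * lam * b for b in beta]
    for t, e, x in data.values():
        if not e:
            continue  # censored users only contribute through other users' risk sets
        risk = {u: math.exp(linpred(beta, d[2])) for u, d in data.items() if d[0] >= t}
        for j in range(len(beta)):
            grad[j] += x[j] - sum(w * data[u][2][j] for u, w in risk.items()) / sum(risk.values())
    return grad

def fit_cox(data, lam=0.5, step=0.02, iters=1000):
    """Gradient ascent; the penalized objective is concave, so beta = 0 is a safe start."""
    beta = [0.0] * len(next(iter(data.values()))[2])
    for _ in range(iters):
        beta = [b + step * g for b, g in zip(beta, gradient(beta, data, lam))]
    return beta

def risk_scores(beta, data):
    """Relative hazard exp(beta . x): higher means an earlier expected incident."""
    return {u: math.exp(linpred(beta, x)) for u, (_, _, x) in data.items()}

def concordance(data, scores):
    """C-index: share of comparable pairs whose earlier incident has the higher score."""
    pairs = [(i, j) for i, (ti, ei, _) in data.items()
             for j, (tj, _, _) in data.items() if ei and ti < tj]
    return sum(scores[i] > scores[j] for i, j in pairs) / len(pairs)
```

Sorting `risk_scores(fit_cox(standardize(USERS)), standardize(USERS))` in descending order gives the triage order the abstract describes; the C-index on the training sample checks that earlier incidents do receive the higher scores.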



Acknowledgements

The authors acknowledge the support of COL Paul Goethals and the Insider Threat Research Center at the United States Military Academy in West Point, NY.

Author information

Correspondence to Elie Alhajjar.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest.


About this article


Cite this article

Alhajjar, E., Bradley, T. Survival analysis for insider threat. Comput Math Organ Theory 28, 335–351 (2022). https://doi.org/10.1007/s10588-021-09341-0
