Abstract
In the current information era, we rely on cyber techniques and principles to protect the confidentiality, integrity, and availability of everything from personally identifiable information and intellectual property, to government and industry information systems. Despite persistent efforts to protect this sensitive information, security breaches continue to occur at alarming rates, the most common of them being insider threats. Over the past decade, insider threat detection has attracted a considerable amount of attention from researchers in both academia and industry. In this paper, we develop a novel insider threat detection method based on survival analysis techniques. Specifically, we use the Cox proportional hazards model to provide more accurate prediction of insider threat events. Our model utilizes different groups of variables such as activity, logon data, and psychometric tests. The proposed framework has the ability to address the challenge of predicting insider threat instances as well as the approximate time of occurrence. This study enables us to perform proactive interventions in a prioritized manner where limited resources are available. This matters in two ways for the insider threat problem: it is important not only to classify correctly whether a person is going to become a threat, but also to estimate when this is going to happen. We evaluate our method on the CERT Insider Threat Test Dataset and show that the proposed Cox-based framework can predict insider threat events and timing with high accuracy and precision.
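To make the Cox-based ranking concrete, here is an added example (not the paper's code) that fits a Cox proportional hazards model h(t|x) = h0(t) exp(beta . x) by gradient ascent on the Breslow partial log-likelihood with a small ridge penalty, then scores employees by hazard and checks the ordering with a concordance index. The employee records, the two covariates (after-hours logons per week and a psychometric risk score), and all values are constructed for illustration and are not drawn from the CERT dataset.

```python
"""Cox proportional-hazards ranking of insider-threat risk on constructed data."""
import math

# Constructed sample: (days observed, event flag, after-hours logons/week,
# psychometric risk score). event=1 means an insider incident occurred on that
# day; event=0 means the employee was still benign when observation stopped
# (right-censored). Values are illustrative only, not CERT data.
EMPLOYEES = [
    (30, 1, 9, 8), (45, 1, 7, 9), (60, 1, 8, 6), (90, 1, 5, 7),
    (120, 1, 6, 4), (150, 0, 4, 5), (180, 1, 3, 6), (200, 0, 2, 3),
    (240, 0, 1, 2), (270, 0, 2, 4), (300, 0, 0, 1), (365, 0, 1, 3),
]

def standardize(rows):
    """Z-score each covariate so gradient ascent is well conditioned."""
    cols = list(zip(*[r[2:] for r in rows]))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((v - m) ** 2 for v in c) / len(c)) for c, m in zip(cols, means)]
    return [[(v - m) / s for v, m, s in zip(r[2:], means, stds)] for r in rows]

def fit_cox(rows, l2=0.1, lr=0.05, iters=500):
    """Maximise the ridge-penalised Breslow partial log-likelihood over beta.
    The baseline hazard h0(t) cancels out, so only beta is estimated."""
    X = standardize(rows)
    beta = [0.0] * len(X[0])
    for _ in range(iters):
        grad = [-l2 * b for b in beta]          # ridge term keeps beta bounded
        for i, (t_i, e_i, *_) in enumerate(rows):
            if not e_i:
                continue                        # censored rows add no event term
            risk = [j for j, r in enumerate(rows) if r[0] >= t_i]   # still at risk at t_i
            w = [math.exp(sum(b * x for b, x in zip(beta, X[j]))) for j in risk]
            tot = sum(w)
            for k in range(len(beta)):
                expect = sum(wj * X[j][k] for wj, j in zip(w, risk)) / tot
                grad[k] += X[i][k] - expect     # observed minus risk-set-weighted mean
        beta = [b + lr * g for b, g in zip(beta, grad)]
    return beta

def risk_scores(rows, beta):
    """Linear predictor beta . x; higher means higher hazard, i.e. earlier expected event."""
    return [sum(b * x for b, x in zip(beta, row)) for row in standardize(rows)]

def concordance(rows, scores):
    """C-index: fraction of comparable (event, later-time) pairs ranked correctly."""
    conc = total = 0.0
    for i, (t_i, e_i, *_) in enumerate(rows):
        if not e_i:
            continue
        for j, (t_j, *_) in enumerate(rows):
            if t_j > t_i:
                total += 1
                conc += 1.0 if scores[i] > scores[j] else 0.5 if scores[i] == scores[j] else 0.0
    return conc / total
```

Sorting employees by `risk_scores` gives the prioritised intervention list the abstract refers to; the C-index is the timing-aware accuracy measure that a plain classifier cannot provide.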
Acknowledgements
The authors acknowledge the support of COL Paul Goethals and the Insider Threat Research Center at the United States Military Academy in West Point, NY.
Ethics declarations
Conflict of interest
The authors declare that they have no conflict of interest.
Cite this article
Alhajjar, E., Bradley, T. Survival analysis for insider threat. Comput Math Organ Theory 28, 335–351 (2022). https://doi.org/10.1007/s10588-021-09341-0