User-level malicious behavior analysis model based on the NMF-GMM algorithm and ensemble strategy

  • Original Paper
  • Published in: Nonlinear Dynamics

Abstract

Accurate detection and analysis of insider threats is important in the security supervision sector. In this article we propose the concept of an insider threat kill chain, which captures the psychological and behavioral change process of a malicious user. On that basis we establish a user-level malicious behavior analysis model built on a non-negative matrix factorization-Gaussian mixture model (NMF-GMM). The analysis is carried out from three perspectives: typical malicious behavior characteristics, overall user behavior, and temporal individual behavior change. A new classification method groups users by targeting malicious users that exhibit typical malicious features. The Z-score method is used to build an evaluation model of suspicious user behavior and to determine the threshold of normal behavior. Furthermore, a temporal individual behavior change model is established: malicious users are located by the Pettitt test, and the time of their first malicious behavior is given. Experimental results show that the proposed user grouping method and ensemble strategy are able to detect malicious users.
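The two later steps of the abstract, a Z-score screen over per-user behaviour counts followed by a Pettitt change-point test that dates the first abnormal day of each flagged user, as an added example written for this page; it is not the authors' implementation and not code from the paper. It skips the NMF-GMM grouping step and scores all users as one group. The three feature columns, the Z threshold of 2.0, the user IDs and every count in the two tables are constructed assumptions.

```python
from math import exp
from statistics import mean, pstdev

# Constructed per-user feature counts over the observation window, one row
# per user: [after-hours logons, removable-device connections, external
# e-mails with attachments].  The feature definitions, user IDs and counts
# are assumptions made for this example, not the paper's data.
USER_FEATURES = {
    "U01": [3, 1, 2], "U02": [2, 0, 1], "U03": [4, 2, 3], "U04": [1, 0, 0],
    "U05": [2, 1, 1], "U06": [3, 1, 2], "U07": [1, 0, 0], "U08": [2, 1, 1],
    "U09": [3, 0, 2],
    "U10": [12, 9, 11],  # constructed malicious user
}

# Constructed daily counts of the first feature for two users over 20 days.
# U10 switches regime on day 13; U01 is stationary.
DAILY_ACTIVITY = {
    "U10": [0, 1, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 3, 4, 3, 5, 4, 3, 4, 5],
    "U01": [1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0],
}


def zscore_users(features, threshold=2.0):
    """Z-score every feature of every user against the whole population and
    return {user: max z} for users whose largest z exceeds `threshold`.
    `threshold` plays the role of the normal-behaviour boundary; 2.0 is an
    assumed value.  Constant columns contribute z = 0."""
    columns = list(zip(*features.values()))
    mu = [mean(col) for col in columns]
    sd = [pstdev(col) for col in columns]
    flagged = {}
    for user, row in features.items():
        zs = [(x - m) / s if s > 0 else 0.0 for x, m, s in zip(row, mu, sd)]
        score = max(zs)
        if score > threshold:
            flagged[user] = score
    return flagged


def pettitt_test(series):
    """Pettitt's non-parametric change-point test.
    U_t = sum_{i<=t} sum_{j>t} sign(x_i - x_j) for t = 0..n-2, computed with
    the recursion U_t = U_{t-1} + sum_j sign(x_t - x_j).  K = max|U_t| marks
    the change point; the asymptotic p-value is 2*exp(-6K^2 / (n^3 + n^2)).
    Returns (0-based index of the first observation after the change, K, p)."""
    n = len(series)
    if n < 3:
        raise ValueError("need at least three observations")
    u, best_t, best_k = 0, 0, -1
    for t in range(n - 1):
        u += sum((series[t] > x) - (series[t] < x) for x in series)
        if abs(u) > best_k:
            best_t, best_k = t, abs(u)
    p = min(1.0, 2.0 * exp(-6.0 * best_k * best_k / (n ** 3 + n ** 2)))
    return best_t + 1, best_k, p


def locate_first_malicious_day(features, daily, alpha=0.05):
    """Ensemble of the two steps: screen users by Z-score, then date the
    first abnormal day of each flagged user with the Pettitt test.  A user
    whose daily series shows no significant change keeps first_day = None."""
    report = {}
    for user, score in zscore_users(features).items():
        start, k, p = pettitt_test(daily[user])
        report[user] = {
            "zscore": round(score, 2),
            "first_day": start + 1 if p < alpha else None,  # 1-based day
            "pettitt_k": k,
            "p_value": p,
        }
    return report


if __name__ == "__main__":
    for user, r in locate_first_malicious_day(USER_FEATURES, DAILY_ACTIVITY).items():
        print(user, r)
```

Two caveats a practitioner should keep in mind. A population Z-score only separates users whose counts are extreme relative to their peers, so it should be run inside each NMF-GMM group rather than over the whole organisation, otherwise a busy system administrator and a data-exfiltrating clerk land in the same tail. The Pettitt test locates a single shift in level and its p-value is asymptotic; on the stationary series above it returns p = 1.0, on the shifted series K = 96 with p well below 0.01, but a user who ramps up gradually or oscillates will not produce a clean maximum of |U_t|.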

Data availability

The data comes from Carnegie Mellon University’s Insider Threat Data Center (https://www.sei.cmu.edu). The experimental data can be provided by the corresponding author on reasonable request.

Abbreviations

NMF: Non-negative Matrix Factorization
GMM: Gaussian Mixture Model
NMF-GMM: Non-negative Matrix Factorization-Gaussian Mixture Model
CERT: Computer Emergency Response Team
IF: Isolation Forest
OCSVM: One-Class Support Vector Machine
R: Recall
P: Precision
F1: F1-Score
FPR: False Positive Rate
LOF: Local Outlier Factor
CH: Calinski-Harabasz Index
EM: Expectation-Maximization
HMM: Hidden Markov Model

Acknowledgements

This work was supported in part by the Scientific and Technological Innovation 2030—Major Project of New Generation Artificial Intelligence (2020AAA0109300), the Bashkir State Medical University Strategic Academic Leadership Program (PRIORITY-2030).

Funding

The authors have not disclosed any funding.

Author information

Corresponding author

Correspondence to Xiu Kan.

Ethics declarations

Conflict of interest

The authors declare that they have no conflict of interest concerning the publication of this manuscript.

About this article

Cite this article

Kan, X., Fan, Y., Zheng, J. et al. User-level malicious behavior analysis model based on the NMF-GMM algorithm and ensemble strategy. Nonlinear Dyn 111, 21391–21408 (2023). https://doi.org/10.1007/s11071-023-08954-1