An Insider Threat Detection Method Based on User Behavior Analysis
Insider threats have always been a significant hidden danger to information system security, and detecting them is a main concern of the organizations that operate those systems. Feature extraction performed before anomaly detection often loses part of the information, and detecting insider threats at a single time point often causes false positives. This paper therefore proposes a user behavior analysis model that aggregates a user's behavior over a period of time, characterizes the user's attributes comprehensively, and then detects internal attacks. First, user behavior characteristics are derived from the multi-domain features extracted from the audit log; the XGBoost algorithm is then trained on them. Experimental results on a user behavior dataset show that XGBoost can identify insider threats, reaching an F-measure of up to 99.96%, which is better than the SVM and random forest algorithms.
Keywords: Insider threat, User behavior, Machine learning
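To make the abstract's two points concrete (per-event detection produces false positives, while aggregating multi-domain audit events over a time window gives a vector a classifier can learn from), here is an added example that is not code from the paper. It folds constructed audit records from logon, device, file and HTTP domains into one count vector per user and day, then learns a one-level decision stump from labelled windows. The paper trains XGBoost on such vectors; the stump (the base learner that gradient boosting stacks) stands in here so the example runs with the standard library alone. The log lines, users, labels, working-hours boundary and feature names are all assumptions made for the example.

```python
"""
Added example, not code from the paper: aggregate per-event audit records from
several log domains into one behaviour vector per (user, day), then learn a
one-level decision stump from labelled windows. The paper trains XGBoost on
such vectors; the stump stands in so the example runs on the standard library.
All records, users and labels below are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: "timestamp,user,domain,action" (hypothetical data).
AUDIT_LOG = """\
2020-03-02T08:55:00,alice,logon,Logon
2020-03-02T09:10:00,alice,http,visit
2020-03-02T09:40:00,alice,file,open
2020-03-02T14:00:00,alice,file,open
2020-03-02T17:30:00,alice,logon,Logoff
2020-03-03T09:00:00,alice,logon,Logon
2020-03-03T10:00:00,alice,http,visit
2020-03-03T11:00:00,alice,file,open
2020-03-03T18:00:00,alice,logon,Logoff
2020-03-03T19:30:00,alice,logon,Logon
2020-03-03T19:45:00,alice,file,open
2020-03-03T21:00:00,alice,logon,Logoff
2020-03-02T08:30:00,bob,logon,Logon
2020-03-02T10:00:00,bob,device,Connect
2020-03-02T10:05:00,bob,file,copy
2020-03-02T10:20:00,bob,device,Disconnect
2020-03-02T17:00:00,bob,logon,Logoff
2020-03-03T22:50:00,bob,logon,Logon
2020-03-03T22:55:00,bob,device,Connect
2020-03-03T22:58:00,bob,file,copy
2020-03-03T23:01:00,bob,file,copy
2020-03-03T23:03:00,bob,file,copy
2020-03-03T23:05:00,bob,file,copy
2020-03-03T23:10:00,bob,device,Disconnect
2020-03-03T23:20:00,bob,logon,Logoff
""".splitlines()

# Constructed ground truth per (user, day) window; 1 = insider incident.
LABELS = {("bob", "2020-03-03"): 1}

# Assumed feature layout of the per-window behaviour vector.
FEATURES = ["logons", "after_hours_logons", "device_connects", "file_ops", "http_visits"]


def parse(line):
    ts, user, domain, action = line.split(",")
    return datetime.fromisoformat(ts), user, domain, action


def after_hours(ts):
    # Assumed working day 07:00-19:00; anything outside counts as after hours.
    return ts.hour < 7 or ts.hour >= 19


def event_level_alerts(log):
    """Single-time-point rule: flag each after-hours Logon event on its own."""
    return [(user, ts.isoformat()) for ts, user, domain, action in map(parse, log)
            if domain == "logon" and action == "Logon" and after_hours(ts)]


def aggregate(log):
    """Fold events from every domain into one count vector per (user, day)."""
    vectors = defaultdict(lambda: [0] * len(FEATURES))
    for ts, user, domain, action in map(parse, log):
        v = vectors[(user, ts.date().isoformat())]
        if domain == "logon" and action == "Logon":
            v[0] += 1
            v[1] += int(after_hours(ts))
        elif domain == "device" and action == "Connect":
            v[2] += 1
        elif domain == "file":
            v[3] += 1
        elif domain == "http":
            v[4] += 1
    return dict(vectors)


def predict(stump, vector):
    """A stump fires when one feature exceeds its learned threshold."""
    i, thr = stump
    return int(vector[i] > thr)


def train_stump(vectors, labels):
    """Choose the (feature, threshold) with the best training accuracy."""
    keys = sorted(vectors)
    best, best_acc = None, -1.0
    for i in range(len(FEATURES)):
        vals = sorted({vectors[k][i] for k in keys})
        for lo, hi in zip(vals, vals[1:]):          # candidate split midpoints
            thr = (lo + hi) / 2
            acc = sum(predict((i, thr), vectors[k]) == labels.get(k, 0)
                      for k in keys) / len(keys)
            if acc > best_acc:
                best, best_acc = (i, thr), acc
    return best


if __name__ == "__main__":
    print("event-level alerts:", event_level_alerts(AUDIT_LOG))
    vecs = aggregate(AUDIT_LOG)
    stump = train_stump(vecs, LABELS)
    print("learned rule:", FEATURES[stump[0]], ">", stump[1])
    for k in sorted(vecs):
        print(k, vecs[k], "->", predict(stump, vecs[k]))
```

Run stand-alone, the event-level rule flags alice's 19:30 logon (a late but otherwise ordinary working session) alongside bob's 22:50 logon, which is the false positive the abstract describes. The window-level vectors separate the two days cleanly, because bob's incident shows up as a combination of an after-hours logon, a removable-device connection and an unusual volume of file operations, and the stump learned on those vectors flags only bob's window. A real deployment would replace the stump with a boosted ensemble such as XGBoost and would add features per domain (distinct hosts, bytes transferred, sensitive paths), but the aggregation step is the same.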
The authors would like to thank the anonymous reviewers for their detailed reviews and constructive comments, which helped improve the quality of this paper. Supported by the Beijing Natural Science Foundation under Grant No. 4172006; the General Program of the Science and Technology Development Project of the Beijing Municipal Education Commission of China under Grant No. km201410005012; the Key Lab of Information Network Security, Ministry of Public Security; the Humanity and Social Science Youth Foundation of the Ministry of Education of China under Grant No. 13YJCZH065; the Open Research Fund of the Beijing Key Laboratory of Trusted Computing; and the Open Research Fund of the Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education.