An Insider Threat Detection Method Based on User Behavior Analysis

  • Wei Jiang
  • Yuan Tian
  • Weixin Liu
  • Wenmao Liu
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 538)


Insider threats have always been a major hidden danger to information system security, and their detection is a central concern for the organizations that run such systems. Feature extraction performed before anomaly detection often discards part of the available information, and detecting insider threats at a single point in time often produces false positives. This paper therefore proposes a user behavior analysis model that aggregates user behavior over a period of time, characterizes user attributes comprehensively, and then detects internal attacks. First, user behavior characteristics are derived from the multi-domain features extracted from the audit log; the XGBoost algorithm is then trained on them. Experimental results on a user behavior dataset show that XGBoost can identify insider threats, with an F-measure of up to 99.96%, which is better than SVM and random forest.
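The abstract's core idea is that per-event (single time point) detection is noisy, and that aggregating a user's audit-log events from several domains (logon, device, file, http) into one feature vector per time window gives a classifier such as XGBoost a more complete picture. The following is an added example, not the paper's code or dataset: it parses a constructed audit log, aggregates it into per-user, per-window count vectors, scores each window against that user's own baseline, and lays the vectors out as the matrix a gradient-boosting classifier would consume. The log format, the feature names, the after-hours boundary and the z-score threshold are all assumptions made for illustration.

```python
"""Window-based aggregation of multi-domain audit-log events into user
behaviour feature vectors, with a simple per-user baseline score.
Added example with a constructed log; not the paper's code or data."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import math

# Constructed sample audit log: timestamp,user,domain,action.
# alice is normal on 03-01..03-03 and copies files to a device late on 03-04.
SAMPLE_LOG = """\
2018-03-01T08:02:00,alice,logon,logon
2018-03-01T09:15:00,alice,http,visit
2018-03-01T17:30:00,alice,logon,logoff
2018-03-02T08:05:00,alice,logon,logon
2018-03-02T10:00:00,alice,file,open
2018-03-02T17:40:00,alice,logon,logoff
2018-03-03T08:00:00,alice,logon,logon
2018-03-03T11:00:00,alice,http,visit
2018-03-03T17:35:00,alice,logon,logoff
2018-03-04T23:10:00,alice,logon,logon
2018-03-04T23:12:00,alice,device,connect
2018-03-04T23:13:00,alice,file,copy
2018-03-04T23:14:00,alice,file,copy
2018-03-04T23:15:00,alice,file,copy
2018-03-04T23:30:00,alice,device,disconnect
2018-03-04T23:31:00,alice,logon,logoff
2018-03-01T08:30:00,bob,logon,logon
2018-03-01T17:00:00,bob,logon,logoff
2018-03-02T08:30:00,bob,logon,logon
2018-03-02T17:00:00,bob,logon,logoff
2018-03-03T08:30:00,bob,logon,logon
2018-03-03T17:00:00,bob,logon,logoff
"""

# Assumed working-hours boundary: logons from 20:00 to 07:00 count as after hours.
AFTER_HOURS_START, AFTER_HOURS_END = 20, 7


def parse_log(text):
    """Parse 'timestamp,user,domain,action' lines into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, domain, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "domain": domain, "action": action})
    return events


def is_after_hours(ts):
    return ts.hour >= AFTER_HOURS_START or ts.hour < AFTER_HOURS_END


def aggregate(events, window_days=1):
    """Count each user's domain:action events inside fixed windows of
    window_days, starting at the earliest date in the log.
    Returns {(user, window_start_iso_date): Counter}."""
    start = min(e["ts"] for e in events).date()
    features = defaultdict(Counter)
    for e in events:
        idx = (e["ts"].date() - start).days // window_days
        window_start = (start + timedelta(days=idx * window_days)).isoformat()
        key = (e["user"], window_start)
        features[key][f'{e["domain"]}:{e["action"]}'] += 1
        if e["domain"] == "logon" and e["action"] == "logon" and is_after_hours(e["ts"]):
            features[key]["after_hours_logon"] += 1
    return dict(features)


def score_user_windows(features, user):
    """Score each of a user's windows as the sum of positive z-scores of its
    feature counts against the mean/std over that user's own windows."""
    keys = [k for k in features if k[0] == user]
    names = sorted({n for k in keys for n in features[k]})
    scores = {}
    for k in keys:
        total = 0.0
        for n in names:
            vals = [features[j][n] for j in keys]
            mean = sum(vals) / len(vals)
            std = math.sqrt(sum((v - mean) ** 2 for v in vals) / len(vals))
            if std > 0:
                total += max(0.0, (features[k][n] - mean) / std)
        scores[k[1]] = total
    return scores


def flag_anomalous_windows(features, user, threshold):
    """Return the window start dates whose score reaches the threshold."""
    scores = score_user_windows(features, user)
    return sorted(w for w, s in scores.items() if s >= threshold)


def feature_matrix(features):
    """Order the aggregated windows into a dense matrix, i.e. the input a
    supervised classifier such as XGBoost would be trained on."""
    names = sorted({n for c in features.values() for n in c})
    keys = sorted(features)
    rows = [[features[k][n] for n in names] for k in keys]
    return keys, names, rows


if __name__ == "__main__":
    feats = aggregate(parse_log(SAMPLE_LOG), window_days=1)
    for user in ("alice", "bob"):
        print(user, flag_anomalous_windows(feats, user, threshold=3.0))
```

With daily windows, alice's 03-04 window scores well above the others because the device, file-copy and after-hours logon counts all rise at once, whereas no single event in that window would stand out on its own; bob's uniform windows score zero. Changing `window_days` to 2 merges 03-03 and 03-04 into one vector, which is the aggregation trade-off the paper describes: longer windows smooth single-point noise but delay detection. In a supervised setup the rows from `feature_matrix` would be labelled per window and handed to the classifier.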


Keywords: Insider threat, User behavior, Machine learning



The authors would like to thank the anonymous reviewers for their detailed reviews and constructive comments, which helped improve the quality of this paper. Supported by Beijing Natural Science Foundation under Grant No. 4172006; General Program of Science and Technology Development Project of Beijing Municipal Education Commission of China under Grant No. km201410005012; the Key Lab of Information Network Security, Ministry of Public Security; Humanity and Social Science Youth Foundation of Ministry of Education of China under Grant No. 13YJCZH065; Open Research Fund of Beijing Key Laboratory of Trusted Computing; and Open Research Fund of Key Laboratory of Trustworthy Distributed Computing and Service (BUPT), Ministry of Education.



Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  1. Beijing University of Technology, Beijing, China
  2. Chinese Academy of Cyberspace Studies, Beijing, China
  3. NSFOCUS Information Technology, Beijing, China
