Insider Threat Detection with Deep Neural Network

  • Fangfang Yuan
  • Yanan Cao
  • Yanmin Shang
  • Yanbing Liu
  • Jianlong Tan
  • Binxing Fang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10860)


Insider threat detection has attracted considerable attention from researchers and industry. Existing work has mainly focused on applying machine-learning techniques to detect insider threats. However, this work requires “feature engineering”, which is difficult and time-consuming. As is well known, deep learning can automatically learn powerful features. In this paper, we present a novel insider threat detection method with a Deep Neural Network (DNN) based on user behavior. Specifically, we use the LSTM-CNN framework to find a user’s anomalous behavior. First, similar to natural language modeling, we use Long Short-Term Memory (LSTM) to learn the language of user behavior through user actions and extract abstracted temporal features. Second, the extracted features are converted to fixed-size feature matrices, and the Convolutional Neural Network (CNN) uses these fixed-size feature matrices to detect insider threats. We conduct experiments on a public dataset of insider threats. Experimental results show that our method can successfully detect insider threats, and we obtained AUC = 0.9449 in the best case.


Keywords: Insider threat, Anomaly detection, Deep learning, Network security



This work was partly supported by the National Key R&D Program of China under Grant No. 2016YFB0800300, the Xinjiang Uygur Autonomous Region Science and Technology Project under Grant No. 2016A030007-4, and the National Natural Science Foundation of China under Grant No. 61602466.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Fangfang Yuan (1, 2, 3)
  • Yanan Cao (1, 3)
  • Yanmin Shang (1, 3)
  • Yanbing Liu (1, 3)
  • Jianlong Tan (1, 3)
  • Binxing Fang (4)

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
  3. National Engineering Laboratory for Information Security Technologies, Beijing, China
  4. Institute of Electronic and Information Engineering of UESTC in Guangdong, Dongguan, China
