Attention-Based LSTM for Insider Threat Detection

  • Fangfang Yuan
  • Yanmin Shang
  • Yanbing Liu (email author)
  • Yanan Cao
  • Jianlong Tan
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1116)


Insider threat is an important cyber security issue for businesses and organizations. Existing insider threat detection methods can be roughly divided into two categories: statistical-feature-based detection methods and action-sequence-based detection methods. The first kind of method aggregates all actions that a user has performed over one day and uses these aggregated features to detect insider threats. This coarse-grained analysis of user behavior may miss anomalous behavior that happens within that day. The second kind of method overcomes the coarse-grained problem and uses fine-grained detection to identify insider threats from individual user actions. However, the second kind of method treats all user operations as equally important, without highlighting the malicious user actions. To solve this problem, we present an attention-based Long Short-Term Memory (LSTM) model to detect insider threats. In our model, we apply the LSTM to capture the sequential information of the user action sequence and employ an attention layer that can learn which user actions contribute more to insider threat detection. Extensive studies are conducted on a public insider threat dataset. Our results demonstrate that the proposed model outperforms other deep learning models and can successfully identify insider threats.
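To make the architecture in the abstract concrete, the following added example (written for this page, not the authors' code and not trained on their dataset) runs a single-layer LSTM over a one-hot-encoded sequence of user actions, applies an additive attention layer that yields one softmax weight per action, pools the hidden states into a context vector and scores it with a logistic output unit. The action vocabulary, the seeded random weights and the example day of activity are all constructed assumptions; the weights are untrained, so the output is not a meaningful risk score. What the block shows is the data flow: why attention produces a per-action weight vector that an analyst can read back as "which actions in this day's sequence drove the alert", which is the explainability property a plain LSTM classifier lacks.

```python
import math
import random

# Constructed toy vocabulary of user actions (an assumption, not the paper's encoding).
ACTIONS = ["logon", "email", "http", "file", "device_connect", "logoff"]
ACTION_INDEX = {a: i for i, a in enumerate(ACTIONS)}


def one_hot(action):
    """Map an action name to a one-hot vector over the toy vocabulary."""
    v = [0.0] * len(ACTIONS)
    v[ACTION_INDEX[action]] = 1.0
    return v


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def matvec(m, v):
    return [sum(mi * vi for mi, vi in zip(row, v)) for row in m]


def rand_matrix(rows, cols, rng, scale=0.5):
    return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]


class AttentionLSTM:
    """LSTM + additive attention + logistic output, forward pass only.

    Weights come from a seeded RNG (untrained), so this demonstrates the
    computation, not a detector that has learned anything.
    """

    def __init__(self, input_dim, hidden_dim, seed=0):
        rng = random.Random(seed)
        self.h = hidden_dim
        # One input and one recurrent matrix per gate: i (input), f (forget), g (candidate), o (output).
        self.W = {g: rand_matrix(hidden_dim, input_dim, rng) for g in "ifgo"}
        self.U = {g: rand_matrix(hidden_dim, hidden_dim, rng) for g in "ifgo"}
        self.b = {g: [0.0] * hidden_dim for g in "ifgo"}
        # Additive attention: score_t = v . tanh(Wa h_t + ba)
        self.Wa = rand_matrix(hidden_dim, hidden_dim, rng)
        self.ba = [0.0] * hidden_dim
        self.v = [rng.uniform(-0.5, 0.5) for _ in range(hidden_dim)]
        # Logistic output layer applied to the attention context vector.
        self.wo = [rng.uniform(-0.5, 0.5) for _ in range(hidden_dim)]
        self.bo = 0.0

    def lstm_step(self, x, h, c):
        gates = {}
        for g in "ifgo":
            pre = [a + b + bias for a, b, bias in
                   zip(matvec(self.W[g], x), matvec(self.U[g], h), self.b[g])]
            gates[g] = [math.tanh(p) if g == "g" else sigmoid(p) for p in pre]
        c_new = [f * cc + i * gg for f, cc, i, gg in zip(gates["f"], c, gates["i"], gates["g"])]
        h_new = [o * math.tanh(cn) for o, cn in zip(gates["o"], c_new)]
        return h_new, c_new

    def attention(self, hs):
        """Return (weights, context): softmax over per-step scores, weighted sum of hidden states."""
        scores = []
        for h in hs:
            z = [math.tanh(a + b) for a, b in zip(matvec(self.Wa, h), self.ba)]
            scores.append(sum(vi * zi for vi, zi in zip(self.v, z)))
        m = max(scores)                      # subtract the max for a numerically stable softmax
        exps = [math.exp(s - m) for s in scores]
        total = sum(exps)
        weights = [e / total for e in exps]
        context = [sum(w * h[k] for w, h in zip(weights, hs)) for k in range(self.h)]
        return weights, context

    def forward(self, actions):
        """Return (threat probability, one attention weight per action)."""
        h = [0.0] * self.h
        c = [0.0] * self.h
        hs = []
        for a in actions:
            h, c = self.lstm_step(one_hot(a), h, c)
            hs.append(h)
        weights, context = self.attention(hs)
        logit = sum(w * x for w, x in zip(self.wo, context)) + self.bo
        return sigmoid(logit), weights


def explain(model, actions):
    """Pair each action with its attention weight, highest weight first (the analyst-facing view)."""
    score, weights = model.forward(actions)
    ranked = sorted(zip(actions, weights), key=lambda t: t[1], reverse=True)
    return score, ranked


if __name__ == "__main__":
    # Constructed example of one user's day; not drawn from any real dataset.
    day = ["logon", "http", "email", "device_connect", "file", "file", "logoff"]
    model = AttentionLSTM(len(ACTIONS), hidden_dim=8, seed=1)
    score, ranked = explain(model, day)
    print(f"score={score:.3f}")
    for action, w in ranked:
        print(f"  {action:15s} {w:.3f}")
```

In a trained model the `ranked` list is the part worth surfacing to an analyst: the prediction alone says only that the day is anomalous, whereas the attention weights point at the specific actions (for example a device connection followed by file access) that the model relied on, which is what makes the alert reviewable.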


Keywords: Insider threat detection · Recurrent Neural Network · Anomaly detection · Network security



This work was partly supported by the National Key Research and Development Program (Grant No. 2017YFC0820700), the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant No. XDC02030000, and the National Natural Science Foundation of China under Grant No. 61602466.



Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  • Fangfang Yuan (1, 2)
  • Yanmin Shang (1)
  • Yanbing Liu (1), email author
  • Yanan Cao (1)
  • Jianlong Tan (1)
  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
