Attention-Based LSTM for Insider Threat Detection
Insider threat is an important cyber security issue for businesses and organizations. Existing insider threat detection methods can be roughly divided into two categories: detection methods based on statistical features and detection methods based on action sequences. The first kind aggregates all actions a user has performed over one day and uses these aggregated features to detect insider threat. Such coarse-grained analysis of user behavior may miss anomalous behavior that happens within that day. The second kind overcomes the coarse-grained problem and uses fine-grained detection to identify insider threat from individual user actions. However, it treats all user operations as equally important, without highlighting malicious user actions. To solve this problem, we present an attention-based Long Short-Term Memory (LSTM) model to detect insider threat. In our model, the LSTM captures the sequential information of the user action sequence, and an attention layer learns which user actions contribute more to insider threat detection. Extensive experiments are conducted on a public insider threat dataset. Our results demonstrate that the proposed model outperforms other deep learning models and can successfully identify insider threat.
Keywords: Insider threat detection; Recurrent Neural Network; Anomaly detection; Network security
This work was partly supported by the National Key Research and Development Program (Grant No. 2017YFC0820700), the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant No. XDC02030000, and the National Natural Science Foundation of China under Grant No. 61602466.
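The following is an added example, not the paper's own code, showing the shape of the computation the abstract describes: an LSTM reads one user's action sequence step by step, an additive attention layer assigns a weight to every hidden state, and a classifier consumes the attention-weighted context vector. It is pure Python with no dependencies. The action vocabulary, hidden size, and all weights are constructed (randomly initialised, not trained), so the returned probability is illustrative only; what the example makes concrete is the per-action attention distribution, which is the quantity an analyst would inspect to see which actions in a flagged sequence the model leaned on.

```python
"""Forward pass of an attention-based LSTM over a user action sequence.

Added illustration (not the paper's code). Weights are seeded random values,
i.e. constructed, so outputs are not a trained model's verdict.
"""
import math
import random

# Constructed vocabulary of user action types (hypothetical, not from the paper).
ACTIONS = ["logon", "logoff", "device_connect", "device_disconnect",
           "file_copy", "http", "email"]
ACTION_INDEX = {a: i for i, a in enumerate(ACTIONS)}
HIDDEN = 8  # LSTM hidden size (constructed)


def _matrix(rows, cols, rng, scale=0.3):
    return [[rng.uniform(-scale, scale) for _ in range(cols)] for _ in range(rows)]


def _matvec(m, v):
    return [sum(mi * vi for mi, vi in zip(row, v)) for row in m]


def _sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def _softmax(xs):
    mx = max(xs)  # subtract the max for numerical stability
    exps = [math.exp(x - mx) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]


class AttentionLSTM:
    """One LSTM cell + additive attention + sigmoid output (constructed weights)."""

    def __init__(self, seed=0):
        rng = random.Random(seed)
        n_in = len(ACTIONS)
        # Four gates: i (input), f (forget), o (output), c (candidate cell state).
        self.W = {g: _matrix(HIDDEN, n_in, rng) for g in "ifoc"}
        self.U = {g: _matrix(HIDDEN, HIDDEN, rng) for g in "ifoc"}
        self.b = {g: [0.0] * HIDDEN for g in "ifoc"}
        self.b["f"] = [1.0] * HIDDEN  # common forget-gate bias initialisation
        # Additive attention: score_t = v . tanh(Wa h_t)
        self.Wa = _matrix(HIDDEN, HIDDEN, rng)
        self.v = [rng.uniform(-0.3, 0.3) for _ in range(HIDDEN)]
        # Output layer applied to the attention context vector.
        self.wo = [rng.uniform(-0.3, 0.3) for _ in range(HIDDEN)]
        self.bo = 0.0

    def _lstm_states(self, seq):
        """Return the list of hidden states h_1..h_T, one per action."""
        h = [0.0] * HIDDEN
        c = [0.0] * HIDDEN
        states = []
        for action in seq:
            x = [0.0] * len(ACTIONS)
            x[ACTION_INDEX[action]] = 1.0  # one-hot encoding of the action
            gates = {}
            for g in "ifoc":
                pre = [wx + uh + bias for wx, uh, bias in
                       zip(_matvec(self.W[g], x), _matvec(self.U[g], h), self.b[g])]
                gates[g] = [math.tanh(p) if g == "c" else _sigmoid(p) for p in pre]
            c = [f * c_prev + i * cand
                 for f, c_prev, i, cand in zip(gates["f"], c, gates["i"], gates["c"])]
            h = [o * math.tanh(ck) for o, ck in zip(gates["o"], c)]
            states.append(h)
        return states

    def forward(self, seq):
        """Return (threat_probability, attention_weights) for one action sequence."""
        states = self._lstm_states(seq)
        scores = [sum(vk * math.tanh(sk) for vk, sk in zip(self.v, _matvec(self.Wa, h)))
                  for h in states]
        alphas = _softmax(scores)  # one weight per action, summing to 1
        context = [sum(a * h[k] for a, h in zip(alphas, states)) for k in range(HIDDEN)]
        logit = sum(w * ck for w, ck in zip(self.wo, context)) + self.bo
        return _sigmoid(logit), alphas


def rank_actions(model, seq):
    """Pair each action with its attention weight, highest weight first (analyst view)."""
    _, alphas = model.forward(seq)
    return sorted(zip(seq, alphas), key=lambda p: p[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample day for one user (hypothetical sequence).
    day = ["logon", "http", "device_connect", "file_copy", "device_disconnect", "logoff"]
    model = AttentionLSTM(seed=1)
    prob, weights = model.forward(day)
    print("threat probability:", round(prob, 4))
    for action, w in rank_actions(model, day):
        print(f"{action:18s} attention={w:.3f}")
```

Because the weights are untrained, the ranking printed here says nothing about real insider behaviour; in a deployed version the same `forward` call would run with learned parameters, and the attention vector is what gives the detection a per-action explanation rather than a single score for the whole day.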