Advanced insider threat detection model to apply periodic work atmosphere

Junhyoung Oh, Tae Ho Kim, Kyung Ho Lee

Research output: Contribution to journal › Article

Abstract

We developed an insider threat detection model to be used by organizations that repeat tasks at regular intervals. The model identifies the best combination of different feature selection algorithms, unsupervised learning algorithms, and standard scores. We derive a model specifically optimized for the organization by evaluating each combination in terms of accuracy, AUC (Area Under the Curve), and TPR (True Positive Rate). In order to validate this model, a four-year log was applied to the system handling sensitive information from public institutions. In the research target system, the user log was analyzed monthly based on the fact that the business process is processed at a cycle of one year, and the roles are determined for each person in charge. In order to classify the behavior of a user as abnormal, the standard scores of each organization were calculated and classified as abnormal when they exceeded certain thresholds. Using this method, we proposed an optimized model for the organization and verified it.

Original language: English
Pages (from-to): 1722-1737
Number of pages: 16
Journal: KSII Transactions on Internet and Information Systems
Volume: 13
Issue number: 3
DOI: 10.3837/tiis.2019.03.035
Publication status: Published - 2019 Mar 31

Fingerprint

Unsupervised learning
Learning algorithms
Feature extraction
Industry

Keywords

  • Insider threat detection
  • Machine learning
  • Privacy behavior
  • Security
  • Unsupervised learning

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications

Cite this

Advanced insider threat detection model to apply periodic work atmosphere. / Oh, Junhyoung; Kim, Tae Ho; Lee, Kyung Ho.

In: KSII Transactions on Internet and Information Systems, Vol. 13, No. 3, 31.03.2019, p. 1722-1737.

@article{a7fc931a7bd242c9b92251af9dbaf455,
title = "Advanced insider threat detection model to apply periodic work atmosphere",
abstract = "We developed an insider threat detection model to be used by organizations that repeat tasks at regular intervals. The model identifies the best combination of different feature selection algorithms, unsupervised learning algorithms, and standard scores. We derive a model specifically optimized for the organization by evaluating each combination in terms of accuracy, AUC (Area Under the Curve), and TPR (True Positive Rate). In order to validate this model, a four-year log was applied to the system handling sensitive information from public institutions. In the research target system, the user log was analyzed monthly based on the fact that the business process is processed at a cycle of one year, and the roles are determined for each person in charge. In order to classify the behavior of a user as abnormal, the standard scores of each organization were calculated and classified as abnormal when they exceeded certain thresholds. Using this method, we proposed an optimized model for the organization and verified it.",
keywords = "Insider threat detection, Machine learning, Privacy behavior, Security, Unsupervised learning",
author = "Junhyoung Oh and Kim, {Tae Ho} and Lee, {Kyung Ho}",
year = "2019",
month = "3",
day = "31",
doi = "10.3837/tiis.2019.03.035",
language = "English",
volume = "13",
pages = "1722--1737",
journal = "KSII Transactions on Internet and Information Systems",
issn = "1976-7277",
publisher = "Korea Society of Internet Information",
number = "3",

}

TY - JOUR

T1 - Advanced insider threat detection model to apply periodic work atmosphere

AU - Oh, Junhyoung

AU - Kim, Tae Ho

AU - Lee, Kyung Ho

PY - 2019/3/31

Y1 - 2019/3/31

N2 - We developed an insider threat detection model to be used by organizations that repeat tasks at regular intervals. The model identifies the best combination of different feature selection algorithms, unsupervised learning algorithms, and standard scores. We derive a model specifically optimized for the organization by evaluating each combination in terms of accuracy, AUC (Area Under the Curve), and TPR (True Positive Rate). In order to validate this model, a four-year log was applied to the system handling sensitive information from public institutions. In the research target system, the user log was analyzed monthly based on the fact that the business process is processed at a cycle of one year, and the roles are determined for each person in charge. In order to classify the behavior of a user as abnormal, the standard scores of each organization were calculated and classified as abnormal when they exceeded certain thresholds. Using this method, we proposed an optimized model for the organization and verified it.

AB - We developed an insider threat detection model to be used by organizations that repeat tasks at regular intervals. The model identifies the best combination of different feature selection algorithms, unsupervised learning algorithms, and standard scores. We derive a model specifically optimized for the organization by evaluating each combination in terms of accuracy, AUC (Area Under the Curve), and TPR (True Positive Rate). In order to validate this model, a four-year log was applied to the system handling sensitive information from public institutions. In the research target system, the user log was analyzed monthly based on the fact that the business process is processed at a cycle of one year, and the roles are determined for each person in charge. In order to classify the behavior of a user as abnormal, the standard scores of each organization were calculated and classified as abnormal when they exceeded certain thresholds. Using this method, we proposed an optimized model for the organization and verified it.

KW - Insider threat detection

KW - Machine learning

KW - Privacy behavior

KW - Security

KW - Unsupervised learning

UR - http://www.scopus.com/inward/record.url?scp=85065568630&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85065568630&partnerID=8YFLogxK

U2 - 10.3837/tiis.2019.03.035

DO - 10.3837/tiis.2019.03.035

M3 - Article

AN - SCOPUS:85065568630

VL - 13

SP - 1722

EP - 1737

JO - KSII Transactions on Internet and Information Systems

JF - KSII Transactions on Internet and Information Systems

SN - 1976-7277

IS - 3

ER -