Insider threat detection based on user behavior modeling and anomaly detection algorithms

Junhong Kim, Minsik Park, Haedong Kim, Suhyoun Cho, Pilsung Kang

Research output: Contribution to journalArticle

Abstract

Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization's system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user's daily activity summary, e-mail contents topic distribution, and user's weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts' knowledge is provided.

Original language: English
Article number: 4018
Journal: Applied Sciences (Switzerland)
Volume: 9
Issue number: 19
DOIs: 10.3390/app9194018
Publication status: Published - 2019 Oct 1


Keywords

  • Anomaly detection
  • Behavioral model
  • E-mail network
  • Insider threat detection
  • Latent dirichlet allocation
  • Machine learning

ASJC Scopus subject areas

  • Materials Science(all)
  • Instrumentation
  • Engineering(all)
  • Process Chemistry and Technology
  • Computer Science Applications
  • Fluid Flow and Transfer Processes

Cite this

Insider threat detection based on user behavior modeling and anomaly detection algorithms. / Kim, Junhong; Park, Minsik; Kim, Haedong; Cho, Suhyoun; Kang, Pilsung.

In: Applied Sciences (Switzerland), Vol. 9, No. 19, 4018, 01.10.2019.

Kim, Junhong ; Park, Minsik ; Kim, Haedong ; Cho, Suhyoun ; Kang, Pilsung. / Insider threat detection based on user behavior modeling and anomaly detection algorithms. In: Applied Sciences (Switzerland). 2019 ; Vol. 9, No. 19.
@article{2d98af3edab3428687b4134ef022fe50,
title = "Insider threat detection based on user behavior modeling and anomaly detection algorithms",
abstract = "Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization's system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user's daily activity summary, e-mail contents topic distribution, and user's weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts' knowledge is provided.",
keywords = "Anomaly detection, Behavioral model, E-mail network, Insider threat detection, Latent dirichlet allocation, Machine learning",
author = "Junhong Kim and Minsik Park and Haedong Kim and Suhyoun Cho and Pilsung Kang",
year = "2019",
month = "10",
day = "1",
doi = "10.3390/app9194018",
language = "English",
volume = "9",
journal = "Applied Sciences (Switzerland)",
issn = "2076-3417",
publisher = "Multidisciplinary Digital Publishing Institute",
number = "19",
}

TY - JOUR

T1 - Insider threat detection based on user behavior modeling and anomaly detection algorithms

AU - Kim, Junhong

AU - Park, Minsik

AU - Kim, Haedong

AU - Cho, Suhyoun

AU - Kang, Pilsung

PY - 2019/10/1

Y1 - 2019/10/1

AB - Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization's system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user's daily activity summary, e-mail contents topic distribution, and user's weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts' knowledge is provided.

KW - Anomaly detection

KW - Behavioral model

KW - E-mail network

KW - Insider threat detection

KW - Latent dirichlet allocation

KW - Machine learning

UR - http://www.scopus.com/inward/record.url?scp=85073279165&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85073279165&partnerID=8YFLogxK

U2 - 10.3390/app9194018

DO - 10.3390/app9194018

M3 - Article

AN - SCOPUS:85073279165

VL - 9

JO - Applied Sciences (Switzerland)

JF - Applied Sciences (Switzerland)

SN - 2076-3417

IS - 19

M1 - 4018

ER -