TY - JOUR
T1 - Insider threat detection based on user behavior modeling and anomaly detection algorithms
AU - Kim, Junhong
AU - Park, Minsik
AU - Kim, Haedong
AU - Cho, Suhyoun
AU - Kang, Pilsung
N1 - Funding Information:
This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. NRF-2019R1F1A1060338) and Korea Electric Power Corporation (Grant number: R18XA05).
PY - 2019/10/1
Y1 - 2019/10/1
N2 - Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than that of external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization's systems, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but these are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: a user's daily activity summary, the topic distribution of e-mail contents, and a user's weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain-expert knowledge is provided.
AB - Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than that of external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization's systems, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but these are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: a user's daily activity summary, the topic distribution of e-mail contents, and a user's weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain-expert knowledge is provided.
KW - Anomaly detection
KW - Behavioral model
KW - E-mail network
KW - Insider threat detection
KW - Latent Dirichlet allocation
KW - Machine learning
UR - http://www.scopus.com/inward/record.url?scp=85073279165&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85073279165&partnerID=8YFLogxK
U2 - 10.3390/app9194018
DO - 10.3390/app9194018
M3 - Article
AN - SCOPUS:85073279165
VL - 9
JO - Applied Sciences (Switzerland)
JF - Applied Sciences (Switzerland)
SN - 2076-3417
IS - 19
M1 - 4018
ER -