Insider threat detection for specific threat scenarios

Bibliographic Details
Main Authors: Tian Tian, Chen Zhang, Bo Jiang, Huamin Feng, Zhigang Lu
Format: Article
Language: English
Published: SpringerOpen 2025-03-01
Series: Cybersecurity
Online Access: https://doi.org/10.1186/s42400-024-00321-w
Description
Summary: Insider threats pose significant challenges to network security due to their destructive and covert nature, often resulting in substantial losses for enterprises. Traditional methods mainly analyze user behavior patterns or convert behaviors into time sequences for further analysis. However, existing detection methods primarily focus on identifying abnormal users or behaviors, lacking the capability to pinpoint specific threats. Additionally, these methods struggle to accurately identify long-distance dependencies in behavior sequences, frequently increasing false positives. To address these issues, we introduce a scenario-oriented insider threat detection model. This model targets three specific threat scenarios (privilege abuse, identity theft, and data leakage) by analyzing user behavior patterns, extracting detailed behavioral characteristics, and constructing behavior sequences. Firstly, this paper serializes user behavior daily and vectorizes it using one-hot encoding. Then, it introduces contextual characteristic information and reconstructs the background of abnormal behavior through behavior vectorization, providing a comprehensive description of user behavior characteristics. This approach addresses the issue of behavior isolation, thereby improving the accuracy and robustness of anomaly detection. Subsequently, a time series analysis model based on a multi-head attention mechanism is employed to analyze long-distance dependencies in behavior sequences. The multi-head attention mechanism simultaneously attends to multiple positions in the behavior sequence, capturing potential correlations between behaviors and user behavior patterns. This mechanism can analyze local information and obtain long-distance dependencies, providing depth feature representation for anomaly detection. Ultimately, we achieve the goal of classifying abnormal behavior sequences.
We conduct comprehensive tests on the CERT dataset, demonstrating that our method outperforms traditional deep learning approaches (LSTM, GNN, and GCN) in detecting abnormal sequences. Compared to the best results among the baseline methods, it shows an improvement in accuracy of approximately 2% for privilege abuse, 5% for identity theft, and 2% for data leakage.
ISSN: 2523-3246