Multi-Granularity User Anomalous Behavior Detection

Bibliographic Details
Main Authors: Wenying Feng, Yu Cao, Yilu Chen, Ye Wang, Ning Hu, Yan Jia, Zhaoquan Gu
Format: Article
Language: English
Published: MDPI AG 2024-12-01
Series: Applied Sciences
Subjects: insider threat detection; UEBA; anomaly detection; random forest
Online Access: https://www.mdpi.com/2076-3417/15/1/128
collection DOAJ
description Insider threats pose significant risks to organizational security, often going undetected due to their familiarity with the systems. Detection of insider threats faces challenges of imbalanced data distributions and difficulties in fine-grained detection. Specifically, anomalous users and anomalous behaviors take up a very small fraction of all insider behavior data, making precise detection of anomalous users challenging. Moreover, not all behaviors of anomalous users are anomalous, so it is difficult to detect their behaviors by standardizing with single rules or models. To address these challenges, this paper presents a novel approach for insider threat detection, leveraging machine learning techniques to conduct multi-granularity anomaly detection. We introduce the Multi-Granularity User Anomalous Behavior Detection (MG-UABD) system, which combines coarse-grained and fine-grained anomaly detection to improve the accuracy and effectiveness of detecting anomalous behaviors. The coarse-grained module screens all of the user activities to identify potential anomalies, while the fine-grained module focuses on specific anomalous users to refine the detection process. Besides, MG-UABD employs a combination of oversampling and undersampling techniques to address the imbalance in the datasets, ensuring robust model performance. Through extensive experimentation on the commonly used dataset CERT R4.2, we demonstrate that the MG-UABD system achieves superior detection rate and precision. Compared to the suboptimal model, the accuracy has increased by 3.1% and the detection rate has increased by 4.1%. Our findings suggest that a multi-granularity approach for anomaly detection, combined with tailored sampling strategies, is highly effective in addressing insider threats.
id doaj-art-6f94fc4833474a9d81a8f88edad5d09e
institution Kabale University
issn 2076-3417
Published in: Applied Sciences, volume 15, issue 1, article 128, 2024-12-01, MDPI AG, ISSN 2076-3417
DOI: 10.3390/app15010128
Affiliations:
Wenying Feng, Ye Wang, Ning Hu, Yan Jia, Zhaoquan Gu: Department of New Networks, Pengcheng Laboratory, Shenzhen 518055, China
Yu Cao, Yilu Chen: School of Computer Science and Technology, Harbin Institute of Technology (Shenzhen), Shenzhen 518055, China
topic insider threat detection
UEBA
anomaly detection
random forest