Insider threat detection based on operational attention and data augmentation

Bibliographic Details
Main Authors: Guanyun FENG, Cai FU, Jianqiang LYU, Lansheng HAN
Format: Article
Language: English
Published: POSTS&TELECOM PRESS Co., LTD 2023-06-01
Series:网络与信息安全学报
Subjects: Insider threat detection; hard attention; data augmentation; neural network
Online Access:http://www.cjnis.com.cn/thesisDetails#10.11959/j.issn.2096-109x.2023042
author Guanyun FENG
Cai FU
Jianqiang LYU
Lansheng HAN
collection DOAJ
description In recent years, there has been an increased focus on the issue of insider threats. Insider threats are a major cause of security breaches in organizations and pose an ongoing challenge. By analyzing the existing insider threat data, it was identified that the biggest challenge in insider threat detection lies in data imbalance and the limited number of labeled threat samples. In the Cert R4.2 dataset, which is a classic dataset for insider threat detection, there are over 3.22 million log records, but only 7,423 are marked as malicious operation logs. Furthermore, most of the operation types in the logs are not related to malicious behavior, and only two types of operations are highly correlated with malicious behavior such as leaking company data, which creates interference in the detection process. To address this challenge, a data processing framework was designed based on operational attention and data augmentation. The framework first performs anomaly evaluation on operations, and operations with low anomaly scores are then masked. This makes the model focus better on operations related to malicious behavior, which can be considered a hard attention mechanism over operations. Next, the characteristics of the insider threat dataset were analyzed, and three rules were designed for data augmentation on malicious samples to increase the diversity of samples and alleviate the substantial imbalance between positive and negative samples. Supervised insider threat detection was treated as a time-series classification problem. Residual connections were added to the LSTM-FCN model to achieve multi-granularity detection, and indicators such as precision rate and recall rate were used to evaluate the model. The results indicate superior performance over existing baseline models. Moreover, the data processing framework was applied to various classic models, such as ITD-Bert and TextCNN, and the results show that the methods effectively improve the performance of insider threat detection models.
id doaj-art-9fd211b7fc6b46ad82be7168c78fcf27
institution Kabale University
issn 2096-109X
topic Insider threat detection
hard attention
data augmentation
neural network