Insider Threat Detection Based on User Behaviour Analysis

  • Malvika Singh
  • B. M. Mehtre
  • S. Sangeetha
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1241)


Insider threat detection is a major challenge for security in organizations. Insiders are the employees or users of an organization who pose a threat to it by performing malicious activity. Existing methods to detect insider threats are based on psycho-physiological factors, statistical analysis, machine learning and deep learning methods. These methods rely on predefined rules or stored signatures and fail to detect new or unknown attacks. To overcome some of the limitations of the existing methods, we propose a behaviour-based insider threat detection method. The behaviour is characterized by user activity (such as logon-logoff, device connect-disconnect, file-access, http-url-requests, email activity). Isometric Feature Mapping (ISOMAP) is used for feature extraction and the Emperor Penguin Algorithm (EPA) is used for optimal feature selection. The features include time-based features (the time at which a particular activity is performed) and frequency-based features (the number of times a particular activity is performed). Finally, a Multi-fuzzy-classifier with three inference engines, F1, F2 and F3, is used to classify users as normal or malicious. The performance of the proposed method is tested using the CMU-CERT insider threat dataset. The proposed method outperforms existing methods on the following metrics: accuracy, precision, recall, f-measure, and AUC-ROC. The insider threat detection results show a significant improvement over existing methods.
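The time-based and frequency-based features described in the abstract can be illustrated with a short added example; this is not the authors' code, and it covers only the step of turning raw activity events into per-user feature vectors (not ISOMAP, EPA or the fuzzy classifier). The event layout, activity labels, sample records and the 08:00-18:00 working-hours window are assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not taken from the CMU-CERT dataset):
# (timestamp, user, activity)
EVENTS = [
    ("2020-01-06 08:55:00", "u1", "logon"),
    ("2020-01-06 09:10:00", "u1", "http"),
    ("2020-01-06 11:30:00", "u1", "email"),
    ("2020-01-06 17:40:00", "u1", "logoff"),
    ("2020-01-06 22:05:00", "u2", "logon"),
    ("2020-01-06 22:10:00", "u2", "device_connect"),
    ("2020-01-06 22:12:00", "u2", "file"),
    ("2020-01-06 22:20:00", "u2", "file"),
    ("2020-01-06 22:31:00", "u2", "device_disconnect"),
    ("2020-01-06 23:02:00", "u2", "logoff"),
]
ACTIVITIES = ["logon", "logoff", "device_connect", "device_disconnect",
              "file", "http", "email"]
WORK_START, WORK_END = 8, 18  # assumed working hours, not from the paper

def build_features(events):
    """Return {user: {feature_name: value}} with frequency and time features."""
    counts = defaultdict(Counter)   # frequency: how often each activity occurs
    hours = defaultdict(list)       # time: when each activity occurs
    for ts, user, activity in events:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        counts[user][activity] += 1
        hours[user].append(t.hour + t.minute / 60)
    features = {}
    for user, h in hours.items():
        after = sum(1 for x in h if not WORK_START <= x < WORK_END)
        row = {f"n_{a}": counts[user][a] for a in ACTIVITIES}
        row["first_hour"] = min(h)
        row["last_hour"] = max(h)
        row["after_hours_ratio"] = after / len(h)
        features[user] = row
    return features

def to_matrix(features):
    """Flatten to (users, columns, rows), the input a feature-extraction step expects."""
    users = sorted(features)
    cols = sorted(next(iter(features.values())))
    return users, cols, [[features[u][c] for c in cols] for u in users]

if __name__ == "__main__":
    for user, row in build_features(EVENTS).items():
        print(user, row)
```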


Insider threat detection; User behaviour analysis; Isometric Feature Mapping (ISOMAP); Time based features; Frequency based features; Emperor Penguin Algorithm (EPA); Multi-fuzzy-classifier



Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  1. Centre of Excellence in Cyber Security, Institute for Development and Research in Banking Technology (Established by Reserve Bank of India), Hyderabad, India
  2. Department of Computer Applications, National Institute of Technology, Tiruchirappalli, India
