
Attention-Based LSTM for Insider Threat Detection

Conference paper
Applications and Techniques in Information Security (ATIS 2019)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1116)

Abstract

Insider threat is an important cyber security issue for businesses and organizations. Existing insider threat detection methods can be roughly divided into two categories: statistical-feature-based methods and action-sequence-based methods. The first kind aggregates all actions a user has performed over one day and uses these aggregated features to find insider threats. Such coarse-grained analysis of user behavior may miss anomalous behavior that happens within that day. The second kind overcomes this coarse-grained limitation and identifies insider threats at fine granularity from the sequence of user actions. However, it treats all user operations as equally important, without highlighting the malicious ones. To solve this problem, we present an attention-based Long Short-Term Memory (LSTM) model for insider threat detection. In our model, the LSTM captures the sequential information in a user's action sequence, and an attention layer learns which user actions contribute more to the detection decision. Extensive experiments are conducted on a public insider threat dataset. The results demonstrate that the proposed model outperforms other deep learning models and can successfully identify insider threats.
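The architecture the abstract describes, as an added illustration that is not the paper's code: a minimal pure-Python forward pass of embedding, LSTM, additive attention and a sigmoid classifier over a one-day action sequence, next to the per-day count vector the abstract calls coarse-grained. The action vocabulary, the layer widths, the additive attention form (v^T tanh(W h_t)) and the two constructed sequences are assumptions; the weights are seeded at random and never trained, so the scores themselves mean nothing. What the block shows is the mechanics: the attention weights are a softmax over the actions of the day, so they sum to one and assign each action a share of the decision, and two days with identical action counts produce the same aggregate feature vector but different sequence-level outputs.

```python
import math
import random
from collections import Counter

# Constructed action vocabulary (assumption: the page does not give the
# paper's encoding; these mirror the CERT-style event types the work uses).
VOCAB = ["logon", "logoff", "http", "email", "file",
         "device_connect", "device_disconnect"]
EMB_DIM = 4   # embedding width (assumed, kept small for readability)
HID_DIM = 6   # LSTM hidden width (assumed)


def _matrix(rows, cols, rng):
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]


def _matvec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def _sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


def daily_counts(actions):
    """Coarse-grained statistical-feature view: per-day action counts.
    Two days with the same multiset of actions are indistinguishable here,
    whatever order those actions happened in."""
    return Counter(actions)


class AttentionLSTM:
    """Forward pass of embedding -> LSTM -> additive attention -> sigmoid.
    Weights are seeded at random (no training in this example); the point
    is the per-action attention weights the model exposes."""

    def __init__(self, seed=0):
        rng = random.Random(seed)
        self.emb = _matrix(len(VOCAB), EMB_DIM, rng)
        # one weight matrix per gate, applied to the concatenation [x_t ; h_{t-1}]
        self.W = {g: _matrix(HID_DIM, EMB_DIM + HID_DIM, rng) for g in "ifog"}
        self.b = {g: [0.0] * HID_DIM for g in "ifog"}
        self.b["f"] = [1.0] * HID_DIM          # usual forget-gate bias init
        self.att_W = _matrix(HID_DIM, HID_DIM, rng)
        self.att_v = [rng.uniform(-0.5, 0.5) for _ in range(HID_DIM)]
        self.out_w = [rng.uniform(-0.5, 0.5) for _ in range(HID_DIM)]
        self.out_b = 0.0

    def _gate(self, name, z, act):
        return [act(a + b) for a, b in zip(_matvec(self.W[name], z), self.b[name])]

    def hidden_states(self, actions):
        """Run the LSTM over the action sequence and return h_1 .. h_T."""
        h, c, states = [0.0] * HID_DIM, [0.0] * HID_DIM, []
        for a in actions:
            z = self.emb[VOCAB.index(a)] + h      # [x_t ; h_{t-1}]
            i = self._gate("i", z, _sigmoid)
            f = self._gate("f", z, _sigmoid)
            o = self._gate("o", z, _sigmoid)
            g = self._gate("g", z, math.tanh)
            c = [fj * cj + ij * gj for fj, cj, ij, gj in zip(f, c, i, g)]
            h = [oj * math.tanh(cj) for oj, cj in zip(o, c)]
            states.append(h)
        return states

    def attention(self, states):
        """Additive attention: e_t = v^T tanh(W h_t), alpha = softmax(e),
        context = sum_t alpha_t h_t.  alpha_t is the weight of action t."""
        energies = []
        for h in states:
            u = [math.tanh(x) for x in _matvec(self.att_W, h)]
            energies.append(sum(a * b for a, b in zip(self.att_v, u)))
        m = max(energies)
        exps = [math.exp(e - m) for e in energies]   # numerically stable softmax
        total = sum(exps)
        alphas = [e / total for e in exps]
        context = [sum(al * h[j] for al, h in zip(alphas, states))
                   for j in range(HID_DIM)]
        return alphas, context

    def score(self, actions):
        """Return (P(insider threat), per-action attention weights)."""
        alphas, context = self.attention(self.hidden_states(actions))
        logit = sum(w * x for w, x in zip(self.out_w, context)) + self.out_b
        return _sigmoid(logit), alphas


def rank_actions(model, actions):
    """Pair each action with its attention weight, highest first."""
    _, alphas = model.score(actions)
    return sorted(zip(actions, alphas), key=lambda t: t[1], reverse=True)


# Constructed one-day sequences for one user: same actions, different order.
DAY_A = ["logon", "http", "email", "file", "device_connect",
         "file", "device_disconnect", "logoff"]
DAY_B = ["logon", "device_connect", "file", "file", "device_disconnect",
         "http", "email", "logoff"]

if __name__ == "__main__":
    model = AttentionLSTM(seed=7)
    print("aggregate features identical:", daily_counts(DAY_A) == daily_counts(DAY_B))
    for day in (DAY_A, DAY_B):
        p, _ = model.score(day)
        print(f"score={p:.4f}", rank_actions(model, day)[:3])
```

In a trained model the `alphas` returned by `score` are what an analyst would inspect to see which actions in the day drove the alert; with the random weights here the ranking is arbitrary. Training, the handling of the heavy class imbalance in insider-threat data, and the evaluation against other deep models are the parts of the paper this sketch leaves out.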



Acknowledgement

This work was partly supported by the National Key Research and Development Program (Grant No. 2017YFC0820700), the Strategic Priority Research Program of the Chinese Academy of Sciences under Grant No. XDC02030000, and the National Natural Science Foundation of China under Grant No. 61602466.

Corresponding author

Correspondence to Yanbing Liu.


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

Cite this paper

Yuan, F., Shang, Y., Liu, Y., Cao, Y., Tan, J. (2019). Attention-Based LSTM for Insider Threat Detection. In: Shankar Sriram, V., Subramaniyaswamy, V., Sasikaladevi, N., Zhang, L., Batten, L., Li, G. (eds) Applications and Techniques in Information Security. ATIS 2019. Communications in Computer and Information Science, vol 1116. Springer, Singapore. https://doi.org/10.1007/978-981-15-0871-4_15

  • DOI: https://doi.org/10.1007/978-981-15-0871-4_15

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-15-0870-7

  • Online ISBN: 978-981-15-0871-4

  • eBook Packages: Computer Science (R0)
