Funding: Supported by the National Natural Science Foundation of China (No. 62203390) and the Science and Technology Project of China Tobacco Zhejiang Industrial Co., Ltd (No. ZJZY2022E004).
Abstract: In the tobacco industry, insider employee attacks are a thorny problem that is difficult to detect. To solve this issue, this paper proposes an insider threat detection method based on heterogeneous graph embedding. First, the interrelationships between logs are fully considered, and log entries are converted into heterogeneous graphs based on these relationships. Second, heterogeneous graph embedding is adopted so that each log entry is represented as a low-dimensional feature vector. Then, normal logs and malicious logs are separated into different clusters by a clustering algorithm to identify the malicious logs. Finally, the effectiveness and superiority of the method are verified through experiments on the CERT dataset. The experimental results show that this method performs better than several baseline methods.
Funding: This work was supported by the Research Program through the National Research Foundation of Korea, NRF-2022R1F1A1073375.
Abstract: Unlike external attacks, insider threats arise from legitimate users who belong to the organization. Depending on their motives, these individuals may pose a threat of hostile behavior. For insider detection, many intrusion detection systems learn and prevent known scenarios, but because malicious behavior has patterns similar to normal behavior, in practice these systems can be evaded. Furthermore, because insider threats share a feature space similar to that of normal behavior, identifying them through anomaly detection has limitations. This study proposes an improved anomaly detection methodology for insider threats in cybersecurity in which a discrete wavelet transformation technique is applied to classify normal vs. malicious users. The discrete wavelet transformation technique readily discovers new patterns or decomposes synthesized data, making it possible to distinguish between shared characteristics. To verify the efficacy of the proposed methodology, experiments were conducted in which normal users and malicious users were classified based on insider threat scenarios provided in Carnegie Mellon University's Computer Emergency Response Team (CERT) dataset. The experimental results indicate that the proposed methodology with discrete wavelet transformation reduced the false-positive rate by 82% to 98% compared to the case with no wavelet applied. Thus, the proposed methodology has high potential for application to similar feature spaces.
Funding: This work was financially supported by "the National Key R&D Program of China" (No. 2018YFB0803602) and the exploration and practice on the education mode for engineering students based on technology, literature and art interdisciplinary integration with the Internet+ background (No. 022150118004/001).
Abstract: In the information era, the core business and confidential information of enterprises and organizations is stored in information systems. However, certain malicious internal network users remain hidden inside the organization; these users intentionally or unintentionally misuse the privileges granted by the organization to obtain sensitive company information. Existing approaches to insider threat detection mostly focus on monitoring, detecting, and preventing malicious behavior generated by users within an organization's system, while ignoring the impact of imbalanced ground-truth insider threat data on security. To detect insider threats more effectively, a data processing tool was developed to process the detected user activity into information-use events, and a Data Adjustment (DA) strategy was formulated to adjust the weights of the minority and majority samples. Then, an efficient ensemble strategy was utilized, applying the extreme gradient boosting (XGBoost) model combined with the DA strategy to detect anomalous behavior. The CERT insider threat dataset, a real-world dataset with artificially injected insider threat events, was used to evaluate our approach. The results demonstrated that the proposed approach can effectively detect insider threats, with an accuracy rate of 99.51% and an average recall rate of 98.16%. Compared with other classifiers, the detection performance is improved by 8.76%.