Insider Threat Detection via Hierarchical Neural Temporal Point Processes
Shuhan Yuan, Panpan Zheng, Xintao Wu, Qinghua Li

TL;DR
This paper introduces a hierarchical neural temporal point process model that effectively combines activity types and timing information to improve insider threat detection, outperforming existing models that consider only one aspect.
Contribution
The paper presents a novel hierarchical neural temporal point process model that integrates activity types and timing data for enhanced insider threat detection.
Findings
Model outperforms existing approaches on two datasets.
Effectively captures nonlinear dependencies in activity sequences.
Utilizes a two-level structure for modeling activity times and types.
Abstract
Insiders usually cause significant losses to organizations and are hard to detect. Currently, various approaches have been proposed to achieve insider threat detection based on analyzing the audit data that record information of the employee's activity type and time. However, the existing approaches usually focus on modeling the users' activity types but do not consider the activity time information. In this paper, we propose a hierarchical neural temporal point process model by combining the temporal point processes and recurrent neural networks for insider threat detection. Our model is capable of capturing a general nonlinear dependency over the history of all activities by the two-level structure that effectively models activity times, activity types, session durations, and session intervals information. Experimental results on two datasets demonstrate that our model outperforms the…
Taxonomy
Topics: Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection · Risk and Safety Analysis
