Image-Based Feature Representation for Insider Threat Classification

TL;DR

This paper introduces an innovative image-based approach to insider threat detection by transforming user resource usage patterns into images and applying image classification models, resulting in improved detection accuracy.

Contribution

The novel contribution is representing user behavior as images from audit data and applying advanced image classification models for insider threat detection.

Findings

Improved accuracy over existing methods

Higher recall and precision in threat classification

Effective use of image models like ResNet, VGG, MobileNet

Abstract

Insiders are the trusted entities in the organization, but poses threat to the with access to sensitive information network and resources. The insider threat detection is a well studied problem in security analytics. Identifying the features from data sources and using them with the right data analytics algorithms makes various kinds of threat analysis possible. The insider threat analysis is mainly done using the frequency based attributes extracted from the raw data available from data sources. In this paper, we propose an image-based feature representation of the daily resource usage pattern of users in the organization. The features extracted from the audit files of the organization are represented as gray scale images. Hence, these images are used to represent the resource access patterns and thereby the behavior of users. Classification models are applied to the representative images to detect anomalous behavior of insiders. The images are classified to malicious and non-malicious. The effectiveness of the proposed representation is evaluated using the CMU CERT data V4.2, and state-of-art image classification models like Mobilenet, VGG and ResNet. The experimental results showed improved accuracy. The comparison with existing works show a performance improvement in terms of high recall and precision values.