Generalized Insider Attack Detection Implementation using NetFlow Data
Yash Samtani, Jesse Elwell

TL;DR
This paper presents a novel approach for detecting insider attacks in commercial networks by combining unsupervised machine learning techniques on NetFlow data, aiming to improve detection accuracy and reduce false positives.
Contribution
The paper introduces a combined method using One-Class SVM and bi-clustering on NetFlow data for insider attack detection, with a prototype implementation and real-world validation.
Findings
Effective reduction of false positives in attack detection
Successful application on real-world NetFlow datasets
Promising results for practical insider attack detection
Abstract
Insider Attack Detection in commercial networks is a critical problem that does not have any good solutions at this current time. The problem is challenging due to the lack of visibility into live networks and a lack of a standard feature set to distinguish between different attacks. In this paper, we study an approach centered on using network data to identify attacks. Our work builds on unsupervised machine learning techniques such as One-Class SVM and bi-clustering as weak indicators of insider network attacks. We combine these techniques to limit the number of false positives to an acceptable level required for real-world deployments by using One-Class SVM to check for anomalies detected by the proposed Bi-clustering algorithm. We present a prototype implementation in Python and associated results for two different real-world representative data sets. We show that our approach is a…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Smart Grid Security and Resilience
Methods: Support Vector Machine
