DANTE: Predicting Insider Threat using LSTM on system logs
Nidhi Rastogi, Qicheng Ma

TL;DR
This paper introduces DANTE, a novel LSTM-based model that analyzes system logs as natural language sequences to detect insider threats with high accuracy, distinguishing malicious from benign behaviors.
Contribution
The paper presents a new RNN approach that models system logs as language sequences for insider threat detection, achieving 99% accuracy.
Findings
Achieved 99% prediction accuracy on insider threat detection.
Effectively classified threats into five categories from the CERT dataset.
Demonstrated the viability of language modeling techniques for security analytics.
Abstract
Insider threat is one of the most pernicious threat vectors to information and communication technologies (ICT) across the world due to the elevated level of trust and access that an insider is afforded. This type of threat can stem from both malicious users with a motive as well as negligent users who inadvertently reveal details about trade secrets, company information, or even access information to malignant players. In this paper, we propose a novel approach that uses system logs to detect insider behavior using a special recurrent neural network (RNN) model. Ground truth is established using DANTE and used as the baseline for identifying anomalous behavior. For this, system logs are modeled as a natural language sequence and patterns are extracted from these sequences. We create workflows of sequences of actions that follow a natural language logic and control flow. These flows are…
Taxonomy
Topics: Network Security and Intrusion Detection · Software System Performance and Reliability · Information and Cyber Security
