Unsupervised User-Based Insider Threat Detection Using Bayesian Gaussian Mixture Models
Simon Bertrand, Nadia Tawbi, Josée Desharnais

TL;DR
This paper introduces an unsupervised user-based insider threat detection system utilizing Bayesian Gaussian Mixture Models and Word2Vec for feature extraction, achieving high accuracy and low false positives without extensive domain knowledge.
Contribution
The paper presents a novel unsupervised approach that does not require data balancing or training on only normal data, improving insider threat detection with minimal domain expertise.
Findings
Achieves 88% recall and 93% accuracy on the CERT dataset.
Operates without data balancing or exclusive training on normal instances.
Maintains a false positive rate of 6.9%.
Abstract
Insider threats are a growing concern for organizations due to the amount of damage that their members can inflict by combining their privileged access and domain knowledge. Nonetheless, the detection of such threats is challenging, precisely because of the ability of the authorized personnel to easily conduct malicious actions and because of the immense size and diversity of audit data produced by organizations in which the few malicious footprints are hidden. In this paper, we propose an unsupervised insider threat detection system based on audit data using Bayesian Gaussian Mixture Models. The proposed approach leverages a user-based model to optimize specific behaviors modelization and an automatic feature extraction system based on Word2Vec for ease of use in a real-life scenario. The solution distinguishes itself by not requiring data balancing nor to be trained only on normal…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Advanced Malware Detection Techniques
