Fine Grained Insider Risk Detection
Birkett Huber, Casper Neo, Keiran Sampson, Alex Kantchelian, Brett Ksobiech, Yanis Pavlidis

TL;DR
This paper introduces a novel graph-based method utilizing neural networks and contrastive learning to detect support agent actions that deviate from normal workflows, aiding auditors in identifying potential insider risks efficiently.
Contribution
It presents a new approach combining bipartite graph modeling, subgraph sampling, and advanced machine learning techniques for fine-grained insider risk detection in support environments.
Findings
High precision in identifying actions worth auditing
Effective use of contrastive learning with limited labels
Scalable analysis of millions of agent actions
Abstract
We present a method to detect departures from business-justified workflows among support agents. Our goal is to assist auditors in identifying agent actions that cannot be explained by the activity within their surrounding context, where normal activity patterns are established from historical data. We apply our method to help audit millions of actions of over three thousand support agents. We collect logs from the tools used by support agents and construct a bipartite graph of Actions and Entities representing all the actions of the agents, as well as background information about entities. From this graph, we sample subgraphs rooted on security-significant actions taken by the agents. Each subgraph captures the relevant context of the root action in terms of other actions, entities and their relationships. We then prioritize the rooted-subgraphs for auditor review using feed-forward…
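The graph construction and rooted-subgraph sampling that the abstract describes, as an added sketch that is not the paper's code and does not reproduce its scoring model. The log schema, node names, set of security-significant action types, hop limit and degree cap are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample records (not data from the paper): one row per agent action.
LOGS = [
    {"id": "a1", "type": "open_ticket", "entities": ["agent:kim", "ticket:T1", "account:A1"]},
    {"id": "a2", "type": "view_payment_info", "entities": ["agent:kim", "account:A1"]},
    {"id": "a3", "type": "view_payment_info", "entities": ["agent:kim", "account:A2"]},
    {"id": "a4", "type": "open_ticket", "entities": ["agent:lee", "ticket:T2", "account:A3"]},
]
SECURITY_SIGNIFICANT = {"view_payment_info"}  # assumed set of root action types


def build_bipartite(logs):
    """Adjacency map in which every edge joins one action node and one entity node."""
    adj = defaultdict(set)
    for rec in logs:
        action = "action:" + rec["id"]
        for entity in rec["entities"]:
            adj[action].add(entity)
            adj[entity].add(action)
    return adj


def rooted_subgraph(adj, root, hops=3, max_degree=2):
    """Breadth-first context of `root`, at most `hops` edges away.

    Entity nodes with more than `max_degree` neighbours (hubs such as a busy
    agent) stay in the subgraph but are not expanded, so they cannot pull in
    unrelated activity. Both limits are assumptions of this sketch.
    """
    seen = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        is_hub = not node.startswith("action:") and len(adj[node]) > max_degree
        if seen[node] == hops or is_hub:
            continue
        for nxt in adj[node]:
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return set(seen)


def contexts(logs):
    """Map each security-significant action to its rooted subgraph's node set."""
    adj = build_bipartite(logs)
    return {"action:" + r["id"]: rooted_subgraph(adj, "action:" + r["id"])
            for r in logs if r["type"] in SECURITY_SIGNIFICANT}
```

In the constructed data, the context of `a2` reaches ticket `T1` through the shared account, while the context of `a3` contains no ticket at all.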
Taxonomy
Topics: Industrial Vision Systems and Defect Detection
Methods: Contrastive Learning
