
MUEBA: A Multi-model System for Insider Threat Detection

Conference paper
Machine Learning for Cyber Security (ML4CS 2022)
Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13655)

Abstract

In the era of digital communications, cyber security and data protection are a top priority, and more and more organizations are taking insider threats seriously. Traditional rule-based anomaly detection generates a large number of alerts and is difficult to adapt to particular scenarios. UEBA (User and Entity Behavior Analysis), which correlates entities, events, and users and combines all-round contextual analysis through statistical and machine learning methods, has become an emerging organizational solution. In this paper, we propose MUEBA, a multi-model UEBA system for spatiotemporal analysis that combines individual historical analysis of each user with group analysis to detect insider threats. The individual historical analysis module uses an attention-based LSTM to improve the model’s sensitivity to abnormal operations and help security analysts respond to threat events more efficiently. In the group analysis module, we extend the iForest algorithm in attribute selection and iTree construction, which increases the algorithm’s stability. Finally, a comprehensive decision over these two aspects yields a full-time user and entity behavior analysis system. Experimental evaluations on the public CERT-4.2 dataset show that our system outperforms either single model in both stability and precision.
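As an added illustration of the two-module architecture the abstract describes (not the paper's own code and not a reproduction of its models), the following Python sketch scores constructed CERT-style daily activity vectors with an individual-history module and a group-level isolation forest, then fuses the two into one ranking. The attention-based LSTM is replaced here by a per-user z-score baseline, and the paper's extended iForest by a from-scratch isolation forest whose attribute selection skips features that no longer vary inside a node; the feature names, users, activity counts and the injected anomaly are all made up for the example.

```python
import math
import random
from dataclasses import dataclass

FEATURES = ("logon_hour", "usb_connects", "files_copied", "emails_sent")

@dataclass(frozen=True)
class UserDay:
    user: str
    day: int
    x: tuple  # daily activity counts in FEATURES order

def make_dataset(seed: int = 7) -> list:
    """Constructed sample: 10 users x 20 normal days, plus one abnormal day
    for user u03 (night logon, mass USB use and file copying, few emails)."""
    rng = random.Random(seed)
    data = []
    for u in range(10):
        base_hour = rng.randint(8, 10)
        for d in range(20):
            data.append(UserDay(f"u{u:02d}", d, (
                base_hour + rng.randint(-1, 1), rng.randint(0, 2),
                rng.randint(1, 8), rng.randint(5, 30))))
    data.append(UserDay("u03", 20, (3, 25, 120, 2)))  # injected anomaly
    return data

def individual_scores(data: list) -> dict:
    """Individual-history module (stand-in for the attention LSTM): mean |z|
    of a day's features against the same user's other days. The std is
    floored at 1.0 so a near-constant history cannot blow up a small change."""
    by_user = {}
    for r in data:
        by_user.setdefault(r.user, []).append(r)
    scores = {}
    for r in data:
        others = [o.x for o in by_user[r.user] if o is not r]
        zs = []
        for i in range(len(FEATURES)):
            col = [o[i] for o in others] or [r.x[i]]
            mu = sum(col) / len(col)
            sd = math.sqrt(sum((v - mu) ** 2 for v in col) / len(col))
            zs.append(abs(r.x[i] - mu) / max(sd, 1.0))
        scores[(r.user, r.day)] = sum(zs) / len(zs)
    return scores

def _c(n: int) -> float:
    """iForest path-length normaliser: expected unsuccessful BST search depth."""
    return 0.0 if n <= 1 else 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

class IsolationForest:
    """Group module: from-scratch iForest. Candidate attributes are limited to
    features that still vary in the node, so no split is wasted on a constant
    column (a simple stabilisation, not the paper's exact extension)."""

    def __init__(self, n_trees: int = 100, sample_size: int = 256, seed: int = 1):
        self.n_trees, self.sample_size = n_trees, sample_size
        self.rng, self.trees, self.psi = random.Random(seed), [], 0

    def _grow(self, pts: list, depth: int, max_depth: int):
        if depth >= max_depth or len(pts) <= 1:
            return ("leaf", len(pts))
        cands = [i for i in range(len(FEATURES))
                 if min(p[i] for p in pts) < max(p[i] for p in pts)]
        if not cands:
            return ("leaf", len(pts))
        i = self.rng.choice(cands)
        split = self.rng.uniform(min(p[i] for p in pts), max(p[i] for p in pts))
        return ("node", i, split,
                self._grow([p for p in pts if p[i] < split], depth + 1, max_depth),
                self._grow([p for p in pts if p[i] >= split], depth + 1, max_depth))

    def fit(self, points: list) -> "IsolationForest":
        self.psi = min(self.sample_size, len(points))
        max_depth = math.ceil(math.log2(self.psi))
        self.trees = [self._grow(self.rng.sample(points, self.psi), 0, max_depth)
                      for _ in range(self.n_trees)]
        return self

    def _path(self, tree, x: tuple, depth: int = 0) -> float:
        if tree[0] == "leaf":
            return depth + _c(tree[1])  # unresolved leaf: add expected remaining depth
        _, i, split, left, right = tree
        return self._path(left if x[i] < split else right, x, depth + 1)

    def score(self, x: tuple) -> float:
        """Anomaly score in (0, 1): close to 1 means isolated in very few splits."""
        avg = sum(self._path(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / _c(self.psi))

def rank_insider_threats(data: list, w_individual: float = 0.5, seed: int = 1) -> list:
    """Decision module: min-max normalise each module's scores to [0, 1], take a
    weighted average, and return (combined, user, day) sorted high to low."""
    ind = individual_scores(data)
    forest = IsolationForest(seed=seed).fit([r.x for r in data])
    grp = {(r.user, r.day): forest.score(r.x) for r in data}

    def minmax(d: dict) -> dict:
        lo, hi = min(d.values()), max(d.values())
        return {k: (v - lo) / (hi - lo) if hi > lo else 0.0 for k, v in d.items()}

    ind_n, grp_n = minmax(ind), minmax(grp)
    return sorted(((w_individual * ind_n[k] + (1 - w_individual) * grp_n[k], k[0], k[1])
                   for k in ind), reverse=True)
```

Running `rank_insider_threats(make_dataset())` puts u03's day 20 at the top of the list: the group module isolates it in one or two splits because its USB and file-copy counts lie far outside every other user's range, and the individual module flags it because it is far from u03's own 20-day baseline. The fusion matters for the cases this example does not contain: a user whose every day looks odd relative to the group (a sysadmin) scores high only on the group side, while a slow drift within a user's own history scores high only on the individual side, so neither module alone is a reliable ranking.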



Corresponding author: Jing Liu


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Liu, J., Zhang, J., Du, C., Wang, D. (2023). MUEBA: A Multi-model System for Insider Threat Detection. In: Xu, Y., Yan, H., Teng, H., Cai, J., Li, J. (eds) Machine Learning for Cyber Security. ML4CS 2022. Lecture Notes in Computer Science, vol 13655. Springer, Cham. https://doi.org/10.1007/978-3-031-20096-0_23


  • DOI: https://doi.org/10.1007/978-3-031-20096-0_23


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-20095-3

  • Online ISBN: 978-3-031-20096-0
