Insider threats constitute a major cause of security breaches in organizations. They are employees or users of an organization who cause harm by performing malicious activity. Most of the existing methods to detect insider threats are based on machine and deep learning and have the following limitations: they use predefined rules or stored signatures and fail to detect new or unknown threats; they require explicit feature engineering, which results in more false positives; and they require a large amount of training data and are computationally expensive. In this paper, an improved user behavior-based insider threat detection method is proposed using a hybrid learning approach that overcomes the above limitations. It uses a bi-directional long short-term memory network for feature extraction, a feed-forward artificial neural network (using distance measurements) for feature selection, and a support vector machine for classification (normal user or malicious user). The genetic algorithm's fast global search strategy is used for the support vector machine's initial kernel selection. Finally, alerts are generated for each user based on their combined anomaly score. The proposed method is tested using the CMU-CERT r4.2 insider threat dataset, and its performance is evaluated using the following parameters: accuracy, precision, recall, F-measure, and area under the receiver operating characteristic curve (AUC-ROC). The results show a significant improvement over the existing methods.
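The final stage described above (combining each user's anomaly scores, raising per-user alerts, and evaluating with the listed metrics) is illustrated below. This is an added example, not code from the paper: the scores and labels are constructed, and combining a user's per-day scores by taking the maximum over the window is an assumption, not the paper's scheme.

```python
"""Per-user alerting on a combined anomaly score plus the evaluation metrics
named in the abstract (accuracy, precision, recall, F-measure, AUC-ROC).
Illustration only; the combination rule below is an assumption."""
from collections import defaultdict

# Constructed sample: (user, day, anomaly score) from a hypothetical detector,
# with ground truth labelling two users as malicious insiders.
SCORES = [
    ("u01", 1, 0.10), ("u01", 2, 0.15), ("u01", 3, 0.12),
    ("u02", 1, 0.20), ("u02", 2, 0.85), ("u02", 3, 0.90),
    ("u03", 1, 0.30), ("u03", 2, 0.25), ("u03", 3, 0.35),
    ("u04", 1, 0.05), ("u04", 2, 0.95), ("u04", 3, 0.10),
    ("u05", 1, 0.40), ("u05", 2, 0.45), ("u05", 3, 0.92),  # benign but noisy
]
TRUTH = {"u01": 0, "u02": 1, "u03": 0, "u04": 1, "u05": 0}

def combined_scores(rows):
    """Combine a user's per-day scores into one score (assumed: max over window)."""
    per_user = defaultdict(list)
    for user, _day, score in rows:
        per_user[user].append(score)
    return {u: max(v) for u, v in per_user.items()}

def alerts(scores, threshold):
    """Raise an alert (1) for every user whose combined score reaches the threshold."""
    return {u: int(s >= threshold) for u, s in scores.items()}

def metrics(pred, truth):
    """Accuracy, precision, recall and F-measure over the per-user alerts."""
    tp = sum(1 for u in truth if pred[u] and truth[u])
    fp = sum(1 for u in truth if pred[u] and not truth[u])
    fn = sum(1 for u in truth if not pred[u] and truth[u])
    tn = len(truth) - tp - fp - fn
    acc = (tp + tn) / len(truth)
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
    return {"accuracy": acc, "precision": prec, "recall": rec, "f_measure": f1}

def auc_roc(scores, truth):
    """Threshold-free AUC-ROC: probability a malicious user outranks a normal one."""
    pos = [scores[u] for u in truth if truth[u]]
    neg = [scores[u] for u in truth if not truth[u]]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

if __name__ == "__main__":
    combined = combined_scores(SCORES)
    print(metrics(alerts(combined, 0.8), TRUTH), auc_roc(combined, TRUTH))
```

A single noisy day pushes the benign user u05 over the threshold, which is why the example reports perfect recall but imperfect precision and an AUC below 1.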

Data availability
The dataset used in the study is public and referenced in the paper.
Cite this article
Singh, M., Mehtre, B.M., Sangeetha, S. et al. User Behaviour based Insider Threat Detection using a Hybrid Learning Approach. J Ambient Intell Human Comput 14, 4573–4593 (2023). https://doi.org/10.1007/s12652-023-04581-1