Deep Learning and Dempster-Shafer Theory Based Insider Threat Detection
Zhihong Tian 1, Wei Shi 2, Zhiyuan Tan 3, Jing Qiu 1, Yanbin Sun 1, Feng Jiang 4, Yan Liu 5
Accepted: 23 September 2020. © Springer Science+Business Media, LLC, part of Springer Nature 2020
Abstract
Organizations' own personnel now have a greater ability than ever before to misuse their access to critical organizational assets. Insider threat detection, a key component in identifying rare anomalies in context, is a growing concern for many organizations. Existing perimeter security mechanisms are proving to be ineffective against insider threats. As a prospective filter for human analysts, a new deep learning based insider threat detection method that uses the Dempster-Shafer theory is proposed to handle both accidental and intentional insider threats via an organization's channels of communication in real time. The long short-term memory (LSTM) architecture together with a multi-head attention mechanism is applied in this work to detect anomalous network behavior patterns. Furthermore, belief is updated with Dempster's conditional rule and used to fuse evidence to achieve enhanced prediction. The CERT Insider Threat Dataset v6.2 is used to train the behavior model. Through performance evaluation, our proposed method is proven to be effective as an insider threat detection technique.
Keywords: Deep learning, Insider threat, Network security, Recurrent neural networks
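The evidence-fusion step the abstract describes, as an added example that is not code from the paper: Dempster's rule of combination over a three-hypothesis frame (normal, accidental threat, intentional threat; constructed labels) applied to two constructed mass functions, with Dempster's conditional rule shown as the special case of combining with evidence that is certain. The source names, masses and the three-way frame are assumptions made for illustration.

```python
from itertools import product

# Frame of discernment (constructed labels for this example):
# N = normal behaviour, A = accidental insider threat, I = intentional insider threat.
FRAME = frozenset({"N", "A", "I"})

# Constructed sample evidence. M_LSTM stands in for a sequence model that only
# separates normal from anomalous behaviour, so it can support {A, I} but cannot
# tell accidental from intentional; M_INTENT stands in for a second source that
# speaks to deliberateness. Mass on FRAME is uncommitted (ignorance).
M_LSTM = {frozenset("N"): 0.2, frozenset("AI"): 0.6, FRAME: 0.2}
M_INTENT = {frozenset("I"): 0.5, frozenset("NA"): 0.3, FRAME: 0.2}

def dempster_combine(m1, m2):
    """Dempster's rule of combination.

    m12(X) = sum over B & C == X of m1(B) * m2(C) / (1 - K), where K is the
    mass that lands on the empty set, i.e. the conflict between the sources.
    """
    combined, conflict = {}, 0.0
    for (b, mb), (c, mc) in product(m1.items(), m2.items()):
        x = b & c
        if x:
            combined[x] = combined.get(x, 0.0) + mb * mc
        else:
            conflict += mb * mc
    if conflict >= 1.0:
        raise ValueError("sources are in total conflict; cannot combine")
    return {x: v / (1.0 - conflict) for x, v in combined.items()}, conflict

def condition(m, event):
    """Dempster's conditional rule: update m given that `event` is certain.
    It is the combination of m with a mass function that puts all its mass
    on `event`; mass lying outside the event is discarded as conflict."""
    return dempster_combine(m, {frozenset(event): 1.0})[0]

def belief(m, a):
    """Bel(A): total mass of focal sets contained in A (lower bound on A)."""
    return sum(v for b, v in m.items() if b <= frozenset(a))

def plausibility(m, a):
    """Pl(A): total mass of focal sets intersecting A (upper bound on A)."""
    return sum(v for b, v in m.items() if b & frozenset(a))

def fuse_example():
    """Fuse the two constructed sources; returns (fused mass function, conflict K)."""
    return dempster_combine(M_LSTM, M_INTENT)

if __name__ == "__main__":
    m12, k = fuse_example()
    print(f"conflict K = {k:.3f}")
    for focal, v in sorted(m12.items(), key=lambda kv: -kv[1]):
        print(f"  m({''.join(sorted(focal))}) = {v:.3f}")
    print(f"Bel(threat) = {belief(m12, 'AI'):.3f}, Pl(threat) = {plausibility(m12, 'AI'):.3f}")
    print("conditioned on 'threat':", {''.join(sorted(f)): round(v, 3) for f, v in condition(m12, "AI").items()})
```

Note that after conditioning the fused result on "threat" the mass that the intent source placed on {N, A} moves entirely to {A}, which is the belief update the abstract refers to.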
1 Introduction
Threats posed by insiders, such as the employees of an organization, are among the greatest threats to information security. In just the last decade, over 120 cases of malicious insider crime (espionage) involving classified national security information were identified by the CERT Insider Threat Center (ITC) [1–4]. The latest case comes as the NSA has worked to reform security, especially regarding insider threats, after the Edward Snowden disclosures. An insider threat is generally defined as a current or former employee, contractor, or other business partner who has or has had authorized access to an organization's network, system, or data and intentionally misused that access to negatively affect the confidentiality, integrity, or availability of the organization's information or information systems [5, 6]. Insider threats are not new. In May 2000, a Walt Disney CEO accidentally disclosed the company's quarterly earnings to a reporter via email prior to a public announcement. Since information security has become very important in most organizations, there have been adversaries, enemies, and competitors trying to gain an advantage [7, 8]. To address the many problems arising from insider threats, recent research in cyber security has cast its focus on how to store, transmit,
* Corresponding authors: Jing Qiu, Yanbin Sun
Yan Liu
1 Cyberspace Institute of Advanced Technology, Guangzhou University, Guangzhou 510006, China
Zhihong Tian
2 School of Informati