Research Article

Developing Novel Deep Learning Models to Detect Insider Threats and Comparing the Models from Different Perspectives

Year 2024, Volume: 17 Issue: 1, 31 - 43, 31.01.2024
https://doi.org/10.17671/gazibtd.1386734

Abstract

Cybersecurity has become an increasingly vital concern for institutions, organizations, and governments. Many studies address the prevention of external attacks, but far fewer address the detection of malicious insider actions. Given the damage that insider attacks inflict on corporate reputation and finances, the scarcity of work in this area is a significant gap. In this study, several deep learning models built from fully connected layers, convolutional neural networks (CNN) and long short-term memory (LSTM) were developed for user and entity behavior analysis (UEBA). The hyperparameters of the models were optimized with Bayesian optimization. Experiments were performed on version 4.2 of the CERT (Computer Emergency Response Team) Insider Threat Test Dataset. Two types of features, personal information and numerical features, were extracted from users' daily activities. The dataset was partitioned either per user or per role, and the experiments showed that user-based models outperform role-based models. In addition, the LSTM-based models were more accurate than the others. Accuracy, detection rate, F1-score, false discovery rate and negative predictive value were used as metrics so that the models could be compared fairly with state-of-the-art models. On these metrics our model scored higher than the state-of-the-art models, and the improvements were statistically significant under a two-tailed Z test for two population proportions. The study is expected to contribute significantly to the literature, since the deep learning approaches developed here have not previously been applied to insider threat detection and have shown better performance than previous studies.
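The evaluation protocol described in the abstract, as an added worked example (this is not code from the paper or its authors): the five reported metrics are computed from a confusion matrix, and two models' detection rates are compared with the two-tailed two-proportion Z test the abstract refers to. The confusion-matrix counts for a "user-based" and a "role-based" model are constructed for illustration and are not the paper's results.

```python
"""Classification metrics and a two-tailed two-proportion Z test.

Added worked example for this page; it is not code from the paper or its
authors. The confusion-matrix counts at the bottom are constructed, not
taken from the paper's results.
"""
from dataclasses import dataclass
from math import erfc, sqrt


@dataclass(frozen=True)
class Confusion:
    """Counts for a binary insider-threat classifier (positive = malicious)."""
    tp: int
    fp: int
    tn: int
    fn: int

    @property
    def n(self) -> int:
        return self.tp + self.fp + self.tn + self.fn


def _ratio(a: float, b: float) -> float:
    """Safe division: a model that never alerts still gets a report."""
    return a / b if b else 0.0


def metrics(c: Confusion) -> dict:
    """The metrics named in the abstract, with these conventions:

    detection rate = recall = TP / (TP + FN)
    F1             = harmonic mean of precision and recall
    FDR            = FP / (TP + FP)  (= 1 - precision)
    NPV            = TN / (TN + FN)
    """
    recall = _ratio(c.tp, c.tp + c.fn)
    precision = _ratio(c.tp, c.tp + c.fp)
    return {
        "accuracy": _ratio(c.tp + c.tn, c.n),
        "detection_rate": recall,
        "f1": _ratio(2 * precision * recall, precision + recall),
        "fdr": _ratio(c.fp, c.tp + c.fp),
        "npv": _ratio(c.tn, c.tn + c.fn),
    }


def two_proportion_z(x1: int, n1: int, x2: int, n2: int) -> tuple[float, float]:
    """Two-tailed Z test for H0: p1 == p2, using the pooled standard error.

    Returns (z, p_value). Normal approximation: each group should have
    roughly 5 or more expected successes and failures for it to be valid.
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    if se == 0:  # both rates are 0 or both are 1: nothing to test
        return 0.0, 1.0
    z = (p1 - p2) / se
    # P(|Z| >= |z|) for a standard normal equals erfc(|z| / sqrt(2))
    return z, erfc(abs(z) / sqrt(2))


def compare_detection_rates(a: Confusion, b: Confusion, alpha: float = 0.05) -> dict:
    """Is model a's detection rate significantly different from model b's?

    The proportions are TP / (TP + FN), so the sample size is the number of
    malicious samples, not the whole test set.
    """
    z, p = two_proportion_z(a.tp, a.tp + a.fn, b.tp, b.tp + b.fn)
    return {"z": z, "p_value": p, "significant": p < alpha}


# Constructed counts (not the paper's numbers): 1000 user-days, 100 malicious.
USER_MODEL = Confusion(tp=92, fp=15, tn=885, fn=8)
ROLE_MODEL = Confusion(tp=74, fp=31, tn=869, fn=26)

if __name__ == "__main__":
    for name, c in (("user-based", USER_MODEL), ("role-based", ROLE_MODEL)):
        print(name, {k: round(v, 4) for k, v in metrics(c).items()})
    print(compare_detection_rates(USER_MODEL, ROLE_MODEL))
```

Keep the raw counts rather than the rates: the Z test needs the sample sizes, and with only 100 malicious samples a few true positives move the detection rate by several points. Two caveats a practitioner should keep in mind: the two-proportion Z test assumes independent samples, so when both models are scored on the same test set a paired test (e.g. McNemar's) is the stricter check; and detection rate alone says nothing about false alarms, which is why FDR is worth reading next to it.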

References

  • N. R. Mosteanu, “Artificial Intelligence and Cyber Security – Face To Face With Cyber Attack – A Maltese Case Of Risk Management Approach”, Ecoforum Journal, 9(2), 2020.
  • D. Ghelani, Cyber Security, Cyber Threats, Implications and Future Perspectives: A Review, Authorea Preprints, 2022.
  • Y. Hashem, H. Takabi, R. Dantu, and R. Nielsen, “A Multi-Modal Neuro-Physiological Study of Malicious Insider Threats”, International Workshop on Managing Insider Security Threats, New York, NY, USA, 33-44, October 2017.
  • M. Dosh, “Detecting insider threat within institutions using CERT dataset and different ML techniques”, Periodicals of Engineering and Natural Sciences, 9(2), 873-884, 2021.
  • Insider Threat Test Dataset, https://kilthub.cmu.edu/articles/dataset/Insider_Threat_Test_Dataset/12841247/1, 21.01.2024.
  • W. R. Claycomb and A. Nicoll, “Insider Threats to Cloud Computing: Directions for New Research Challenges”, 36th Annual Computer Software and Applications Conference, İzmir, Turkey, 387-394, July 2012.
  • X. Xiangyu et al., “Method and System for Detecting Anomalous User Behaviors: An Ensemble Approach”, 30th International Conference on Software Engineering and Knowledge Engineering, San Francisco, California, USA, 263-307, July 2018.
  • A. Tuor, S. Kaplan, B. Hutchinson, N. Nichols, and S. Robinson, Deep Learning for Unsupervised Insider Threat Detection in Structured Cybersecurity Data Streams, arXiv, 2017.
  • L. Lin, S. Zhong, C. Jia, and K. Chen, “Insider Threat Detection Based on Deep Belief Network Feature Representation”, International Conference on Green Informatics, Fuzhou, China, 54-59, August 2017.
  • F. Yuan, Y. Cao, Y. Shang, Y. Liu, J. Tan, and B. Fang, “Insider Threat Detection with Deep Neural Network”, International Conference on Computational Science, Wuxi, China, 43-54, 2018.
  • O. Lo, W. J. Buchanan, P. Griffiths, and R. Macfarlane, “Distance Measurement Methods for Improved Insider Threat Detection”, Security and Communication Networks, 2018(e5906368), 1-18, 2018.
  • D. C. Le and A. N. Zincir-Heywood, “Evaluating Insider Threat Detection Workflow Using Supervised and Unsupervised Learning”, IEEE Security and Privacy Workshops, San Francisco, CA, USA, 270-275, May 2018.
  • O. Igbe and T. Saadawi, “Insider Threat Detection using an Artificial Immune System Algorithm”, 9th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference, New York, USA, 297-302, November 2018.
  • A. J. Hall, N. Pitropakis, W. J. Buchanan, and N. Moradpoor, “Predicting Malicious Insider Threat Scenarios Using Organizational Data and a Heterogeneous Stack-Classifier”, IEEE International Conference on Big Data, Seattle, WA, USA, 5034-5039, December 2018.
  • M. Aldairi, L. Karimi, and J. Joshi, “A Trust Aware Unsupervised Learning Approach for Insider Threat Detection”, IEEE 20th International Conference on Information Reuse and Integration for Data Science, Los Angeles, California, USA, 89-98, July 2019.
  • D. C. Le and N. Zincir-Heywood, “Exploring anomalous behaviour detection and classification for insider threat identification”, International Journal of Network Management, 31(4), 2021.
  • D. C. Le and A. Nur Zincir-Heywood, “Machine learning based Insider Threat Modelling and Detection”, IFIP/IEEE Symposium on Integrated Network and Service Management, Washington DC, USA, 1-6, April.
  • M. Nasser Al-mhiqani, R. Ahmad, Z. Zainal Abidin, W. Yassin, A. Hassan, and A. Natasha Mohammad, “New insider threat detection method based on recurrent neural networks”, Indonesian Journal of Electrical Engineering and Computer Science, 17(3), 1474, 2020.
  • B. Sharma, P. Pokharel, and B. Joshi, “User Behavior Analytics for Anomaly Detection Using LSTM Autoencoder - Insider Threat Detection”, 11th International Conference on Advances in Information Technology, New York, USA, 1-9, July 2020.
  • Z. Tian, C. Luo, H. Lu, S. Su, Y. Sun, and M. Zhang, “User and Entity Behavior Analysis under Urban Big Data”, ACM Transactions on Data Science, 1(3), 1-16, 2020.
  • T. Al-Shehari and R. A. Alsowail, “An Insider Data Leakage Detection Using One-Hot Encoding, Synthetic Minority Oversampling and Machine Learning Techniques”, Entropy, 23(10), 2021.
  • R. Nasir, M. Afzal, R. Latif, and W. Iqbal, “Behavioral Based Insider Threat Detection Using Deep Learning”, IEEE Access, 9(1), 143266–143274, 2021.
  • D. Sun, M. Liu, M. Li, Z. Shi, P. Liu, and X. Wang, “DeepMIT: A Novel Malicious Insider Threat Detection Framework based on Recurrent Neural Network”, 24th International Conference on Computer Supported Cooperative Work in Design, Dalian, China, 335-341, May 2021.
  • E. Pantelidis, G. Bendiab, S. Shiaeles, and N. Kolokotronis, “Insider Threat Detection using Deep Autoencoder and Variational Autoencoder Neural Networks”, IEEE International Conference on Cyber Security and Resilience, Rhodes, Greece, 129-134, July 2021.
  • M. N. Al-Mhiqani et al., “A new intelligent multilayer framework for insider threat detection”, Computers & Electrical Engineering, 97(1), 107597, January 2022.
  • M. AlSlaiman, M. I. Salman, M. M. Saleh, and B. Wang, “Enhancing false negative and positive rates for efficient insider threat detection”, Computers & Security, 126(1), 103066, March 2023.
  • D. Li, L. Yang, H. Zhang, X. Wang, and L. Ma, “Memory-Augmented Insider Threat Detection with Temporal-Spatial Fusion”, Security and Communication Networks, 2022(1), e6418420, 2022.
  • T. Karayel, A. Akbıyık, “A Global Perspective of Cybersecurity Research: Publication Trends and Research Directions”, Journal of Information Technologies, 16(3), 221 – 235, 2023.
  • Y. Gormez, Z. Aydin, R. Karademir, and V. C. Gungor, “A deep learning approach with Bayesian optimization and ensemble classifiers for detecting denial of service attacks”, International Journal of Communication Systems, 33(11), e4401, 2020.
  • J. Snoek, H. Larochelle, and R. P. Adams, “Practical Bayesian Optimization of Machine Learning Algorithms”, Advances in Neural Information Processing Systems, Nevada, USA, 2012.
  • A. Salama, A. E. Hassanien, and A. Fahmy, “Sheep Identification Using a Hybrid Deep Learning and Bayesian Optimization Approach”, IEEE Access, 7(1), 31681–31687, 2019.
  • J. Snoek et al., “Scalable Bayesian Optimization Using Deep Neural Networks”, 32nd International Conference on Machine Learning, Lille, France, 2171-2180, June 2015.
  • H. Kaur, H. S. Pannu, and A. K. Malhi, “A Systematic Review on Imbalanced Data Challenges in Machine Learning: Applications and Solutions”, ACM Computing Surveys, 52(4), 1-36, August 2019.
  • Big Five personality traits: https://en.wikipedia.org/w/index.php?title=Big_Five_personality_traits&oldid=1114671408, 21.01.2024.
  • Y. Görmez, H. Arslan, Y. E. Işik, and İ. E. Dadaş, “A User and Entity Behavior Analysis for SIEM Systems: Preprocessing of The Computer Emergency and Response Team Dataset,” Journal Soft Computing, 4(1), 2023.
  • Arge-Preprocessing-CERT: https://github.com/Detaysoft/Arge-Preprocessing-CERT, 21.01.202
  • Keras: the Python deep learning API: https://keras.io/, 21.01.2024.
  • scikit-optimize: https://scikit-optimize.github.io/stable/, 21.01.2024.
  • Precision and recall: https://en.wikipedia.org/w/index.php?title=Precision_and_recall&oldid=1122267443, 21.01.2024.
  • Z Score Calculator for 2 Population Proportions, https://www.socscistatistics.com/tests/ztest/default2.aspx, 21.01.2024.

Turkish title: İç Tehditlerin Tespit Edilmesi için Özgün Derin Öğrenme Modellerinin Geliştirilmesi ve Modellerin Farklı Perspektiflerde Karşılaştırılması

Details

Primary Language English
Subjects Deep Learning, Cybersecurity and Privacy (Other)
Journal Section Articles
Authors

Yasin Görmez 0000-0001-8276-2030

Halil Arslan 0000-0003-3286-5159

Yunus Emre Işık 0000-0001-6176-7545

Veysel Gündüz 0000-0003-2356-0564

Publication Date January 31, 2024
Submission Date November 6, 2023
Acceptance Date January 16, 2024
Published in Issue Year 2024 Volume: 17 Issue: 1

Cite

APA Görmez, Y., Arslan, H., Işık, Y. E., Gündüz, V. (2024). Developing Novel Deep Learning Models to Detect Insider Threats and Comparing the Models from Different Perspectives. Bilişim Teknolojileri Dergisi, 17(1), 31-43. https://doi.org/10.17671/gazibtd.1386734