Anomaly Detection for Insider Threats: An Objective Comparison of Machine Learning Models and Ensembles

Filip Bartoszewski, Mike Just, Michael Adam Lones, Oleksii Mandrychenko

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution



Insider threat detection is challenging due to the wide variety of possible attacks and the limited availability of real threat data for testing. Most previous anomaly detection studies have relied on synthetic threat data, such as the CERT insider threat dataset. However, several previous studies have used models that arguably introduce bias, such as the selective use of metrics, and reusing the same dataset with the prior knowledge of the answer labels. In this paper, we create and test a host of models following some guidelines of good conduct to produce what we believe to be a more objective comparison of these models. Our results indicate that majority voting ensembles are a simple and cost-effective way of boosting the quality of results from individual machine learning models, both on the CERT data and on a version augmented with additional attacks. We include a comparison of models with their hyperparameters optimized for different target metrics.
Original language: English
Title of host publication: ICT Systems Security and Privacy Protection. SEC 2021
Editors: Audun Jøsang, Lynn Futcher, Janne Hagen
Number of pages: 15
ISBN (Electronic): 978-3-030-78120-0
ISBN (Print): 978-3-030-78119-4
Publication status: Published - 15 Jun 2021
Event: 36th IFIP TC 11 International Conference 2021 - Oslo, Norway
Duration: 22 Jun 2021 to 24 Jun 2021

Publication series

Name: IFIP Advances in Information and Communication Technology
ISSN (Print): 1868-4238
ISSN (Electronic): 1868-422X


Conference: 36th IFIP TC 11 International Conference 2021
Abbreviated title: SEC 2021

Keywords

  • Anomaly detection
  • Ensembles
  • Insider threat
  • Machine learning

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications
  • Information Systems and Management
