Anomaly Detection for Insider Threats: An Objective Comparison of Machine Learning Models and Ensembles

Filip Bartoszewski, Mike Just, Michael Adam Lones, Oleksii Mandrychenko

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


Abstract

Insider threat detection is challenging due to the wide variety of possible attacks and the limited availability of real threat data for testing. Most previous anomaly detection studies have relied on synthetic threat data, such as the CERT insider threat dataset. However, several previous studies have used evaluation practices that arguably introduce bias, such as the selective use of metrics and reuse of the same dataset with prior knowledge of the answer labels. In this paper, we create and test a host of models following guidelines of good conduct to produce what we believe to be a more objective comparison of these models. Our results indicate that majority voting ensembles are a simple and cost-effective way of boosting the quality of results from individual machine learning models, both on the CERT data and on a version augmented with additional attacks. We include a comparison of models with their hyperparameters optimized for different target metrics.
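The two points the abstract makes, that a majority vote over individual detectors can beat each of them, and that the metric you report decides which ensemble rule looks best, can be reproduced on a small scale. The following is an added example written for this page; it is not the authors' code and does not use the CERT dataset. The ten user-day records, the three rank-based detectors (after-hours logon, upload volume, removable-media use) and the ground-truth labels are all constructed here for illustration.

```python
"""Majority-vote ensemble of simple anomaly detectors (added example, not the paper's code).

Each detector is unsupervised: it flags the k user-days with the highest score for one
feature. The ensemble combines the detectors' flags by vote count. Ground truth is used
only to score the results, never to fit the detectors.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Record:
    rid: int           # user-day identifier
    logon_hour: int    # hour of first logon, 0-23
    upload_mb: float   # bytes uploaded to external hosts, in MB
    usb_events: int    # removable-media connect events


# Constructed sample data (hypothetical, not from any real dataset).
RECORDS: List[Record] = [
    Record(0, 9, 5, 0), Record(1, 10, 8, 0), Record(2, 14, 3, 0),
    Record(3, 8, 12, 0), Record(4, 17, 6, 1), Record(5, 23, 4, 0),
    Record(6, 2, 90, 1),   # night logon, large upload, USB: clear exfiltration
    Record(7, 11, 70, 0),  # daytime cloud exfiltration: only the upload feature is unusual
    Record(8, 22, 7, 1),   # after-hours USB copying: modest upload volume
    Record(9, 13, 9, 0),
]
TRUE_ANOMALIES: Set[int] = {6, 7, 8}

# Hypothetical per-feature anomaly scores (higher = more suspicious).
DETECTORS: Dict[str, Callable[[Record], float]] = {
    "after_hours": lambda r: abs(r.logon_hour - 12),
    "upload_volume": lambda r: r.upload_mb,
    "removable_media": lambda r: r.usb_events,
}


def top_k(records: List[Record], score: Callable[[Record], float], k: int) -> Set[int]:
    """Unsupervised detector: flag the k records with the highest score."""
    ranked = sorted(records, key=score, reverse=True)
    return {r.rid for r in ranked[:k]}


def run_detectors(records: List[Record], detectors=DETECTORS, k: int = 3) -> Dict[str, Set[int]]:
    """Run every detector and return the set of record ids each one flagged."""
    return {name: top_k(records, score, k) for name, score in detectors.items()}


def vote(flags_by_model: Dict[str, Set[int]], min_votes: int) -> Set[int]:
    """Flag a record when at least min_votes detectors flagged it."""
    counts: Dict[int, int] = {}
    for flagged in flags_by_model.values():
        for rid in flagged:
            counts[rid] = counts.get(rid, 0) + 1
    return {rid for rid, c in counts.items() if c >= min_votes}


def majority_vote(flags_by_model: Dict[str, Set[int]]) -> Set[int]:
    """Strict majority: more than half of the detectors must agree."""
    return vote(flags_by_model, len(flags_by_model) // 2 + 1)


def evaluate(predicted: Set[int], truth: Set[int]) -> Dict[str, float]:
    """Precision, recall and F1 of a flagged set against ground truth."""
    tp = len(predicted & truth)
    fp = len(predicted - truth)
    fn = len(truth - predicted)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f1": f1}


def compare(records: List[Record] = RECORDS, truth: Set[int] = TRUE_ANOMALIES) -> Dict[str, Dict[str, float]]:
    """Score each detector alone and three ensemble rules (any / majority / unanimous)."""
    flags = run_detectors(records)
    results = {name: evaluate(f, truth) for name, f in flags.items()}
    results["ensemble_any"] = evaluate(vote(flags, 1), truth)
    results["ensemble_majority"] = evaluate(majority_vote(flags), truth)
    results["ensemble_unanimous"] = evaluate(vote(flags, len(flags)), truth)
    return results


if __name__ == "__main__":
    for name, m in compare().items():
        print(f"{name:20s} P={m['precision']:.2f} R={m['recall']:.2f} F1={m['f1']:.2f}")
```

On this constructed data each single detector scores P = R = F1 = 0.67: every one catches two of the three insiders and raises one false positive. The majority vote drops every false positive and keeps two true positives (F1 = 0.80), the "any detector" rule reaches recall 1.0 at the cost of precision 0.5, and the unanimous rule reaches precision 1.0 with recall 0.33. Reporting only recall would favour the OR rule and reporting only precision would favour unanimity, which is exactly why the abstract's comparison of models tuned for different target metrics matters.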
Original language: English
Title of host publication: ICT Systems Security and Privacy Protection. SEC 2021
Editors: Audun Jøsang, Lynn Futcher, Janne Hagen
Publisher: Springer
Pages: 367-381
Number of pages: 15
ISBN (Electronic): 978-3-030-78120-0
ISBN (Print): 978-3-030-78119-4
DOIs
Publication status: Published - 15 Jun 2021
Event: 36th IFIP TC 11 International Conference 2021 - Oslo, Norway
Duration: 22 Jun 2021 to 24 Jun 2021

Publication series

Name: IFIP Advances in Information and Communication Technology
Volume: 625
ISSN (Print): 1868-4238
ISSN (Electronic): 1868-422X

Conference

Conference: 36th IFIP TC 11 International Conference 2021
Abbreviated title: SEC 2021
Country/Territory: Norway
City: Oslo
Period: 22/06/21 to 24/06/21

Keywords

  • Anomaly detection
  • Ensembles
  • Insider threat
  • Machine learning

ASJC Scopus subject areas

  • Information Systems
  • Computer Networks and Communications
  • Information Systems and Management
