http://dx.doi.org/10.13089/JKIISC.2022.32.2.267

Malicious Insider Detection Using Boosting Ensemble Methods  

Park, Suyun (School of Cybersecurity, Korea University)
Abstract
Due to the increasing proportion of cloud and remote working environments, various information security incidents are occurring. Insider threats have emerged as a major issue, including cases in which corporate insiders attempt to leak confidential data by accessing it remotely. In response, insider threat detection approaches based on machine learning have been developed. However, the existing machine learning methods used to detect insider threats do not take bias and variance into account, which limits their performance. In this paper, boosting-type ensemble learning algorithms are applied to verify the performance of malicious insider detection, a close analysis is conducted, and the imbalance in the datasets is also taken into account in determining the final result. Through experiments, we show that ensemble learning achieves accuracy similar to or higher than that of other existing malicious insider detection approaches while taking the bias-variance tradeoff into account. The experimental results show that ensemble learning using bagging and boosting methods reached an accuracy of over 98%, which improves malicious insider detection performance by 5.62% compared to the average accuracy of the single learning models used.
Keywords
Network intrusion detection; Ensemble learning; Malicious insider; Insider threat detection; Machine learning