Temporal feature aggregation with attention for insider threat detection from activity logs.

Nowadays, insider attacks are emerging as one of the top cybersecurity threats. However, the detection of insider threats is a more arduous task for many reasons. A significant cause is the availability of various data types related to insider activities and their possible behavioral drift. Another major reason is that threat activities rarely happen within any organizational environment and usually remain submerged within a massive amount of normal activities thereby creating data imbalance issues. Any insider threat event requires three major components to get materialized: proper motivation, suitable opportunity and a minimum skill set. The simultaneous occurrence of all these elements is rarely found in organizational environment compared to regular activity traits, and the data imbalance thus caused makes accurate detection of threat activities quite challenging. Existing insider threat detection techniques are mainly divided into statistical rule-based, machine learning-based, and deep learning-based methods. Although recent deep learning methods have been found to extract intrinsic behavioral properties from users' activity patterns more effectively than traditional rule-based and machine-learning methods by utilizing their multilayer architecture. But sporadic approaches prioritize critical sections of activity patterns in their detection scheme. Also, rare methods focused on taking advantage of multiple deep learning-based feature extraction models together in their detection process. Finally, rare methods have adequately focused on data imbalance issues, especially over the unequal proportion of different categories of threat instances. In this paper, we proposed an insider threat detection approach using an ensemble of stacked-LSTM and stacked-GRU-based attention models. Our models are first trained on the user's single-day sequential activity logs. Then a stacked ensemble of trained attention models is used to extract the user's single-day activity information in the form of the feature vector, which is finally used for classification. To address the data imbalance issues, we propose a new equally-weighted random sampling approach for balancing the population of the different categories of threat patterns. We randomly undersample the nonmalicious instances followed by random oversampling of the different categories of threat instances in an equally-weighted manner so that the training models can learn the behavioral characteristics of the different types of insider activity patterns without getting biased towards any particular type, which is a major limitation of random oversampling and random undersampling-based techniques. Experiments have been performed on the different versions of the CMU CERT insider threat datasets. For robust evaluation, stratified division-based train-test sets have been used based on different categories of insider activities. An average AUC of 0.99 on CMU CERT v4.2 and v5.2 datasets and 0.97 on its v6.2 dataset shows the robustness of the proposed approach in detecting insider threats. • Stacked ensemble of attention models-based insider threat detection approach. • Broad categorization of user activity improves insider threat detection process. • Equally weighted random sampling (EWRS) technique used for handling data imbalance. • Stratified division of insider threat dataset is used for evaluation purpose. • AUC score of 0.99 achieved on CMU CERT v4.2, v5.2 and 0.97 on v6.2 datasets. [ABSTRACT FROM AUTHOR]