Venue: 2018 17th IEEE International Conference on Trust, Security and Privacy In Computing and Communications, 12th IEEE International Conference on Big Data Science and Engineering

A General and Expandable Insider Threat Detection System Using Baseline Anomaly Detection and Scenario-Driven Alarm Filters


Abstract

The insider threat continues to be a paramount cyber security challenge that threatens individuals, financial enterprises and governmental organizations. To deter insider threats, the scenario-driven detection approach has been a hot topic. However, technological limitations in practice severely constrain how effective scenario-driven detection is in reality. Therefore we propose a new general and expandable insider threat detection system that divides the detection into two functional modules: the baseline anomaly detection module, which handles multiple attack-scenario detections based on multi-domain behavioral mode features with adaptive characteristics, and the scenario-driven alarm filter module, based on the time-based anomaly frequency degree (TAFD) and on attack beginning analysis. The multi-domain behavioral mode features enable us to effectively identify a user's abnormal behavior through general feature extraction and classification organization without a specific scenario analysis, whereas the exemplary scenario-driven alarm filter based on the TAFD is used to distinguish benign anomalies from attack anomalies according to the frequency characteristics obtained from the scenario analysis, alongside a specific alarm filter based on attack beginning analysis. The experimental results illustrate the effectiveness and feasibility of the proposed general and expandable insider threat detection system, showing a satisfactory true positive rate (TPR) and a low false positive rate (FPR) with reasonable hit and tradeoff rates for multiple attack scenarios. This work lays the foundation for a promising insider threat detection architecture that integrates multiple scenario-driven detections into a normative, flexible and effective modular system.
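The two-module split described in the abstract, as an added toy example that is not the paper's code: module 1 builds a per-user baseline over several behavioural domains (logons, file copies, USB events, HTTP requests) and flags days that deviate from it; module 2 is a frequency-based alarm filter in the spirit of the TAFD, which suppresses an isolated benign anomaly and raises an alarm only for a sustained run, reporting the first flagged day of the triggering window as the estimated attack beginning. The abstract does not give the TAFD formula, so the windowed share of flagged days used here, the z-score baseline, the threshold values and all user data are assumptions constructed for the example.

```python
"""Toy two-module insider-threat pipeline (added example, not the paper's code).

Module 1: baseline anomaly detection over multi-domain daily behaviour counts.
Module 2: a frequency-based alarm filter modelled on the paper's time-based
anomaly frequency degree (TAFD). The abstract does not define TAFD exactly;
the sliding-window ratio used here is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

FEATURES = ("logons", "files_copied", "usb_events", "http_requests")

# Constructed sample data: (user, day, logons, files_copied, usb_events, http_requests)
# alice: stable baseline, one benign spike on day 15, then back to normal
EVENTS = [("alice", d, 8 + (d % 2), 20 + (d % 3), 0, 300 + 10 * (d % 4)) for d in range(1, 15)]
EVENTS.append(("alice", 15, 9, 60, 1, 310))
EVENTS += [("alice", d, 8, 21, 0, 305) for d in range(16, 21)]
# bob: normal for 14 days, then a sustained shift in file and web activity from day 15
EVENTS += [("bob", d, 7 + (d % 2), 15 + (d % 2), 0, 250) for d in range(1, 15)]
EVENTS += [("bob", d, 7, 55 + d, 2, 900) for d in range(15, 21)]


def build_baselines(events, train_days):
    """Per-user, per-feature (mean, std) over the first `train_days` days."""
    per_user = defaultdict(lambda: defaultdict(list))
    for user, day, *vals in events:
        if day <= train_days:
            for name, v in zip(FEATURES, vals):
                per_user[user][name].append(v)
    return {u: {f: (mean(x), pstdev(x)) for f, x in feats.items()}
            for u, feats in per_user.items()}


def detect_anomalies(events, baselines, z_thresh=3.0):
    """Module 1: flag (user, day) when any feature is more than z_thresh
    standard deviations from that user's baseline (assumed detector)."""
    flagged = set()
    for user, day, *vals in events:
        for name, v in zip(FEATURES, vals):
            mu, sigma = baselines[user][name]
            sigma = max(sigma, 1.0)  # floor so constant training features do not divide by zero
            if abs(v - mu) / sigma > z_thresh:
                flagged.add((user, day))
                break
    return flagged


def alarm_filter(flagged, horizon, window=5, min_ratio=0.6):
    """Module 2: TAFD-style filter (assumed form). For each user slide a
    `window`-day window over days 1..horizon; the anomaly frequency degree is
    the share of flagged days in the window. Alarm when it reaches min_ratio,
    reporting the first flagged day of that window as the attack beginning."""
    alarms = {}
    for user in sorted({u for u, _ in flagged}):
        days = {d for u, d in flagged if u == user}
        for start in range(1, horizon - window + 2):
            hits = [d for d in range(start, start + window) if d in days]
            if len(hits) / window >= min_ratio:
                alarms[user] = {"begin": hits[0], "tafd": len(hits) / window}
                break
    return alarms


def run_pipeline(events=EVENTS, train_days=14):
    """Run both modules; returns (baselines, flagged_days, alarms)."""
    baselines = build_baselines(events, train_days)
    flagged = detect_anomalies(events, baselines)
    horizon = max(day for _, day, *_ in events)
    return baselines, flagged, alarm_filter(flagged, horizon)


if __name__ == "__main__":
    _, flagged, alarms = run_pipeline()
    print("module 1 flagged:", sorted(flagged))
    print("module 2 alarms :", alarms)
```

On the constructed data module 1 flags alice's single spike on day 15 as well as every one of bob's shifted days, while module 2 discards alice's isolated anomaly and alarms only on bob, with the attack beginning estimated at day 15; the baseline module stays scenario-agnostic and the scenario knowledge (how frequent a real attack's anomalies are) lives entirely in the filter, which is the separation the paper argues for.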
