Doc2vec-Based Insider Threat Detection through Behaviour Analysis of Multi-source Security Logs

Since insider attacks have been recognised as one of the most critical cyber security threats to an organisation, detection of malicious insiders has received increasing attention in recent years. Previously, we proposed an approach that performs the detection by analysing various security logs with Word2vec, which not only removes the reliance on prior knowledge but also greatly simplifies the process of decision making and improves the interpretability of the alerts. In this paper, following the similar idea, a new Doc2vec based approach is proposed to overcome the previous approach's limitations: (1) the behaviour metrics can be acquired straightforwardly due to the Doc2vec's capability in inferring unseen texts of any length; (2) other than the temporal metrics, some spatial metrics can also be realised, providing a more comprehensive insight into the unusual behaviours; and (3) a range of corpora are produced by adopting different keywords to aggregate, each of which may be suited to a specific type of behaviour metrics. A large number of numerical experiments are conducted using the same benchmark insider threat database, for the purpose of testing how the corpora, metric and training parameters impact on the performance and be related to each other. The experiments demonstrate that the proposed approach can achieve a similar performance with greater simplicity and flexibility.