A Graph Convolution Neural Network Based Method for Insider Threat Detection.

Kexiong Fei, Jiang Zhou, Lin Su, Weiping Wang, Yong Chen, Fan Zhang

ISPA/BDCloud/SocialCom/SustainCom (2022)

Abstract
In this research, we propose Log2Graph, a new insider threat detection method based on a graph convolution neural network (GCN). The method first retrieves the corresponding logs and features from log files through feature extraction. Specifically, we use an auxiliary feature, an anomaly index, to describe the relationship between entities such as users and hosts, instead of establishing complex connections between them. Second, these logs and features are augmented through a combination of oversampling and downsampling to prepare for the next-stage supervised learning process. Third, we use three elaborated rules to construct the graph of each user by connecting the logs according to their chronological and logical relationships. Finally, the constructed graph convolution neural network is used to detect insider threats. Our validation and evaluation results confirm that Log2Graph greatly improves the performance of insider threat detection compared against baseline and existing methods.
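The abstract describes a pipeline (per-event features with an anomaly index standing in for explicit user-host links, per-user graphs built from chronological and logical relationships, and a GCN over the result) but does not give the feature definition or the three edge rules. The following is an added illustration written for this page, not the authors' Log2Graph code: the log events are constructed, the anomaly index definition (one minus the share of a user's events on a host) and the two edge rules (consecutive events in time; events on the same host) are assumptions standing in for the paper's own, and the final function shows the symmetric normalisation D^-1/2 (A + I) D^-1/2 that a GCN layer applies to the adjacency matrix before propagating node features.

```python
from math import sqrt

# Constructed sample log events (illustrative, not the paper's dataset).
# Each event: (timestamp, user, host, action); ISO timestamps sort lexically.
SAMPLE_LOGS = [
    ("2024-01-01T08:00", "u1", "pc-01", "logon"),
    ("2024-01-01T08:05", "u1", "pc-01", "http"),
    ("2024-01-01T09:10", "u1", "pc-07", "logon"),   # u1 rarely uses pc-07
    ("2024-01-01T09:12", "u1", "pc-07", "usb"),
    ("2024-01-01T17:00", "u1", "pc-01", "logoff"),
    ("2024-01-01T08:30", "u2", "pc-02", "logon"),
    ("2024-01-01T16:45", "u2", "pc-02", "logoff"),
]

ACTIONS = ["logon", "logoff", "http", "usb"]  # one-hot vocabulary (assumed)


def anomaly_index(logs, user, host):
    """Assumed auxiliary feature: 1 minus the share of this user's events that
    occurred on this host. A rarely used host scores high, so the user-host
    relationship travels as a node feature instead of as an explicit edge."""
    user_events = [e for e in logs if e[1] == user]
    on_host = sum(1 for e in user_events if e[2] == host)
    return 1.0 - on_host / len(user_events)


def build_user_graph(logs, user):
    """Build one user's log graph. Nodes are the user's events in time order.
    Assumed edge rules (stand-ins for the paper's three rules):
      R1 chronological: each event links to the next event in time.
      R2 logical: events that occurred on the same host link to each other.
    Returns (events, symmetric 0/1 adjacency matrix, node feature matrix)."""
    events = sorted(e for e in logs if e[1] == user)
    n = len(events)
    adj = [[0] * n for _ in range(n)]
    for i in range(n - 1):                       # R1
        adj[i][i + 1] = adj[i + 1][i] = 1
    for i in range(n):                           # R2
        for j in range(i + 1, n):
            if events[i][2] == events[j][2]:
                adj[i][j] = adj[j][i] = 1
    feats = []
    for _, u, h, act in events:
        one_hot = [1.0 if act == a else 0.0 for a in ACTIONS]
        feats.append(one_hot + [anomaly_index(logs, u, h)])
    return events, adj, feats


def gcn_propagation_matrix(adj):
    """Symmetric normalisation D^-1/2 (A + I) D^-1/2 used by a GCN layer:
    self-loops are added, then each entry is scaled by both endpoint degrees."""
    n = len(adj)
    a_hat = [[adj[i][j] + (1 if i == j else 0) for j in range(n)] for i in range(n)]
    deg = [sum(row) for row in a_hat]
    return [[a_hat[i][j] / sqrt(deg[i] * deg[j]) for j in range(n)] for i in range(n)]


def propagate(adj, feats):
    """One weight-free GCN message-passing step: X' = A_norm X. Each event's
    features become a degree-weighted average over itself and its neighbours."""
    a_norm = gcn_propagation_matrix(adj)
    n, d = len(feats), len(feats[0])
    return [[sum(a_norm[i][k] * feats[k][c] for k in range(n)) for c in range(d)]
            for i in range(n)]


if __name__ == "__main__":
    events, adj, feats = build_user_graph(SAMPLE_LOGS, "u1")
    for ev, row, f in zip(events, adj, feats):
        print(ev[0], ev[2], ev[3], "edges:", row, "anomaly:", round(f[-1], 2))
    print("propagated anomaly column:", [round(r[-1], 3) for r in propagate(adj, feats)])
```

Running the block for user u1 shows the two pc-07 events receiving an anomaly index of 0.6 against 0.4 for the pc-01 events, the R2 edges tying the morning and evening pc-01 events together across the pc-07 excursion, and how one propagation step smooths each event's anomaly score over its graph neighbourhood, which is the signal a trained GCN classifier would then act on.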
Keywords
Insider threat detection, cluster security, graph construction, graph convolution neural network