
UAG: User Action Graph Based on System Logs for Insider Threat Detection.

ISCC (2023)

Abstract
Insider threats pose significant risks to the network systems of organizations. Users have diverse behavioral habits within an organization, leading to variations in their activity patterns. Hence, data analysis and mining techniques are essential for modeling user behavior. Current methods analyze system logs and extract user action sequence features; however, they overlook the relationships between different actions, reducing detection accuracy. To address this issue, we propose a novel method called UAG (User Action Graph). UAG transforms user actions into a graph representing their chronological order and interrelationships, facilitating a more accurate and comprehensive understanding of user behavior. By extracting global and local features from the user action graph, UAG offers an extensive and detailed perspective of user behaviors. Ultimately, we develop a lightweight ensemble autoencoder model to detect insider threats. Comprehensive experiments demonstrate that UAG delivers outstanding performance and surpasses existing methods.
Key words
Insider Threats, Anomaly Detection, User Action Graph, Cyber Security