LAN: Learning Adaptive Neighbors for Real-Time Insider Threat Detection
CoRR (2024)
Abstract
Enterprises and organizations are faced with potential threats from insider
employees that may lead to serious consequences. Previous studies on insider
threat detection (ITD) mainly focus on detecting abnormal users or abnormal
time periods (e.g., a week or a day). However, a user may have hundreds of
thousands of activities in the log, and even within a day there may exist
thousands of activities for a user, requiring a high investigation budget to
verify abnormal users or activities given the detection results. On the other
hand, existing works are mainly post-hoc methods rather than real-time
detection, which cannot report insider threats in time before they cause loss.
In this paper, we conduct the first study towards real-time ITD at activity
level, and present a fine-grained and efficient framework LAN. Specifically,
LAN simultaneously learns the temporal dependencies within an activity sequence
and the relationships between activities across sequences with graph structure
learning. Moreover, to mitigate the data imbalance problem in ITD, we propose a
novel hybrid prediction loss, which integrates self-supervision signals from
normal activities and supervision signals from abnormal activities into a
unified loss for anomaly detection. We evaluate the performance of LAN on two
widely used datasets, i.e., CERT r4.2 and CERT r5.2. Extensive and comparative
experiments demonstrate the superiority of LAN, outperforming 9
state-of-the-art baselines by at least 9.92
on CERT r4.2 and r5.2, respectively. Moreover, LAN can also be applied to
post-hoc ITD, surpassing 8 competitive baselines by at least 7.70
AUC on two datasets. Finally, the ablation study, parameter analysis, and
compatibility analysis evaluate the impact of each module and hyper-parameter
in LAN. The source code can be obtained from https://github.com/Li1Neo/LAN.