Unsupervised Learning Based Approach for Insider Threat Analysis

Insider threat is one of the most damaging security threats to the safety of data, systems, and intellectual property of institutions. Typical threats caused by malicious insiders are trade secrets / intellectual property theft, disclosure of classified information, theft of personal information and system sabotage. Malicious actions of insider threats are performed by authorized personnel of organizations, which may be familiar with the organizational structure, valued properties, and security layers. Given that a malicious insider is authorized to access the organization’s systems and networks, other challenges appear in this detection problem as well. One of them is that data describing insider threat activities is typically rare and poorly documented. Thus, detecting and mitigating insider threats represent a major cybersecurity challenge to any organization. In summary, the challenges in insider threat detection include unbalanced data, limited ground truth, and possible user behaviour changes. This project aims to design an unsupervised learning-based approach for insider threat detection. Our goal is to employ unsupervised learning algorithms with different working principles, such as Autoencoder and Isolation Forest. Furthermore, we will explore various representations of data with temporal information and compare our approach to other work in the literature to analyze its effectiveness and generalizability.

Duc Le
Faculty Supervisor: 
Nur Zincir-Heywood
Nova Scotia
Partner University: