research-article

GraphCH: A Deep Framework for Assessing Cyber-Human Aspects in Insider Threat Detection

Published: 15 January 2024

Abstract

Insider threat is one of the most damaging cyber attacks that could cause the loss of intellectual property and enterprise data security breaches. Action sequence data such as host logs are used to investigate such threats and develop anomaly-based AI detectors. However, insider threat actions are similar to legitimate user activities, causing AI detectors to fail and suffer from high false alarm rates. Therefore, user cyber activity logs are inadequate to fully unfold insider threats. In this study, we adopt human psychological principles of risk-taking and impulsiveness along with host data to assess the influence and usefulness of human behavioral aspects in insider threat detection. We hypothesize that individuals’ impulsive and risk-taking behavior correlates with cyberspace activities. To validate our hypothesis, we conducted an IRB-approved study recruiting 35 participants who work in a large U.S. university and collected their cyber and psychological data for 90 days. Host and human-behavioral data analysis and mapping indicate that impulsive and risk-taking users trigger more system errors causing (un)intentional insider threats and are susceptible to attackers’ social engineering and cognitive hacking. Utilizing cyber-human aspects, we introduce a Cyber-Human Graph Neural Network (GNN) based framework GraphCH to identify abnormal user behaviors and detect insider threats.



Published In

IEEE Transactions on Dependable and Secure Computing, Volume 21, Issue 5
Sept.-Oct. 2024
750 pages

Publisher

IEEE Computer Society Press
Washington, DC, United States
