Detecting Malicious Insider Threats through Anomaly-Based User Behaviour Analytics in Enterprise Networks: Machine Learning Approach
DOI: https://doi.org/10.25159/3005-4222/18099
Keywords: malicious insider, machine learning, User Behaviour Analytics
Abstract
Detecting malicious insider threats within enterprise networks is essential for robust cybersecurity. Insiders with authorised access present significant risks that traditional security measures often fail to address. This paper explores the application of anomaly-based User Behavior Analytics (UBA) to identify these threats by examining a comprehensive dataset of user activities. The study assesses the performance of three machine learning models: Isolation Forest, One-Class SVM, and Autoencoder. Rigorous evaluation demonstrates the Autoencoder model’s superior performance compared to other models, as evidenced by higher precision, recall, F1-score, and ROC-AUC metrics. These findings underscore the Autoencoder’s effectiveness in accurately detecting insider threats, highlighting its potential as a valuable tool in enhancing enterprise network security. The results indicate that leveraging anomaly-based UBA with advanced machine learning techniques can significantly improve the detection and mitigation of insider threats, providing a more proactive and efficient approach to safeguarding sensitive information within organisations.
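As an added illustration (not code from the paper or its authors), the following pure-Python example scores constructed per-user activity features with a simple distance-based anomaly scorer standing in for the paper's Isolation Forest, One-Class SVM and Autoencoder, then computes the precision, recall, F1 and ROC-AUC the abstract uses to compare models. The feature names, user ids, sample values and thresholds are assumptions chosen to show one benign but unusual user competing with a true insider.

```python
"""Anomaly-based UBA on constructed per-user activity features, scored and
then evaluated with precision, recall, F1 and ROC-AUC (pure Python)."""
import math

# Constructed sample (not from the paper's dataset). One row per user:
# (user, after_hours_logons, files_copied, usb_events, label); label 1 marks a
# malicious insider in the ground truth. u04 is a benign night-shift admin.
ACTIVITY = [
    ("u01", 0, 12, 0, 0), ("u02", 1, 15, 0, 0), ("u03", 0, 9, 1, 0),
    ("u04", 7, 30, 0, 0), ("u05", 1, 11, 0, 0), ("u06", 0, 13, 1, 0),
    ("u07", 9, 140, 6, 1), ("u08", 1, 10, 0, 0), ("u09", 4, 60, 3, 1),
    ("u10", 0, 12, 0, 0),
]

def anomaly_scores(rows):
    """Distance of each user from the population mean in z-scored feature
    space: a deliberately simple stand-in for the paper's three models.
    The metrics below apply unchanged to any scorer."""
    feats = [r[1:4] for r in rows]
    n, d = len(feats), len(feats[0])
    mean = [sum(f[j] for f in feats) / n for j in range(d)]
    std = [math.sqrt(sum((f[j] - mean[j]) ** 2 for f in feats) / n) or 1.0
           for j in range(d)]
    return [math.sqrt(sum(((f[j] - mean[j]) / std[j]) ** 2 for j in range(d)))
            for f in feats]

def precision_recall_f1(scores, labels, threshold):
    """Users with score >= threshold are flagged for analyst review."""
    tp = sum(1 for s, y in zip(scores, labels) if s >= threshold and y == 1)
    fp = sum(1 for s, y in zip(scores, labels) if s >= threshold and y == 0)
    fn = sum(1 for s, y in zip(scores, labels) if s < threshold and y == 1)
    p = tp / (tp + fp) if tp + fp else 0.0
    r = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * p * r / (p + r) if p + r else 0.0
    return p, r, f1

def roc_auc(scores, labels):
    """Threshold-free: probability that a random insider outscores a random
    benign user (ties count one half), which equals the area under the ROC."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    wins = sum(1.0 if p > q else 0.5 if p == q else 0.0 for p in pos for q in neg)
    return wins / (len(pos) * len(neg))

def evaluate(rows, threshold):
    scores = anomaly_scores(rows)
    labels = [r[4] for r in rows]
    p, r, f1 = precision_recall_f1(scores, labels, threshold)
    return {"precision": p, "recall": r, "f1": f1, "roc_auc": roc_auc(scores, labels)}
```

Calling `evaluate(ACTIVITY, 1.5)` flags the admin but misses the second insider (precision and recall both 0.5), while `evaluate(ACTIVITY, 1.2)` catches both insiders at the cost of one false positive; ROC-AUC stays 0.9375 regardless of threshold, which is why the abstract reports it alongside the thresholded metrics.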
License
Copyright (c) 2025 Idris Ibraheem, Adepoju Temilola Morufat, Samuel Kwabla Segbefia, Ahmed Abiodun Abdulrasaq

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.