Graph Intelligence Enhanced Bi-Channel Insider Threat Detection

Bibliographic Details
Published in: Network and System Security, Vol. 13787, pp. 86-102
Main Authors: Hong, Wei; Yin, Jiao; You, Mingshan; Wang, Hua; Cao, Jinli; Li, Jianxin; Liu, Ming
Format: Book Chapter
Language: English
Published: Switzerland: Springer, 2022 (Springer Nature Switzerland)
Series: Lecture Notes in Computer Science
ISBN: 9783031230196, 3031230191
ISSN: 0302-9743, 1611-3349
DOI: 10.1007/978-3-031-23020-2_5

More Information
Summary: For an organization, insider intrusion generally poses far more detrimental threats than outsider intrusion. Traditionally, insider threat is detected by analyzing logged user behaviours and then establishing a binary classifier to distinguish malicious ones. However, most approaches consider user behaviour in an isolated manner, inevitably missing the background information from organizational connections such as a shared supervisor or e-mail interactions. Consequently, the performance of those existing works still has the potential to be enhanced. In this paper, we propose a bi-channel insider threat detection (B-CITD) framework enhanced by graph intelligence to improve the overall performance of existing methods. Firstly, we extract behavioural features from a series of log files as the inner-user channel features. Secondly, we construct an organizational connection graph and extract topological features through a graph neural network (GNN) model as the inter-user channel features. In the end, the features from the inner-user and inter-user channels are combined to perform an insider threat detection task through a binary classification model. Experimental results on the open-sourced CERT 4.2 dataset show that B-CITD can enhance the performance of insider threat detection by a large margin, compared with using features only from the inner-user or inter-user channel. We published our code on GitHub: https://github.com/Wayne-on-the-road/B-CITD.