{"title":"BS-Net: A Behavior Sequence Network for Insider Threat Detection","authors":"Dali Zhu, Hongju Sun, Nan Li, Baoxin Mi, Tong Xi","doi":"10.1109/ISCC53001.2021.9631445","DOIUrl":null,"url":null,"abstract":"In view of the concealment and destructiveness of insider threats, to detect insider threats is very important for protecting the security of enterprises and organizations. However, it is still a challenge to design a practical detection scheme which can accurately mine abnormal clues and has a high level of automation. In this paper, we propose the Behavior Sequence Network (BS-Net) which applies the one-class support vector machine and the recurrent neural network to the insider threat detection problem. The BS-Net is a detection framework based on user behavior portrait that learns representative features from the raw log data and then makes discrimination by a unified standard. Through a flow sequence division method, the original data flow is divided into short sequences. After behavior feature extraction and sequence matching, behavior sequences are sent into two anomaly detection models to analyze the occurrence possibility of behaviors from local detail features and the global dependence relationship between businesses respectively. 
We conduct experiments based on the CERT dataset and the results show that BS-Net achieves an excellent performance (recall rate of 0.94, accuracy of 0.94, and FPR of 0.12) and outperforms the state-of-the-art methods.","PeriodicalId":270786,"journal":{"name":"2021 IEEE Symposium on Computers and Communications (ISCC)","volume":"17 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-09-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 IEEE Symposium on Computers and Communications (ISCC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ISCC53001.2021.9631445","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 1