Identifying and Clustering Users for Unsupervised Intrusion Detection in Corporate Audit Sessions
Authors: Mathieu Garchery, M. Granitzer
Published in: 2019 IEEE International Conference on Cognitive Computing (ICCC), 2019-07-08
DOI: 10.1109/ICCC.2019.00016 (https://doi.org/10.1109/ICCC.2019.00016)
Citations: 2
Abstract
We address intrusion detection in audit sessions, focusing on masquerades and insider threats. Unsupervised intrusion detection can straightforwardly be addressed through supervised user identification. This allows us to simply model the normal behavior of users implicitly within any supervised classifier. However, certain users can have very similar behavior, as shown by their audit sessions, so learning to distinguish them is meaningless and leads to false positives. To address this issue we propose a second method, which identifies user clusters instead of individual users. By discarding harmless alarms for users with similar sessions, a better trade-off between false positives and detection rate can be achieved. We evaluate both methods on real-world and synthetic corporate audit sessions: our methods outperform anomaly detection baselines for masquerade detection. Our results suggest that user identification is effective for masquerades, while insider threats should be detected differently.