Yasin Görmez, Halil Arslan, Y. Işık, Veysel Gündüz
Title: Developing Novel Deep Learning Models to Detect Insider Threats and Comparing the Models from Different Perspectives
Journal: Bilişim Teknolojileri Dergisi, volume 39 (2)
DOI: 10.17671/gazibtd.1386734 (https://doi.org/10.17671/gazibtd.1386734)
Publication date: 2024-01-16
Publication type: Journal Article
Citations: 0
Abstract
Cybersecurity has become an increasingly vital concern for numerous institutions, organizations, and governments. Many studies have been carried out to prevent external attacks, but there are not enough studies on detecting malicious insider actions. Given the damage that insider attacks inflict on corporate reputations and financial positions, the lack of work in this field is a significant disadvantage. In this study, several deep learning models using fully connected layers, convolutional neural networks and long short-term memory were developed for user and entity behavior analysis. The hyper-parameters of the models were optimized using Bayesian optimization techniques. Experimental analysis was performed using version 4.2 of the Computer Emergency Response Team dataset. Two types of features, personal information and numerical features, were extracted from the daily activities of users. The dataset was divided by user or by role, and the experimental results showed that user-based models perform better than role-based models. In addition, the models developed using long short-term memory were more accurate than the others. Accuracy, detection rate, F1-score, false discovery rate and negative predictive value were used as metrics to compare model performance fairly with state-of-the-art models. According to these metrics, our model obtained better scores than the state-of-the-art models, and the performance improvements were statistically significant according to the two-tailed Z test. The study is anticipated to contribute significantly to the literature, as the deep learning approaches developed within its scope have not previously been employed in insider threat detection. Moreover, these approaches have demonstrated superior performance compared to previous studies.
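The metrics the abstract reports (accuracy, detection rate, F1-score, false discovery rate, negative predictive value) and the two-tailed Z test used to compare models, as an added example that is not code from the paper. It assumes the Z test is the standard two-proportion test on per-instance accuracies, and the confusion-matrix counts are constructed to mimic the heavy class imbalance of insider-threat data (few malicious user-days among many benign ones).

```python
from math import sqrt, erf


def metrics_from_confusion(tp, fp, tn, fn):
    """Metrics from a binary confusion matrix where the positive class is
    'malicious insider activity'. Zero-division cases return 0.0."""
    total = tp + fp + tn + fn
    accuracy = (tp + tn) / total
    detection_rate = tp / (tp + fn) if tp + fn else 0.0   # recall / TPR
    precision = tp / (tp + fp) if tp + fp else 0.0
    denom = precision + detection_rate
    f1 = 2 * precision * detection_rate / denom if denom else 0.0
    fdr = fp / (tp + fp) if tp + fp else 0.0              # 1 - precision
    npv = tn / (tn + fn) if tn + fn else 0.0              # benign predictions that are truly benign
    return {"accuracy": accuracy, "detection_rate": detection_rate,
            "f1": f1, "fdr": fdr, "npv": npv}


def two_proportion_z_test(correct_a, n_a, correct_b, n_b):
    """Two-tailed Z test for the difference between two proportions, e.g. the
    accuracy of model A (correct_a of n_a) versus model B (correct_b of n_b).
    Returns (z, p_value); a degenerate pooled proportion yields (0.0, 1.0)."""
    p_a, p_b = correct_a / n_a, correct_b / n_b
    pooled = (correct_a + correct_b) / (n_a + n_b)
    variance = pooled * (1 - pooled) * (1 / n_a + 1 / n_b)
    if variance == 0:
        return 0.0, 1.0
    z = (p_a - p_b) / sqrt(variance)
    # two-tailed p-value from the standard normal CDF, Phi(x) = (1 + erf(x / sqrt 2)) / 2
    p_value = 2 * (1 - 0.5 * (1 + erf(abs(z) / sqrt(2))))
    return z, p_value


def demo():
    """Constructed example: 10,000 user-days, 100 of them malicious.
    Model A catches 90 of them at the cost of 40 false alarms; a baseline
    model B gets 9,900 of 10,000 instances right."""
    m = metrics_from_confusion(tp=90, fp=40, tn=9860, fn=10)
    # accuracy is 0.995, yet almost a third of the alerts are false (fdr ~ 0.31):
    # this is why the paper reports detection rate and FDR alongside accuracy.
    z, p = two_proportion_z_test(9950, 10000, 9900, 10000)
    return m, z, p


if __name__ == "__main__":
    metrics, z, p = demo()
    print(metrics)
    print(f"z = {z:.3f}, two-tailed p = {p:.2e}, significant at 0.05: {p < 0.05}")
```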