LaAeb: A comprehensive log-text analysis based approach for insider threat detection

IF 4.8 2区 计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS
Kexiong Fei , Jiang Zhou , Yucan Zhou , Xiaoyan Gu , Haihui Fan , Bo Li , Weiping Wang , Yong Chen
{"title":"LaAeb: A comprehensive log-text analysis based approach for insider threat detection","authors":"Kexiong Fei ,&nbsp;Jiang Zhou ,&nbsp;Yucan Zhou ,&nbsp;Xiaoyan Gu ,&nbsp;Haihui Fan ,&nbsp;Bo Li ,&nbsp;Weiping Wang ,&nbsp;Yong Chen","doi":"10.1016/j.cose.2024.104126","DOIUrl":null,"url":null,"abstract":"<div><div>Insider threats have increasingly become a critical issue that modern enterprises and organizations faced. They are mainly initiated by insider attackers, which may cause disastrous impacts. Numerous research studies have been conducted for insider threat detection. However, most of them are limited due to a small number of malicious samples. Moreover, as existing methods often concentrate on feature information or statistical characteristics for anomaly detection, they still lack effective use of comprehensive textual content information contained in logs and thus will affect detection efficiency.</div><div>We propose <span>LaAeb</span>, a novel unsupervised insider threat detection framework that leverages rich linguistic information in log contents to enable conventional methods, such as an Isolation Forest-based anomaly detection, to better detect insider threats besides using various features and statistical information. To find malicious acts under different scenarios, we consider three patterns of insider threats, including <em>attention</em>, <em>emotion</em>, and <em>behavior anomaly</em>. The attention anomaly detection analyzes textual contents of operation objects (e.g., emails and web pages) in logs to detect threats, where the textual information reflects the areas that employees focus on. When the attention seriously deviates from daily work, an employee may involve malicious acts. The emotion anomaly detection analyzes all dialogs between every two employees’ daily communicated texts and uses the degree of negative to find potential psychological problems. The behavior anomaly detection analyzes the operations of logs to detect threats. It utilizes information acquired from attention and emotion anomalies as ancillary features, integrating them with features and statistics extracted from log operations to create log embeddings. With these log embeddings, <span>LaAeb</span> employs anomaly detection algorithm like Isolation Forest to analyze an employee’s malicious operations, and further detects the employee’s behavior anomaly by considering all employees’ acts in the same department. Finally, <span>LaAeb</span> consolidates detection results of three patterns indicative of insider threats in a comprehensive manner.</div><div>We implement the prototype of <span>LaAeb</span> and test it on CERT and LANL datasets. Our evaluations demonstrate that compared with state-of-the-art unsupervised methods, <span>LaAeb</span> reduces FPR by 50% to reach 0.05 on CERT dataset under the same AUC <span><math><mrow><mo>(</mo><mn>0</mn><mo>.</mo><mn>93</mn><mo>)</mo></mrow></math></span>, and gets the best AUC <span><math><mrow><mo>(</mo><mn>0</mn><mo>.</mo><mn>97</mn><mo>)</mo></mrow></math></span> with 0.06 higher value on LANL dataset.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104126"},"PeriodicalIF":4.8000,"publicationDate":"2024-09-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824004310","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

Insider threats have increasingly become a critical issue that modern enterprises and organizations faced. They are mainly initiated by insider attackers, which may cause disastrous impacts. Numerous research studies have been conducted for insider threat detection. However, most of them are limited due to a small number of malicious samples. Moreover, as existing methods often concentrate on feature information or statistical characteristics for anomaly detection, they still lack effective use of comprehensive textual content information contained in logs and thus will affect detection efficiency.
We propose LaAeb, a novel unsupervised insider threat detection framework that leverages rich linguistic information in log contents to enable conventional methods, such as an Isolation Forest-based anomaly detection, to better detect insider threats besides using various features and statistical information. To find malicious acts under different scenarios, we consider three patterns of insider threats, including attention, emotion, and behavior anomaly. The attention anomaly detection analyzes textual contents of operation objects (e.g., emails and web pages) in logs to detect threats, where the textual information reflects the areas that employees focus on. When the attention seriously deviates from daily work, an employee may involve malicious acts. The emotion anomaly detection analyzes all dialogs between every two employees’ daily communicated texts and uses the degree of negative to find potential psychological problems. The behavior anomaly detection analyzes the operations of logs to detect threats. It utilizes information acquired from attention and emotion anomalies as ancillary features, integrating them with features and statistics extracted from log operations to create log embeddings. With these log embeddings, LaAeb employs anomaly detection algorithm like Isolation Forest to analyze an employee’s malicious operations, and further detects the employee’s behavior anomaly by considering all employees’ acts in the same department. Finally, LaAeb consolidates detection results of three patterns indicative of insider threats in a comprehensive manner.
We implement the prototype of LaAeb and test it on CERT and LANL datasets. Our evaluations demonstrate that compared with state-of-the-art unsupervised methods, LaAeb reduces FPR by 50% to reach 0.05 on CERT dataset under the same AUC (0.93), and gets the best AUC (0.97) with 0.06 higher value on LANL dataset.
LaAeb:基于日志文本分析的内部威胁综合检测方法
内部威胁日益成为现代企业和组织面临的关键问题。它们主要由内部攻击者发起,可能造成灾难性的影响。针对内部威胁检测开展了大量研究。然而,由于恶意样本数量较少,大多数研究都存在局限性。我们提出的 LaAeb 是一种新型的无监督内部威胁检测框架,它利用日志内容中丰富的语言信息,使传统方法(如基于隔离森林的异常检测)除了利用各种特征和统计信息外,还能更好地检测内部威胁。为了发现不同场景下的恶意行为,我们考虑了三种内部威胁模式,包括注意力异常、情绪异常和行为异常。注意力异常检测通过分析日志中操作对象(如电子邮件和网页)的文本内容来检测威胁,其中文本信息反映了员工关注的领域。当员工的注意力严重偏离日常工作时,就可能涉及恶意行为。情绪异常检测分析每两名员工日常交流文本之间的所有对话,通过负面程度发现潜在的心理问题。行为异常检测通过分析日志操作来发现威胁。它利用从注意力和情绪异常中获取的信息作为辅助特征,并将其与从日志操作中提取的特征和统计信息相整合,创建日志嵌入。有了这些日志嵌入,LaAeb 就会采用 Isolation Forest 等异常检测算法来分析员工的恶意操作,并通过考虑同一部门所有员工的行为来进一步检测员工的行为异常。最后,LaAeb 综合了三种表明内部威胁的模式的检测结果。我们实现了 LaAeb 的原型,并在 CERT 和 LANL 数据集上进行了测试。我们的评估结果表明,与最先进的无监督方法相比,LaAeb 在 CERT 数据集上降低了 50%的 FPR,在相同的 AUC(0.93)下达到 0.05,在 LANL 数据集上获得最佳 AUC(0.97),高出 0.06。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
Computers & Security
Computers & Security 工程技术-计算机:信息系统
CiteScore
12.40
自引率
7.10%
发文量
365
审稿时长
10.7 months
期刊介绍: Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信