Xiaoling Tao , Jianxiang Liu , Yuelin Yu , Haijing Zhang , Ying Huang
{"title":"An insider threat detection method based on improved Test-Time Training model","authors":"Xiaoling Tao , Jianxiang Liu , Yuelin Yu , Haijing Zhang , Ying Huang","doi":"10.1016/j.hcc.2024.100283","DOIUrl":null,"url":null,"abstract":"<div><div>As network and information systems become widely adopted across industries, cybersecurity concerns have grown more prominent. Among these concerns, insider threats are considered particularly covert and destructive. Insider threats refer to malicious insiders exploiting privileged access to networks, systems, and data to intentionally compromise organizational security. Detecting these threats is challenging due to the complexity and variability of user behavior data, combined with the subtle and covert nature of insider actions. Traditional detection methods often fail to capture both long-term dependencies and short-term fluctuations in time-series data, which are crucial for identifying anomalous behaviors. To address these issues, this paper introduces the Test-Time Training (TTT) model for the first time in the field of insider threat detection, and proposes a detection method based on the TTT-ECA-ResNet model. First, the dataset is preprocessed. TTT is applied to extract long-term dependencies in features, effectively capturing dynamic sequence changes. The Residual Network, incorporating the Efficient Channel Attention mechanism, is used to extract local feature patterns, capturing relationships between different positions in time-series data. Finally, a Linear layer is employed for more precise detection of insider threats. The proposed approaches were evaluated using the CMU CERT Insider Threat Dataset, achieving an AUC of 98.75% and an F1-score of 96.81%. The experimental results demonstrate the effectiveness of the proposed methods, outperforming other state-of-the-art approaches.</div></div>","PeriodicalId":100605,"journal":{"name":"High-Confidence Computing","volume":"5 1","pages":"Article 100283"},"PeriodicalIF":3.2000,"publicationDate":"2025-01-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"High-Confidence Computing","FirstCategoryId":"1085","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2667295224000862","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
Abstract
As network and information systems become widely adopted across industries, cybersecurity concerns have grown more prominent. Among these concerns, insider threats are considered particularly covert and destructive. Insider threats refer to malicious insiders exploiting privileged access to networks, systems, and data to intentionally compromise organizational security. Detecting these threats is challenging due to the complexity and variability of user behavior data, combined with the subtle and covert nature of insider actions. Traditional detection methods often fail to capture both long-term dependencies and short-term fluctuations in time-series data, which are crucial for identifying anomalous behaviors. To address these issues, this paper introduces the Test-Time Training (TTT) model for the first time in the field of insider threat detection, and proposes a detection method based on the TTT-ECA-ResNet model. First, the dataset is preprocessed. TTT is applied to extract long-term dependencies in features, effectively capturing dynamic sequence changes. The Residual Network, incorporating the Efficient Channel Attention mechanism, is used to extract local feature patterns, capturing relationships between different positions in time-series data. Finally, a Linear layer is employed for more precise detection of insider threats. The proposed approaches were evaluated using the CMU CERT Insider Threat Dataset, achieving an AUC of 98.75% and an F1-score of 96.81%. The experimental results demonstrate the effectiveness of the proposed methods, outperforming other state-of-the-art approaches.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
