An insider threat detection method based on improved Test-Time Training model

Impact factor 3.2, JCR Q2, Computer Science, Information Systems
Xiaoling Tao, Jianxiang Liu, Yuelin Yu, Haijing Zhang, Ying Huang
Journal: High-Confidence Computing, vol. 5, no. 1, Article 100283
Publication date: 2025-01-14 (journal article)
DOI: 10.1016/j.hcc.2024.100283
URL: https://www.sciencedirect.com/science/article/pii/S2667295224000862
Citation count: 0

Abstract

As network and information systems become widely adopted across industries, cybersecurity concerns have grown more prominent. Among these concerns, insider threats are considered particularly covert and destructive. Insider threats refer to malicious insiders exploiting privileged access to networks, systems, and data to intentionally compromise organizational security. Detecting these threats is challenging due to the complexity and variability of user behavior data, combined with the subtle and covert nature of insider actions. Traditional detection methods often fail to capture both long-term dependencies and short-term fluctuations in time-series data, which are crucial for identifying anomalous behaviors. To address these issues, this paper introduces the Test-Time Training (TTT) model for the first time in the field of insider threat detection, and proposes a detection method based on the TTT-ECA-ResNet model. First, the dataset is preprocessed. TTT is applied to extract long-term dependencies in features, effectively capturing dynamic sequence changes. The Residual Network, incorporating the Efficient Channel Attention mechanism, is used to extract local feature patterns, capturing relationships between different positions in time-series data. Finally, a Linear layer is employed for more precise detection of insider threats. The proposed approaches were evaluated using the CMU CERT Insider Threat Dataset, achieving an AUC of 98.75% and an F1-score of 96.81%. The experimental results demonstrate the effectiveness of the proposed methods, outperforming other state-of-the-art approaches.
Source journal metrics: CiteScore 4.70, self-citation rate 0.00%