Hongle Liu, Ming Liu, Lansheng Han, Haili Sun, Cai Fu
Title: Ripple2Detect: A semantic similarity learning based framework for insider threat multi-step evidence detection
Journal: Computers & Security, Volume 154, Article 104387
DOI: 10.1016/j.cose.2025.104387
Publication date: 2025-03-06
Publication type: Journal Article
URL: https://www.sciencedirect.com/science/article/pii/S0167404825000768
Citation count: 0
Abstract
Insider threat attacks occur when individuals misuse their access to an organization’s systems, data, or networks. These attacks, including Advanced Persistent Threats (APT), Pivoting, and Lateral Movement, often involve prolonged timelines and similar sensitive actions. Given the complexity of these attacks, current internal threat detection methods have their shortcomings.
Firstly, internal threat attacks typically involve multiple sequences of malicious operations, making it challenging to capture the entire attack process using a single model. Secondly, current research often overlooks the interconnections between user behavior sequences, failing to differentiate between malicious intentions, actions, and outcomes. This neglect may lead to forensic inaccuracies and the misattribution of benign activities as attacks, potentially causing erroneous responses. Furthermore, existing internal threat detection methods fail to mine relevant attack evidence from known sensitive behaviors to thoroughly analyze the attack mechanisms.
To address these challenges, we propose Ripple2Detect, a multi-step evidence detection framework for insider threat detection. First, Ripple2Detect builds an evidence sequence library by decomposing known attack behaviors into sequences and constructing a knowledge graph to measure their correlations. Next, we train a semantic similarity model based on the BERT architecture, tailored for operation sequences, to improve the detection of attack evidence. To overcome data imbalance, we introduce a contrastive learning loss to better distinguish between attack and non-attack behaviors. Finally, a preference propagation mechanism is used to predict attack behaviors within the knowledge graph.
We conduct experiments on Cert-r4.2 and Cert-r5.2 benchmark datasets, comparing our model with state-of-the-art approaches. The results suggest that our model can identify malicious sequences with 0.96 F1 score and achieve an attack identification F1 score of up to 0.99. The source code can be obtained from https://github.com/L3LeTrigger-F/Ripple2Detect_code
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.