Hierarchical Classification Using Ensemble of Feed-Forward Networks for Insider Threat Detection from Activity Logs
| dc.contributor.author | Singh S.; Chattopadhyay P. |
| dc.date.accessioned | 2025-05-23T11:17:26Z |
| dc.description.abstract | Insider threat is a significant cybersecurity concern that poses challenges in detection due to its infrequent occurrence and diverse data types. Recent Machine and Deep Learning-based approaches to insider threat detection mostly focus on using sophisticated feature extraction models. However, an ensemble of relatively simpler neural network models is also known to be an effective classifier and there has not been much work on insider threat detection with supervised ensemble models, which we aim to study in this work. The proposed approach follows a two-stage hierarchical process in which the first stage involves training multiple Deep Feed Forward Neural Network models on different subsets of data to identify whether a time-series of user activity is either malicious or non-malicious. The second stage involves identifying the threat scenario if the time series activity is classified as malicious in the first stage. The individual learners in the ensemble are trained with a balanced dataset formed by random undersampling of the majority class instances without replacement to prevent biasedness towards any particular class during the prediction. Further, no two learners are trained using the same dataset which helps in learning accurate decision boundaries between the target classes. Experiments on the CMU CERT insider threat data (version 4.2) verify the effectiveness of our approach in identifying the different insider threat categories. © 2023 IEEE. |
| dc.identifier.doi | https://doi.org/10.1109/INDICON59947.2023.10440886 |
| dc.identifier.uri | http://172.23.0.11:4000/handle/123456789/7389 |
| dc.relation.ispartofseries | 2023 IEEE 20th India Council International Conference, INDICON 2023 |
| dc.title | Hierarchical Classification Using Ensemble of Feed-Forward Networks for Insider Threat Detection from Activity Logs |