International Journal of Advanced Research in Computer and Communication Engineering
A monthly Peer-reviewed & Refereed journal
ISSN Online 2278-1021 | ISSN Print 2319-5940 | Since 2012
IJARCCE adheres to the suggestive parameters outlined by the University Grants Commission (UGC) for peer-reviewed journals, upholding high standards of research quality, ethical publishing, and academic excellence.
← Back to VOLUME 15, ISSUE 5, MAY 2026

Insider Threat Detection System Using Machine Learning

Mr. M.V. Prabhakaran, Naveen A, Saran R, HOD, Computer Science Engineering (Cyber Security)

Abstract: Insider threats are one of the major challenges in securing an organizational network: because the insider holds legitimate access rights, their malicious activities are hard to trace with traditional security measures. Most current insider threat detection systems are based on supervised learning, which demands large amounts of labeled data, and that data tends to be imbalanced. To tackle these problems, this work employs a hybrid insider threat detection model that combines Isolation Forest with temporal behavior profiling and a Random Forest algorithm for classification. The proposed solution is based on simulating normal user activity and identifying irregularities that could be associated with insider attacks. Unlike conventional solutions, which rely solely on static variables, this solution uses temporal behavioral variables, including access rate, session time, abnormal system activity during offline sessions, and sudden changes in user activity patterns. The Isolation Forest algorithm is used to identify abnormal activity at the algorithmic level without relying on resampling, which mitigates overfitting and avoids distorting the data. The proposed approach has been tested on the CERT insider threat dataset, which is known for its extreme class imbalance. Results show that the hybrid model, which combines the benefits of temporal profiling with the strengths of anomaly-based approaches, greatly increases accuracy while keeping false positives low. This indicates that the model is quite robust.

Keywords: Insider threat detection, anomaly detection, Isolation Forest, Random forest, behavioral analysis, temporal profiling, imbalanced dataset, framework.

How to Cite:

[1] Mr. M.V. Prabhakaran, Naveen A, Saran R, HOD, Computer Science Engineering (Cyber Security), "Insider Threat Detection System Using Machine Learning," International Journal of Advanced Research in Computer and Communication Engineering (IJARCCE), DOI: 10.17148/IJARCCE.2026.155103

Creative Commons License This work is licensed under a Creative Commons Attribution 4.0 International License.