<p>Insiders threats typically originate from authorized personnel who are familiar with the organization’s insider security measures. They typically hide within vast amounts of normal operational logs, characterized by their covert nature, complexity, and diversity. These attributes make insider threat detection one of the most challenging tasks in cybersecurity protection for enterprises and organizations. Current methods for insider threat detection primarily fall into two categories: traditional machine learning methods and deep learning methods. Machine learning methods typically rely on feature engineering to extract features, which are then processed by shallow models. Deep learning methods typically operate by either feeding user feature vectors into neural networks or by analyzing chronological behavior sequences from user logs with time series models to detect insider threats. However, existing methods frequently ignore the multi-scale periodicity inherent in user behaviors and do not adequately leverage absolute timestamp data from logs. Furthermore, they typically categorize behaviors coarsely as normal or anomalous, which fails to achieve precise identification of distinct insider threat types. To address these limitations, we propose BTITD, a dual-stream network for insider threat detection. BTITD first processes user behavior logs into two parallel sequences: a behavior sequence and a timestamp sequence. The behavior sequence is transformed via Fourier transform, folded into two-dimensional tensors based on key periods, and processed with two-dimensional convolutions to extract multi-scale periodic patterns. Meanwhile, the timestamp sequence is modeled by a BiLSTM network to capture long-range temporal dependencies. Finally, an attention mechanism fuses the representations from both streams to achieve accurate detection. A series of experiments on the CERT 4.2 dataset demonstrate that BTITD outperforms baseline methods in both binary and multi-class detection tasks. BTITD achieves an F1 score of 97.56% for binary detection and a macro-F1 score of 94.66% for multi-class detection.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

BTITD: an insider threat detection method based on behavior-timestamp dual-stream network

  • Chen Zhang,
  • Guang Yang,
  • Tian Tian,
  • Bo Jiang,
  • Zhigang Lu,
  • Tao Guo

摘要

Insiders threats typically originate from authorized personnel who are familiar with the organization’s insider security measures. They typically hide within vast amounts of normal operational logs, characterized by their covert nature, complexity, and diversity. These attributes make insider threat detection one of the most challenging tasks in cybersecurity protection for enterprises and organizations. Current methods for insider threat detection primarily fall into two categories: traditional machine learning methods and deep learning methods. Machine learning methods typically rely on feature engineering to extract features, which are then processed by shallow models. Deep learning methods typically operate by either feeding user feature vectors into neural networks or by analyzing chronological behavior sequences from user logs with time series models to detect insider threats. However, existing methods frequently ignore the multi-scale periodicity inherent in user behaviors and do not adequately leverage absolute timestamp data from logs. Furthermore, they typically categorize behaviors coarsely as normal or anomalous, which fails to achieve precise identification of distinct insider threat types. To address these limitations, we propose BTITD, a dual-stream network for insider threat detection. BTITD first processes user behavior logs into two parallel sequences: a behavior sequence and a timestamp sequence. The behavior sequence is transformed via Fourier transform, folded into two-dimensional tensors based on key periods, and processed with two-dimensional convolutions to extract multi-scale periodic patterns. Meanwhile, the timestamp sequence is modeled by a BiLSTM network to capture long-range temporal dependencies. Finally, an attention mechanism fuses the representations from both streams to achieve accurate detection. A series of experiments on the CERT 4.2 dataset demonstrate that BTITD outperforms baseline methods in both binary and multi-class detection tasks. BTITD achieves an F1 score of 97.56% for binary detection and a macro-F1 score of 94.66% for multi-class detection.