Unsupervised Graph Learning For Insider Threat Detection
摘要
We propose an automatic graph learning framework that models rich event dependencies from audit data, facilitating the detection of complex multi-event insider threats. Our method first relies on treating audit log entries as nodes in graphs with no edges initially. Each node is represented by an initial representation capturing daily user behaviours. This is achieved through a deep-sequential neural network architecture that results from a prior contribution. Then, we suggest a custom edge predictor that identifies long-term dependencies. The resulting graph is then used to identify abnormal nodes indicating malicious events. The proposed method does not require any label information from the audit data, classifying it as an unsupervised learning approach. Additionally, it does not require extensive audit log preprocessing, such as manual extraction of domain-knowledge-rich features or data balancing. Therefore, the suggested method is easy to implement and can be used across organizations regardless of their level of expertise. By providing a node-based scoring system, the resulting graph also functions as a diagnostic tool to help security experts understand detected threats. On the CERT benchmark dataset version 6.2, our approach outperforms previous state-of-the-art approaches, achieving an area under the ROC curve of 97.17%.