GMFITD: Graph Meta-Learning for Effective Few-Shot Insider Threat Detection

Insider threats represent a significant challenge in both corporate and governmental sectors. Most existing supervised learning based detection methods that rely on transforming user behavior into sequential data do not fully utilize structural information and require extensive labeled data. This reliance poses a challenge due to the scarcity of labeled data in real-world scenarios, leading to a few-shot learning situation. To address these limitations, we propose a novel Graph modularized-based Meta-learning Framework for Insider Threat Detection, named GMFITD. Specifically, GMFITD utilizes a structural reconstruction mechanism that combines a graph-based autoencoder with an attention mechanism to explore structural information and infer potential relationships between users. Additionally, we employ a graph prototype construction method coupling episodic meta-learning principle (MAML) to compute representative embeddings for few-shot learning scenarios. By leveraging MAML, the proposed method can capture prior knowledge of insider threat classification by training on similar few-shot learning tasks with few labeled samples. We further enhance the resilience of GMFITD to adversarial attacks through an edge importance estimation mechanism, which assigns higher weights to relevant edges. Extensive experiments demonstrate that our proposed GMFITD outperforms state-of-the-art methods in insider threat detection, achieving higher accuracy with fewer labeled samples and resisting adversarial attacks.