Anomaly-Based Insider Threat Detection via Hierarchical Information Fusion

Insider threats can cause serious damage to organizations and insider threat detection has received increasing attention from research and industries in recent years. Anomaly-based methods are one of the important approaches for insider threat detection. Existing anomaly-based methods usually detect anomalies in either the entire sample space or the individual user space. However, we argue that whether the behavior is anomalous depends on the corresponding contextual information and the context scope can have more granularities. Overall normal behavior may be anomalous within a specific department, while normal behavior within a department may be anomalous for a specific person. To this end, in this paper, we propose a novel insider threat detection method that explicitly models anomalies with hierarchical context scopes (i.e., organization, department, and person) and fuses them to compute anomaly scores. Comparisons with the unsupervised state-of-the-art approaches on the CMU CERT dataset demonstrate the effectiveness of the proposed method. Our method won the first prize in the CCF-BDCI competition.