A Hybrid Model Based on Multi-dimensional Features for Insider Threat Detection

Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many people. A number of techniques have been proposed to detect insider threats by comparing behaviors among different individuals or by comparing the behaviors across different time periods of the same individual. However, both of them always fail to identify the certain kinds of inside threats due to the fact that the behaviors of insider threats are complex and diverse. To deal with this issue, this paper focuses on constructing a hybrid model to detect insider threats based on multi-dimensional features. First, an Across-Domain Anomaly Detection (ADAD) model is proposed to identify anomalous behaviors that deviate from the behaviors of their peers based on the isolation Forest algorithm. Second, an Across-Time Anomaly Detection (ATAD) model is proposed to measure the degree of unusual changes of a user's behavior based on an improved Markov model. What's more, we propose a hybrid model to integrate the evidence from the above two models ADAD and ATAD. To evaluate the performance of the proposed models comprehensively, we implement a series of experiments with the 17-month data. The experimental results show that the ADAD and ATAD models are robust and the hybrid model can outperform the two separated models obviously.