A Multi-Perspective Approach to Insider Threat Detection

Insider Threat has become one of the most important types of attacks to identify and combat for both government and commercial organizations in recent years. The irreversible financial and security damages that can result from this type of threat have placed Insider Threat among the most important problems in cybersecurity [1]. The complexity of the problem is mainly due to the fact that the attacker is a legitimate user of the system, which makes it very difficult to draw a clear line between legitimate and malicious actions. This paper presents a multi-perspective approach for detection of insider threats in typical enterprise networks. In this approach, multiple detection engines monitor network activities from different perspectives and use the aggregate information to adjust their detection sensitivities. Experimental results from our studies show that this approach results in reduced false alarm probability as well as an increased ability to detect attacks by colluding insiders.