Graph Intelligence Enhanced Bi-Channel Insider Threat Detection

For an organization, insider intrusion generally poses far more detrimental threats than outsider intrusion. Traditionally, insider threat is detected by analyzing logged user behaviours and then establishing a binary classifier to distinguish malicious ones. However, most approaches consider user behaviour in an isolated manner, inevitably missing the background information from organizational connections such as a shared supervisor or e-mail interactions. Consequently, the performance of those existing works still has the potential to be enhanced. In this paper, we propose a bi-channel insider threat detection (B-CITD) framework enhanced by graph intelligence to improve the overall performance of existing methods. Firstly, We extract behavioural features from a series of log files as the inner-user channel features. Secondly, we construct an organizational connection graph and extract topological features through a graph neural networks (GNN) model as the inter-user channel features. In the end, the features from inner-user and inter-user channels are combined together to perform an insider threat detection task through a binary classification model. Experimental results on an open-sourced CERT 4.2 dataset show that B-CITD can enhance the performance of insider threat detection by a large margin, compared with using features only from inner-user or inter-user channels. We published our code on GitHub: https://github.com/Wayne-on-the- road/B-CITD.