Learning Correlation Graph and Anomalous Employee Behavior for Insider Threat Detection

Insider attacks can result in significant costs to an organization. There is an urgent need for an automatic insider threat detector with good accuracy and low false alarms. In this work, we propose a graph based insider threat detector to identify potential insider attackers based on identifying not only self-anomalous behaviors of an employee but also anomalies relative to other employees with similar job roles. A machine learning approach is developed to first infer the correlation graph among the organization's employees. Then, a graph signal processing method is designed to identify the potential insiders with detection and false positive rates better than performing detection independently on each employee. Our approach demonstrates that the correlated behaviors of an organization's employees should be exploited for a better detection of suspicious behaviors.