Design of an Ensemble Learning Behavior Anomaly Detection Framework

Data asset protection is a crucial issue in the
cybersecurity field. Companies use logical access control tools to
vault their information assets and protect them against external
threats, but they lack solutions to counter insider threats. Nowadays,
insider threats are the most significant concern of security analysts.
They are mainly individuals with legitimate access to companies'
information systems who use their rights with malicious intent.
In several fields, behavior anomaly detection is the method used by
cyber specialists to counter the threat of malicious user activities
effectively. In this paper, we present a step toward the construction
of a user and entity behavior analysis framework by proposing a
behavior anomaly detection model. This model combines machine
learning classification techniques and graph-based methods, relying
on linear algebra and parallel computing techniques. We show the
utility of an ensemble learning approach in this context. We present
test results of several detection methods on a representative access
control dataset. Some of the explored classifiers reach an accuracy of
up to 99%.
