Unveiling Shadows: Harnessing Artificial Intelligence for Insider Threat Detection
Received: 15 January 2024 | Revised: 1 February 2024 | Accepted: 4 February 2024 | Online: 16 February 2024
Corresponding author: Erhan Yilmaz
Abstract
Insider threats pose a significant risk to organizations and call for robust detection mechanisms to guard against potential damage. Traditional methods struggle to detect insiders who operate within their authorized access, so Artificial Intelligence (AI) techniques are essential. This study aimed to provide valuable insights for insider threat research by synthesizing advanced AI methodologies that offer promising avenues for strengthening organizational cybersecurity defenses. To this end, the paper explores the intersection of AI and insider threat detection, acknowledging the challenges organizations face in identifying and preventing malicious activities by insiders. The limitations of traditional methods are recognized, and AI techniques, including user behavior analytics, Natural Language Processing (NLP), Large Language Models (LLMs), and graph-based approaches, are investigated as potential solutions that provide more effective detection mechanisms. The paper also addresses challenges such as the scarcity of insider threat datasets, privacy concerns, and the evolving nature of employee behavior. It contributes to the field by investigating the feasibility of AI techniques for detecting insider threats and presents feasible approaches to strengthening organizational cybersecurity defenses against them. Finally, the paper outlines future research directions, focusing on the importance of multimodal data analysis, human-centric approaches, privacy-preserving techniques, and explainable AI.
Keywords:
cybersecurity, insider threats, artificial intelligence
License
Copyright (c) 2024 Erhan Yilmaz, Ozgu Can
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain the copyright and grant the journal the right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) after its publication in ETASR with an acknowledgement of its initial publication in this journal.