Unsupervised Learning for Insider Threat Prediction: A Behavioral Analysis Approach

Rahat Mehmood, Priyanka Singh, Zoe Jeffrey

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Most of the devastating cyber-attacks are caused by insiders with access privileges inside an organization. The main reason insider attacks are more effective is that insiders face few security barriers before they reach the critical resources of the system. Different machine learning techniques have previously been used to identify insider threats within the cybersecurity domain, whereas research on predicting insider attacks is not significant. Moreover, machine learning models used for prediction and detection face a critical limitation: they require training on labeled datasets, rendering them less effective for real-time data streams, which lack threat presence indicators. This work presents an unsupervised machine learning approach that predicts insider threats using behavior analysis for real-time threat data. Patterns are identified in user behavior to make predictions about benign and malicious insiders. Features are selected by analyzing the activities performed. The selected features are fed to a machine learning model, which extracts anomalous behavior among users using anomalies in their activity patterns, followed by learning methods for threat detection. A dataset that contains selected features from CERT r4.2 is used to make predictions. The performance of Isolation Forest (iForest) is compared with other algorithms of the same category, including One-class SVM, Local Outlier Factor (LOF) and DBSCAN, to evaluate the new approach. The iForest shows the best performance, with accuracy of 80 percent and recall of 84.2 percent.
Original language: English
Title of host publication: 2024 17th International Conference on Security of Information and Networks, SIN 2024
Place of Publication: Sydney, Australia
Publisher: Institute of Electrical and Electronics Engineers (IEEE)
Number of pages: 6
ISBN (Electronic): 979-8-3315-0973-6
Publication status: E-pub ahead of print - 13 Feb 2025
Event: 17th International Conference on Security of Information and Networks (SIN’24) - Sydney, Australia
Duration: 2 Dec 2024 to 4 Dec 2024
https://www.sinconf.org/sin2024/

Publication series

Name: 2024 17th International Conference on Security of Information and Networks, SIN 2024

Conference

Conference: 17th International Conference on Security of Information and Networks (SIN’24)
Abbreviated title: SIN 2024
Country/Territory: Australia
City: Sydney
Period: 2/12/24 to 4/12/24
Keywords

  • Cyber Security
  • insider threat prediction
  • machine learning
  • unsupervised learning
  • user behavior
