IEEE Access (Jan 2023)

Insider Threat Detection Model Using Anomaly-Based Isolation Forest Algorithm

  • Taher Al-Shehari,
  • Muna Al-Razgan,
  • Taha Alfakih,
  • Rakan A. Alsowail,
  • Saravanan Pandiaraj

DOI
https://doi.org/10.1109/ACCESS.2023.3326750
Journal volume & issue
Vol. 11
pp. 118170 – 118185

Abstract

Insider attacks may inflict far greater damage on an organization than outsider threats, since insiders are authorized users who are acquainted with the business’s systems, which makes detection harder. Many techniques for detecting insider threats have been developed, but they are neither flexible nor resilient owing to various obstacles (e.g., the lack of a real-world dataset and the highly skewed class distribution of the available dataset), which leaves insider threat detection an understudied research field. Previous techniques attempted to solve the dataset’s imbalance problem by increasing or lowering the number of observations in the dataset’s classes; however, this may lead to underfitting and overfitting problems. We present an insider threat detection model that addresses the class imbalance problem at the algorithm level using anomaly-based techniques, as an enhancement over previous approaches. To limit the effect of the skewed class distribution on insider threat detection, the Isolation Forest (IF) technique is used. The model is verified using the benchmark CERT insider threat dataset, which is significantly unbalanced, with a small number of malicious instances versus a large number of non-malicious instances. Several values of IF’s contamination ratio parameter are used to verify the model’s performance across a range of anomaly scores. The experimental findings reveal that the proposed model handles the dataset’s class imbalance with an accuracy score of 98%. The findings are compared with a baseline technique to demonstrate how the proposed model enhances detection performance and addresses the problem of data imbalance, and they indicate the usefulness of the proposed approach for identifying insider threats compared to previous studies.
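As an added illustration of the approach the abstract describes (this is not code from the paper, which evaluates on the CERT dataset), the following pure-Python Isolation Forest is run over a constructed, heavily skewed set of per-user activity vectors and the contamination ratio is swept to show the precision/recall trade-off that parameter controls. The three features (logons per day, after-hours logons, removable-media file copies) and the 200:4 class ratio are assumptions chosen for the example.

```python
import math
import random

def c_factor(n):  # expected path length of an unsuccessful BST search over n points (Liu et al.)
    return 0.0 if n <= 1 else 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(pts, depth, max_depth, rng):
    # Isolate points with random axis-aligned cuts until alone, identical, or depth-limited.
    spans = [(min(p[d] for p in pts), max(p[d] for p in pts)) for d in range(len(pts[0]))] if len(pts) > 1 else []
    dims = [d for d, (lo, hi) in enumerate(spans) if lo < hi]
    if depth >= max_depth or not dims:
        return ("leaf", len(pts))
    d = rng.choice(dims)
    cut = rng.uniform(*spans[d])
    return ("node", d, cut, build_tree([p for p in pts if p[d] < cut], depth + 1, max_depth, rng),
            build_tree([p for p in pts if p[d] >= cut], depth + 1, max_depth, rng))

def path_length(tree, p, depth=0):  # unresolved leaves add the expected remaining depth
    if tree[0] == "leaf":
        return depth + c_factor(tree[1])
    return path_length(tree[3] if p[tree[1]] < tree[2] else tree[4], p, depth + 1)

def fit_forest(X, n_trees=200, sample_size=256, seed=7):
    rng, psi = random.Random(seed), min(sample_size, len(X))
    return [build_tree(rng.sample(X, psi), 0, math.ceil(math.log2(psi)), rng) for _ in range(n_trees)], psi

def anomaly_scores(forest, X):  # score in (0, 1]: easily isolated points score close to 1
    trees, psi = forest
    return [2 ** (-sum(path_length(t, p) for t in trees) / len(trees) / c_factor(psi)) for p in X]

def flag_top(scores, contamination):  # IF's contamination ratio: flag the top fraction of scores
    cutoff = sorted(scores, reverse=True)[max(1, round(contamination * len(scores))) - 1]
    return [s >= cutoff for s in scores]

def evaluate(flags, labels):  # (precision, recall, accuracy) against ground truth
    tp = sum(f and l for f, l in zip(flags, labels))
    fp, fn = sum(flags) - tp, sum(labels) - tp
    return tp / (tp + fp), tp / (tp + fn), 1 - (fp + fn) / len(labels)

def make_dataset(n_normal=200, n_malicious=4, seed=1):
    # Constructed per-user vectors [logons/day, after-hours logons, removable-media copies]; 4 bad of 204.
    rng = random.Random(seed)
    normal = [[rng.uniform(6, 10), rng.uniform(0, 1.5), rng.uniform(0, 3)] for _ in range(n_normal)]
    bad = [[rng.uniform(6, 10), rng.uniform(10, 15), rng.uniform(30, 60)] for _ in range(n_malicious)]
    return normal + bad, [False] * n_normal + [True] * n_malicious

if __name__ == "__main__":
    X, y = make_dataset()
    scores = anomaly_scores(fit_forest(X), X)
    print({r: evaluate(flag_top(scores, r), y) for r in (0.01, 0.02, 0.05)})  # contamination sweep
```

Raising the contamination ratio above the true malicious fraction keeps recall at 1.0 but drags accuracy down through false positives, while setting it below the true fraction keeps accuracy high yet misses insiders; this is the sensitivity the paper's parameter sweep is probing.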

Keywords