The cyber insider threat is often addressed as a purely cybersecurity challenge, overlooking its inherently multidisciplinary nature. While modern security stacks such as Extended Detection and Response (XDR), User and Entity Behavior Analytics (UEBA), Data Loss Prevention (DLP), and Identity and Access Management (IAM) have evolved to incorporate behavioral analytics, their effectiveness against subtle, evolving, or contextually anomalous behaviors that characterize advanced insider threats remains limited. These threats often require rich context and multi-source correlation for effective detection. To address these limitations, we propose a practical socio-technical framework for real-time hunting of advanced persistent insider threats based on dynamic risk indicators. Our approach reduces reliance on purely rule-based detections by enabling earlier identification of weak signals prior to the materialization of technical attacks. This framework not only reduces detection time but also contextualizes alerts for more effective investigation and response. The framework employs a sliding-window system that combines time- and event-based analyses to dynamically and continuously monitor multi-source activity streams. It generates evolving risk profiles using a suite of advanced machine learning models, including Long Short-Term Memory (LSTM) networks and Natural Language Processing (NLP) models. We validate our framework using the widely adopted Carnegie Mellon University - Computer Emergency Response Team (CMU-CERT) Insider Threat Dataset (version r4.2). Our experiments demonstrate that our approach outperforms prior studies across key performance metrics (f1-score, accuracy, recall).

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Real-Time Insider Threat Hunting Based on Dynamic Risk Indicators

  • N’Famoussa Kounon Nanamou,
  • Neda Baghalizadeh-Moghadam,
  • Thibault Leblanc,
  • Kéren A. Saint-Hilaire,
  • Nora Boulahia-Cuppens,
  • Frédéric Cuppens,
  • Anis Bkakria

摘要

The cyber insider threat is often addressed as a purely cybersecurity challenge, overlooking its inherently multidisciplinary nature. While modern security stacks such as Extended Detection and Response (XDR), User and Entity Behavior Analytics (UEBA), Data Loss Prevention (DLP), and Identity and Access Management (IAM) have evolved to incorporate behavioral analytics, their effectiveness against subtle, evolving, or contextually anomalous behaviors that characterize advanced insider threats remains limited. These threats often require rich context and multi-source correlation for effective detection. To address these limitations, we propose a practical socio-technical framework for real-time hunting of advanced persistent insider threats based on dynamic risk indicators. Our approach reduces reliance on purely rule-based detections by enabling earlier identification of weak signals prior to the materialization of technical attacks. This framework not only reduces detection time but also contextualizes alerts for more effective investigation and response. The framework employs a sliding-window system that combines time- and event-based analyses to dynamically and continuously monitor multi-source activity streams. It generates evolving risk profiles using a suite of advanced machine learning models, including Long Short-Term Memory (LSTM) networks and Natural Language Processing (NLP) models. We validate our framework using the widely adopted Carnegie Mellon University - Computer Emergency Response Team (CMU-CERT) Insider Threat Dataset (version r4.2). Our experiments demonstrate that our approach outperforms prior studies across key performance metrics (f1-score, accuracy, recall).