SlotITD: Insider Threat Detection Method Using Slot-Based Heterogeneous Graph Neural Network
摘要
Insider threats typically come from authorized personnel familiar with the organization’s internal security measures. The inherent complexity and stealth characteristics of these threats make their detection a significant challenge in cybersecurity research. Current insider threat detection methods often neglect the interactive relationships between entities (such as users, PCs, files), while also failing to fully utilize heterogeneous information, leading to limited detection performance. To address these limitations, we propose SlotITD, a novel insider threat detection method using slot-based heterogeneous graph neural network. The method constructs an access relationship heterogeneous graph by extracting entity interaction patterns across multi-source user behavior logs. To prevent the semantic interference that arises when heterogeneous nodes pass messages in a shared feature space, we perform message passing separately in slots, with each slot representing the specific feature space for each type of node. We adopt a dual-level message aggregation strategy, including intra-slot aggregation and inter-slot aggregation, to ultimately obtain enhanced node representations that integrate both homogeneous and heterogeneous information, thereby achieving insider threat detection. Our extensive experiments on the CERT 4.2 insider threat dataset demonstrate that the proposed SlotITD can effectively capture critical behavioral patterns from inter-node access relationships, consequently significantly improving insider threat detection performance with an F1 score of 97.46%.