Insider threats typically come from authorized personnel familiar with the organization’s internal security measures. The inherent complexity and stealth characteristics of these threats make their detection a significant challenge in cybersecurity research. Current insider threat detection methods often neglect the interactive relationships between entities (such as users, PCs, files), while also failing to fully utilize heterogeneous information, leading to limited detection performance. To address these limitations, we propose SlotITD, a novel insider threat detection method using slot-based heterogeneous graph neural network. The method constructs an access relationship heterogeneous graph by extracting entity interaction patterns across multi-source user behavior logs. To prevent the semantic interference that arises when heterogeneous nodes pass messages in a shared feature space, we perform message passing separately in slots, with each slot representing the specific feature space for each type of node. We adopt a dual-level message aggregation strategy, including intra-slot aggregation and inter-slot aggregation, to ultimately obtain enhanced node representations that integrate both homogeneous and heterogeneous information, thereby achieving insider threat detection. Our extensive experiments on the CERT 4.2 insider threat dataset demonstrate that the proposed SlotITD can effectively capture critical behavioral patterns from inter-node access relationships, consequently significantly improving insider threat detection performance with an F1 score of 97.46%.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

SlotITD: Insider Threat Detection Method Using Slot-Based Heterogeneous Graph Neural Network

  • Chen Zhang,
  • Yinhao Qi,
  • Yan Zhu,
  • Bo Jiang,
  • Zhigang Lu,
  • Tao Guo

摘要

Insider threats typically come from authorized personnel familiar with the organization’s internal security measures. The inherent complexity and stealth characteristics of these threats make their detection a significant challenge in cybersecurity research. Current insider threat detection methods often neglect the interactive relationships between entities (such as users, PCs, files), while also failing to fully utilize heterogeneous information, leading to limited detection performance. To address these limitations, we propose SlotITD, a novel insider threat detection method using slot-based heterogeneous graph neural network. The method constructs an access relationship heterogeneous graph by extracting entity interaction patterns across multi-source user behavior logs. To prevent the semantic interference that arises when heterogeneous nodes pass messages in a shared feature space, we perform message passing separately in slots, with each slot representing the specific feature space for each type of node. We adopt a dual-level message aggregation strategy, including intra-slot aggregation and inter-slot aggregation, to ultimately obtain enhanced node representations that integrate both homogeneous and heterogeneous information, thereby achieving insider threat detection. Our extensive experiments on the CERT 4.2 insider threat dataset demonstrate that the proposed SlotITD can effectively capture critical behavioral patterns from inter-node access relationships, consequently significantly improving insider threat detection performance with an F1 score of 97.46%.