As organizations navigate the complexities of the digital era, they face a growing and particularly insidious threat: internal cyber-attacks. These insider threats, whether intentional or unintentional, present unique cybersecurity challenges. This paper introduces a novel approach to real-time anomaly detection for insider threat hunting, leveraging sliding windows to analyze event streams at the finest granularity, event by event. Our methodology employs a range of unsupervised learning algorithms, including conventional machine learning methods, graph neural networks (GNN), and natural language processing (NLP) techniques, to identify anomalies without prior knowledge of potential attacks. Using sliding windows, we ensure continuous and contextual analysis, enabling real-time processing and detection. This approach is evaluated using the CERT insider threat dataset, renowned for its richness and believability, which simulates the activities of a large organization over an extended period, offers between 0.95 and 1 in usual ML metrics, and a true real-time process. By unifying these techniques under a shared framework, our solution aims to provide a robust and practical approach for the real-time detection of anomalies involved in insider threat activities, thereby enabling organizations to protect their critical assets from potential damage by malicious or negligent insiders.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Real-Time Anomaly Detection for Event-Based Insider Threat Hunting

  • Thibault Leblanc,
  • Neda Baghalizadeh-Moghadam,
  • Frédéric Cuppens,
  • Nora Boulahia-Cuppens

摘要

As organizations navigate the complexities of the digital era, they face a growing and particularly insidious threat: internal cyber-attacks. These insider threats, whether intentional or unintentional, present unique cybersecurity challenges. This paper introduces a novel approach to real-time anomaly detection for insider threat hunting, leveraging sliding windows to analyze event streams at the finest granularity, event by event. Our methodology employs a range of unsupervised learning algorithms, including conventional machine learning methods, graph neural networks (GNN), and natural language processing (NLP) techniques, to identify anomalies without prior knowledge of potential attacks. Using sliding windows, we ensure continuous and contextual analysis, enabling real-time processing and detection. This approach is evaluated using the CERT insider threat dataset, renowned for its richness and believability, which simulates the activities of a large organization over an extended period, offers between 0.95 and 1 in usual ML metrics, and a true real-time process. By unifying these techniques under a shared framework, our solution aims to provide a robust and practical approach for the real-time detection of anomalies involved in insider threat activities, thereby enabling organizations to protect their critical assets from potential damage by malicious or negligent insiders.