SoK: A Systematic Review of Insider Threat Detection

Aram Kim¹, Junhyoung Oh², Jinho Ryu¹, Jemin Lee², Kookheui Kwon¹, and Kyungho Lee²⁺

¹Korea Institute of Nuclear Nonproliferation and Control, Dajeon, South Korea

{aramkim, halloyu, vivacita}@kinac.re.kr

²Korea University, Seoul, South Korea

{ohjun02, jeminjustinlee, kevinlee}@korea.ac.kr

Abstract

Due to the subtle nature of the insider threat, government bodies and corporate organizations are forced to face the insider threat that is both malicious and accidental. In this paper, we provide a systematic understanding of the past literature that addresses the issues with insider threat detection. Our review consists of three items. First, we examine the different types of insider threats based on insider characteristics and insider activities. Second, we explore the sensors which make possible detecting insider threats in an automated way, and the public datasets available for research. Finally, the detection approaches used in related studies are examined from the perspective of technology, learning, input category, detection target, and interpretability. In particular, we have covered the state-of-the-art deep learning literature that was not covered in previous surveys.

Keywords: insider threat detection, machine learning, deep learning, survey.

+: Corresponding author: Kyungho Lee
Center for Information Security Technologies (CIST), Korea University, Seoul, Tel: +82-(0)2-3290-4885,
Web: https://www.rimala.net/