Supervised and Unsupervised Methods to Detect Insider Threat from Enterprise Social and Online Activity Data


Gaurang Gavai¹⁺, Kumar Sricharan¹, Dave Gunning¹, John Hanley¹, Mudita Singhal¹, and Rob Rolleston²

¹ Palo Alto Research Center, Palo Alto CA 94304 USA
{ggavai, skumar, dgunning, jhanley, msinghal}@parc.com

² Palo Alto Research Center East, Webster NY 14580 USA
rrolleston@parc.com
Abstract

Insider threat is a significant security risk for organizations, and detecting it is of paramount concern. In this paper, we attempt to discover insider threat by analyzing the enterprise social and online activity data of employees. To this end, we process the data and extract features that are possibly indicative of insider threat behavior: features from social data, such as email communication patterns and content, and features from online activity data, such as web browsing patterns, email frequency, and file and machine access patterns. We then take two approaches to detecting insider threat: (i) an unsupervised approach, in which we identify statistically abnormal behavior with respect to these features using state-of-the-art anomaly detection methods, and (ii) a supervised approach, in which we use labels indicating when employees quit the company as a proxy for insider threat activity and train a classifier on them. We test our approach on a real-world data set with artificially injected insider threat events, obtaining a ROC score of 0.77 for the unsupervised approach and a classification accuracy of 73.4% for the supervised approach. These results indicate that the proposed approaches are fairly successful at identifying insider threat events. Finally, we build a visualization dashboard that enables managers and HR personnel to quickly identify employees with high threat risk scores, so that they can take suitable preventive measures and limit security risk.

Keywords: Anomaly detection, insider threat detection, quitting detection, enterprise social data
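The unsupervised pipeline the abstract describes, as an added illustration that is not the paper's own code: constructed per-employee-day activity features with artificially injected insider events, a simple squared z-score anomaly scorer standing in for the paper's unspecified anomaly detector, and ROC-area evaluation against the injected labels. The feature names, distributions, injection pattern and the `top_risk` helper are assumptions, not taken from the paper.

```python
import random
from statistics import mean, pstdev

# Per-employee-day activity features, mirroring the kinds of signals the paper names
# (email frequency, web browsing, file access). Names and distributions are assumptions.
FEATURES = ("emails_sent", "web_domains", "files_accessed", "after_hours_logins")

def synthetic_dataset(n_users=40, n_days=30, n_injected=12, seed=7):
    """Constructed feature vectors with injected insider events (label 1 = injected)."""
    rng = random.Random(seed)
    rows, labels = [], []
    for _ in range(n_users * n_days):
        rows.append({"emails_sent": rng.gauss(25, 6), "web_domains": rng.gauss(15, 4),
                     "files_accessed": rng.gauss(30, 8), "after_hours_logins": abs(rng.gauss(0.5, 0.5))})
        labels.append(0)
    for i in rng.sample(range(len(rows)), n_injected):
        # Constructed injected event: bulk file access combined with unusual off-hours activity.
        rows[i]["files_accessed"] += rng.uniform(80, 150)
        rows[i]["after_hours_logins"] += rng.uniform(4, 8)
        labels[i] = 1
    return rows, labels

def anomaly_scores(rows):
    """Unsupervised score: sum of squared z-scores over all features (higher = more abnormal)."""
    scores = [0.0] * len(rows)
    for f in FEATURES:
        col = [r[f] for r in rows]
        m, s = mean(col), pstdev(col) or 1.0   # guard against a constant feature
        for i, v in enumerate(col):
            scores[i] += ((v - m) / s) ** 2
    return scores

def roc_auc(scores, labels):
    """Area under the ROC curve via the rank (Mann-Whitney) formulation; ties count half."""
    pos = [s for s, l in zip(scores, labels) if l]
    neg = [s for s, l in zip(scores, labels) if not l]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def top_risk(rows, scores, k=5):
    """Indices of the k highest-scoring employee-days, the list a risk dashboard would surface."""
    return sorted(range(len(rows)), key=lambda i: -scores[i])[:k]

if __name__ == "__main__":
    rows, labels = synthetic_dataset()
    scores = anomaly_scores(rows)
    print("ROC AUC on injected events:", round(roc_auc(scores, labels), 3))
    print("Top-5 risk rows:", top_risk(rows, scores))
```

Because the injected events are deliberately strong, the AUC here is far above the paper's reported 0.77; on real data with subtler events the separation is much smaller.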

⁺ Corresponding author: Gaurang Gavai, Tel: +1-(650)-812-4760

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 6, No. 4, pp. 47-63, December 2015