Litcius/Paper detail

DANTE: Predicting Insider Threat using LSTM on system logs

Qicheng Ma, Nidhi Rastogi

202027 citationsDOI

Abstract

Insider threat is one of the most pernicious threat vectors to information and communication technologies (ICT) across the world due to the elevated level of trust and access that an insider is afforded. This type of threat can stem from both malicious users with a motive as well as negligent users who inadvertently reveal details about trade secrets, company information, or even access information to malignant players. In this paper, we propose a novel approach that uses system logs to detect insider behavior using a special recurrent neural network (RNN) model. Ground truth is established using DANTE and used as baseline for identifying anomalous behavior. For this, system logs are modeled as a natural language sequence and patterns are extracted from these sequences. We create workflows of sequences of actions that follow a natural language logic and control flow. These flows are assigned various categories of behaviors - malignant or benign. Any deviation from these sequences indicates the presence of a threat. We further classify threats into one of the five categories provided in the CERT insider threat dataset. Through experimental evaluation, we show that the proposed model can achieve 93% prediction accuracy.

Topics & Concepts

Insider threatInsiderComputer scienceWorkflowBaseline (sea)Sequence (biology)Natural languageArtificial intelligenceComputer securityArtificial neural networkRecurrent neural networkMachine learningDatabasePolitical scienceGeneticsGeologyOceanographyLawBiologyNetwork Security and Intrusion DetectionSoftware System Performance and ReliabilityInformation and Cyber Security
DANTE: Predicting Insider Threat using LSTM on system logs | Litcius