Viability of novel insider threat detection framework on augmented real-world and simulated datasets

Bibliographic Details
Main Author: Xiong Tian
Other Authors: Chen Lihui
Format: Theses and Dissertations
Language: English
Published: 2019
Online Access:http://hdl.handle.net/10356/78826
Institution: Nanyang Technological University
Description
Summary: Over the past few years, insider threats have been a growing concern for organizations. The concern has arisen from reported cases in which the damage caused by insider activity has far outweighed the damage caused by external factors. This has led to many studies that attempt to identify insider threats. However, despite the widespread interest, organizations that have experienced insider threats are often reluctant to share the relevant data for further research. Recently, a novel insider threat detection framework was proposed that attempts to identify potential insider threats by building employee profiles from the aspect-based sentiments observed in their emails. However, no real-world email corpus containing an insider threat scenario is available with which to properly evaluate the feasibility of the framework. In this work, the working mechanism of the framework is first analysed and understood. The framework is then applied to two different synthetic datasets, namely TWOS and Enron plus, and an in-depth analysis of the results is performed to estimate the viability of the framework in the real world. When the simulated dataset TWOS was applied to the insider threat detection framework, we found that the emotion polarity corresponds to three classical psychological behaviour theories. By comparing the accuracy obtained on TWOS and Enron plus, we further analysed the performance of the model on different datasets. Also, by analysing the difference between the actual situation and the anomaly detection results, we show that the anomaly detection results for some aspects agree with reality, whereas others cannot evaluate user performance. Therefore, we believe that irrelevant aspects may limit the detection capabilities of the insider threat detection framework.