Dr Naghmeh Moradpoor N.Moradpoor@napier.ac.uk
Associate Professor
Insider Threat Detection Using Supervised Machine Learning Algorithms on an Extremely Imbalanced Dataset
Moradpoor, Naghmeh; Hall, Adam
Authors
Adam Hall
Abstract
An insider threat can take on many forms and fall under different categories. These include the malicious insider, the careless/unaware/uneducated/naïve employee, and the third-party contractor. A malicious insider, which can be a criminal agent recruited as a legitimate candidate or a disgruntled employee seeking revenge, is likely the most difficult category to detect, prevent and mitigate. Some malicious insiders misuse their positions of trust by disrupting normal operations, while others transfer confidential or vital information about the victim organisation, which can damage the employer's marketing position and/or reputation. In addition, some just lose their credentials (i.e. usernames and passwords), which can then be abused or stolen by an external hacker to breach the network using their name. Additionally, malicious insiders have free rein to roam a victim organisation unconstrained, which can lead to successfully collecting personal information of other colleagues and/or clients, or even installing malicious software into the system/network.
Machine learning techniques have been studied in published literature as a promising solution for such threats. However, they can be biased and/or inaccurate when the associated dataset is hugely imbalanced. In this case, an inaccurate classification could result in a huge cost to individuals and/or organisations. Therefore, this paper addresses insider threat detection on an extremely imbalanced dataset, which includes employing a popular balancing technique known as spread subsample. Our results show that although balancing our dataset using this technique did not improve performance metrics such as classification accuracy, true positive rate, false positive rate, precision, recall, and f-measure, it did improve the time taken to build the model and the time taken to test the model. Additionally, we realised that running our chosen classifiers with parameters other than the default ones has an impact on both balanced and imbalanced scenarios, but the impact is significantly stronger when using the imbalanced dataset.
Citation
Moradpoor, N., & Hall, A. (2020). Insider Threat Detection Using Supervised Machine Learning Algorithms on an Extremely Imbalanced Dataset. International Journal of Cyber Warfare and Terrorism, 10(2), https://doi.org/10.4018/IJCWT.2020040101
Journal Article Type | Article |
---|---|
Acceptance Date | Jan 22, 2020 |
Publication Date | 2020-04 |
Deposit Date | Feb 3, 2020 |
Publicly Available Date | Mar 9, 2020 |
Print ISSN | 1947-3435 |
Electronic ISSN | 1947-3443 |
Publisher | IGI Global |
Peer Reviewed | Peer Reviewed |
Volume | 10 |
Issue | 2 |
DOI | https://doi.org/10.4018/IJCWT.2020040101 |
Keywords | Insider Threat; Supervised Machine Learning; Imbalanced Dataset; Spread Subsample; Data Pre-Processing |
Public URL | http://researchrepository.napier.ac.uk/Output/2531926 |
Files
Insider Threat Detection Using Supervised Machine Learning Algorithms On An Extremely Imbalanced Dataset (publisher PDF)
(1.2 Mb)
PDF
Copyright Statement
The published version of this article is available at: Moradpoor, N., & Hall, A. (2020). Insider Threat Detection Using Supervised Machine Learning Algorithms on an Extremely Imbalanced Dataset. International Journal of Cyber Warfare and Terrorism, 10(2), https://doi.org/10.4018/IJCWT.2020040101