Daily insider threat detection with hybrid TCN transformer architecture.

Journal: Scientific reports
Published Date:

Abstract

Internal threats are becoming more common in today's cybersecurity landscape. This is mainly because internal personnel often have privileged access, which can be exploited for malicious purposes. Traditional detection methods frequently fail due to data imbalance and the difficulty of detecting hidden malicious activities, especially when attackers conceal their intentions over extended periods. Most existing internal threat detection systems are designed to identify malicious users after they have acted. They model the behavior of normal employees to spot anomalies. However, detection should shift from targeting users to focusing on discrete work sessions. Relying on post hoc identification is unacceptable for businesses and organizations, as it detects malicious users only after completing their activities and leaving. Detecting threats based on daily sessions has two main advantages: it enables timely intervention before damage escalates and captures context-relevant risk factors. Our research introduces a novel detection framework for single-day employee behavior detection to address these issues. This framework combines the strengths of Temporal Convolutional Networks (TCNs) and the Transformer architecture. The integrated model uses sliding window technology to segment user logs into time series for model input. The TCN component employs causal and dilated convolutions to maintain temporal order and expand the receptive field, enhancing the detection of long-term patterns. The Transformer models global dependencies in sequences, improving the detection of complex long-term behaviors. The model detects anomalies at each time step and achieves a recall rate of [Formula: see text] with a sequence length of 30 days. Experimental results show that this method can accurately detect malicious behavior daily, promptly identify such actions, and effectively mitigate internal threats in complex environments.

Authors

  • Xiaoyun Ye
    School of information and control engineering, Qingdao University of Technology, Qingdao, 266520, China. yexiaoyun@qut.edu.cn.
  • Huangrongbin Cui
    School of information and control engineering, Qingdao University of Technology, Qingdao, 266520, China.
  • Faqin Luo
    School of information and control engineering, Qingdao University of Technology, Qingdao, 266520, China.
  • Jinlong Wang
  • Xiaoyun Xiong
    School of information and control engineering, Qingdao University of Technology, Qingdao, 266520, China.
  • Wencui Zhang
    School of business, Qingdao Binhai University, Qingdao, 266555, China.
  • Jiawei Yu
    College of Engineering, Shibaura Institute of Technology, Tokyo 135-8548, Japan.
  • Wenhao Zhao
    Department of Spine Surgery, The Affiliated Hospital of Qingdao University, Qingdao, China.