Anomaly-based insider threat detection using deep autoencoders

In recent years, the malicious insider threat has become one of the most significant cyber security threats that an organisation can be subject to. Due to an insider's natural ability to evade deployed information security mechanisms such as firewalls and endpoint protections, the detection of an insider threat can be challenging. Moreover, compared to the volume of audit data that an organization collects for the purpose of intrusion/anomaly detection, the digital footprint left by a malicious insider's action can be minuscule. To detect insider threats from large and complex audit data, in this paper, we propose a detection system that implements anomaly detection using an ensemble of deep autoencoders. Each autoencoder in the ensemble is trained using a certain category of audit data, which represents a user's normal behaviour accurately. The reconstruction error obtained between the original and the decoded data is used to measure whether any behaviour is anomalous or not. After the data has been processed by the individually trained autoencoders and the respective reconstruction errors obtained, a joint decision-making mechanism is used to report a user's overall maliciousness score. Numerical experiments are conducted using a benchmark dataset for insider threat detection. Results indicate that the proposed detection system is able to detect all of the malicious insider actions with a reasonable false positive rate.