Evolving Insider Threat Detection
Pallabi Parveen
Dr. Bhavani Thuraisingham (Advisor)
Dept. of Computer Science, University of Texas at Dallas
Funded by AFOSR

Slide titles in this deck: Outline; Insider Threat Detection using Unsupervised Learning based on Graph; Outlines: Unsupervised Learning; Insider Threat is a real threat; Insider Threat: Continue; Related work; Related Approaches and comparison with proposed solutions; Why Unsupervised Learning?; Why Stream Mining; Proposed Method; GBAD Approach; Unsupervised Pattern Discovery; Three types of anomalies; Example of graph with normative pattern and different types of anomalies; Characteristics of Data Stream; Data Stream Classification; Ensemble of Classifiers; Proposed Ensemble based Insider Threat Detection (EIT); Ensemble based Classification of Data Streams (unsupervised learning, GBAD); EIT-U pseudocode; Experiments; A Sample system call record from MIT Lincoln Dataset; Token Sub-graph; Performance Contd.; Evolving Insider Threat Detection using Supervised Learning; Outlines: Supervised Learning; Why one class SVM; One class SVM (OCSVM); Ensemble based Classification of Data Streams (supervised learning); EIT-S pseudo code (Testing); EIT-S pseudocode; Feature Set extracted; Performance; Conclusion & Future Work; Publication; References; Thank You.

Outline
- Evolving Insider Threat Detection
  ◦ Unsupervised learning
  ◦ Supervised learning

Evolving Insider Threat Detection (architecture)
[Diagram] System traces arrive week by week (week i, week i+1). Data gathered from week i passes through feature extraction and selection into the learning algorithm (supervised: one-class SVM, OCSVM; unsupervised: graph-based anomaly detection, GBAD). Ensemble-based stream mining maintains an ensemble of models that is updated online. Data from week i+1 is tested against the ensemble to answer "Anomaly?".

Insider Threat Detection using Unsupervised Learning based on Graph

Outlines: Unsupervised Learning
- Insider Threat
- Related Work
- Proposed Method
- Experiments & Results

Definition of an Insider
An Insider is someone who exploits, or has the intention to exploit, their legitimate access to assets for unauthorised purposes.

Insider Threat is a real threat
Computer Crime and Security Survey 2001:
- $377 million in financial losses due to attacks
- 49% reported incidents of unauthorized network access by insiders

Insider Threat: Continue
- Insider threat
  ◦ Detection
  ◦ Prevention
- Detection-based approach:
  ◦ Unsupervised learning, Graph Based Anomaly Detection
  ◦ Ensemble-based Stream Mining

[The architecture diagram from the earlier slide is repeated here.]

Related work
- "Intrusion Detection Using Sequences of System Calls," supervised learning, by Hofmeyr
- "Mining for Structural Anomalies in Graph-Based Data Representations (GBAD) for Insider Threat Detection," unsupervised learning, by Staniford-Chen and Lawrence Holder
- All are static in nature: they cannot learn from an evolving data stream.

Related Approaches and comparison with proposed solutions

  Technique proposed by          Supervised/Unsupervised   Concept drift   Insider threat   Graph-based
  Forrest, Hofmeyr               Supervised                X               √                X
  Masud, Fan (Stream Mining)     Supervised                √               N/A              N/A
  Liu                            Unsupervised              X               √                X
  Holder (GBAD)                  Unsupervised              X               √                √
  Our Approach (EIT)             Unsupervised              √               √                √

  (The last three columns are the challenges each technique addresses.)

Why Unsupervised Learning?
- One approach to detecting insider threat is supervised learning, where models are built from training data.
- Approximately 0.03% of the training data is associated with insider threats (minority class), while 99.97% of the training data is associated with non-insider-threat activity (majority class).
- Unsupervised learning is an alternative for this.

Why Stream Mining
- All are static in nature: they cannot learn from an evolving data stream.
[Diagram] A data stream is processed in data chunks; the previous decision boundary and the current decision boundary separate normal data from anomaly data, and instances falling between the two boundaries are victims of concept drift.

Proposed Method
- Graph-based anomaly detection (GBAD, unsupervised learning) [2]
- Ensemble-based Stream Mining

GBAD Approach
Determine the normative pattern S using the SUBDUE minimum description length (MDL) heuristic, which minimizes:
  M(S, G) = DL(G|S) + DL(S)

Unsupervised Pattern Discovery
- Graph compression and the minimum description length (MDL) principle.
- The best graphical pattern S minimizes the description length of S plus the description length of the graph G compressed with pattern S:
    S* = argmin_S [ DL(S) + DL(G|S) ]
  where the description length DL(S) is the minimum number of bits needed to represent S (SUBDUE).
- Compression can be based on inexact matches to the pattern.
[Figure: example graph containing repeated instances of substructures S1 and S2]

Three types of anomalies
Three algorithms for handling each of the different anomaly categories using graph compression and the minimum description length (MDL) principle:
1. GBAD-MDL finds anomalous modifications
2. GBAD-P (Probability) finds anomalous insertions
3. GBAD-MPS (Maximum Partial Substructure) finds anomalous deletions

Example of graph with normative pattern and different types of anomalies
[Figure] Normative structure: the chain A-B-C-D. GBAD-MDL (modification): a node label is changed, giving A-B-E-D. GBAD-P (insertion): an extra node G is attached to the chain. GBAD-MPS (deletion): part of the normative chain is missing.

Proposed Method
- Graph-based anomaly detection (GBAD, unsupervised learning)
- Ensemble-based Stream Mining

Characteristics of Data Stream
- Continuous flow of data
- Examples:
  ◦ Network traffic
  ◦ Sensor data
  ◦ Call center records

Data Stream Classification

Ensemble of Classifiers
[Figure] An input x with unknown label "?" is passed to classifiers C1, C2 and C3; their individual outputs (+, +, -) are combined by voting into the ensemble output (+).

Proposed Ensemble based Insider Threat Detection (EIT)
[The text preview ends here.]
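As an added illustration of the GBAD slides (MDL-based normative pattern, the three anomaly types) and the ensemble-of-classifiers slide above, the Python below is example code written for this page; it is not the slides', GBAD's or SUBDUE's own implementation. It treats each trace as a small labelled graph, picks the normative substructure by minimising DL(S) + DL(G|S) with description lengths counted in edges, labels deviations as modification, insertion or deletion in the spirit of GBAD-MDL, GBAD-P and GBAD-MPS, and keeps a sliding window of per-week models that vote on each new instance. Occurrence checking by edge-set containment, the edge-count description lengths, the classification rules, the oldest-out ensemble update and the weekly sample chunks are all simplifications assumed and constructed here.

```python
"""Toy graph-based anomaly detection with an ensemble over weekly chunks.

Example code added for this page; not the slides', GBAD's or SUBDUE's code.
Assumptions: a graph is a frozenset of directed (src, dst) label pairs, so
"S occurs in G" is plain subset containment; description lengths are counted
in edges rather than bits; the ensemble retires its oldest model (the real
EIT update rule is not reproduced here).
"""
from collections import Counter
from itertools import combinations


def graph(*edges):
    """Build a graph from 'A-B' style edge strings (constructed helper)."""
    return frozenset(tuple(e.split("-")) for e in edges)


def description_length(pattern, instances):
    """M(S, G) = DL(S) + DL(G|S), counted in edges.

    An instance containing the pattern is compressed to one placeholder node
    plus its leftover edges; an instance without it is encoded as it is.
    """
    dl_s = len(pattern)
    dl_g_given_s = sum(len(inst) - len(pattern) + 1 if pattern <= inst else len(inst)
                       for inst in instances)
    return dl_s + dl_g_given_s


def candidate_patterns(instances):
    """Every non-empty edge subset of every distinct instance (toy SUBDUE search)."""
    candidates = set()
    for inst in set(instances):
        edges = sorted(inst)
        for k in range(1, len(edges) + 1):
            candidates.update(frozenset(c) for c in combinations(edges, k))
    return candidates


def normative_pattern(instances):
    """The substructure S that minimises DL(S) + DL(G|S) over one chunk."""
    return min(candidate_patterns(instances),
               key=lambda s: (description_length(s, instances), sorted(s)))


def classify(instance, pattern):
    """Label an instance relative to the normative pattern.

    Mirrors the three GBAD anomaly categories on the slides:
      insertion    -> GBAD-P   (extra structure around the norm)
      deletion     -> GBAD-MPS (part of the norm is missing)
      modification -> GBAD-MDL (same footprint, but something changed)
    """
    if instance == pattern:
        return "normal"
    if pattern < instance:
        return "insertion"
    if instance < pattern:
        return "deletion"
    return "modification"


class Ensemble:
    """Sliding window of K normative patterns, one learned per weekly chunk."""

    def __init__(self, k=3):
        self.k = k
        self.models = []  # oldest first

    def update(self, chunk):
        """Learn a model from the new week; drop the oldest once K is exceeded."""
        self.models.append(normative_pattern(chunk))
        if len(self.models) > self.k:
            self.models.pop(0)

    def predict(self, instance):
        """Majority vote: 'normal' needs at least half the votes, otherwise the
        most common anomaly label wins (ties broken alphabetically)."""
        votes = Counter(classify(instance, m) for m in self.models)
        if votes["normal"] * 2 >= len(self.models):
            return "normal"
        anomalies = {lbl: c for lbl, c in votes.items() if lbl != "normal"}
        return max(sorted(anomalies), key=anomalies.get)


# Constructed sample data: each week is a chunk of small trace graphs.
NORMAL = graph("A-B", "B-C", "C-D")             # weeks 1-2 norm
DRIFTED = graph("A-B", "B-C", "C-D", "D-F")     # weeks 3-4 norm (concept drift)
WEEK_1 = [NORMAL] * 7 + [
    graph("A-B", "B-E", "E-D"),                 # modification
    graph("A-B", "B-C", "C-D", "C-G"),          # insertion
    graph("A-B", "B-C"),                        # deletion
]
WEEK_2 = WEEK_1
WEEK_3 = [DRIFTED] * 7 + [
    graph("A-B", "B-C", "C-D", "D-F", "F-G"),   # insertion
    NORMAL,                                     # a deletion relative to DRIFTED
]
WEEK_4 = WEEK_3


def run_demo():
    """Feed four weeks through a K=3 ensemble and score two probe instances."""
    ens = Ensemble(k=3)
    for week in (WEEK_1, WEEK_2, WEEK_3, WEEK_4):
        ens.update(week)
    return {"week1_norm": normative_pattern(WEEK_1),
            "probe_drifted": ens.predict(DRIFTED),
            "probe_old_normal": ens.predict(NORMAL)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, sorted(value) if isinstance(value, frozenset) else value)
```

After four weeks the window holds one model that still thinks A-B-C-D is normal and two that learned the drifted A-B-C-D-F chain, so the drifted behaviour is voted normal while the old chain is voted a deletion: the ensemble tracks the drift instead of flagging every new legitimate pattern, which is the point of the stream-mining part of the deck.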
UTD CS 6V81 - Evolving Insider Threat Detection