Abstract
Problems originating inside an organization's perimeter are a significant threat, since it is very difficult to differentiate them from outside activity. In this dissertation, we evaluate an insider threat detection method on its ability to detect different types of scenarios that have not previously been identified or contemplated by the developers of the system. We show the ability to detect a large variety of insider threat scenario instances. We report results of an ensemble-based, unsupervised technique for detecting potential insider threat scenarios that robustly achieves results. We explore factors that contribute to the success of the ensemble method, such as the number and variety of unsupervised detectors and the use of existing knowledge encoded in scenario-based detectors made for different known activity patterns. We report results over the entire period of the ensemble approach and of ablation experiments that remove the scenario-based detectors.
Cite
Singh Lodhi, M., & Kaul, R. (2016). Detecting Unknown Insider Threat Scenarios. International Journal on Computational Science & Applications, 6(5/6), 15–21. https://doi.org/10.5121/ijcsa.2016.6602