Probabilistic Graphical Model on Detecting Insiders: Modeling with SGD-HMM

Abstract

This paper presents a novel approach to detect malicious behaviors in computer systems. We propose the use of varying granularity levels to represent users' log data: Session-based, Day-based, and Week-based. A user's normal behavior is modeled using a Hidden Markov Model. The model is used to detect any deviation from the normal behavior. We also propose a Sliding Window Technique to identify malicious activity effectively by considering the near history of user activity. We evaluated our results using Receiver Operating Characteristic curves (or ROC curves). Our evaluation shows that the results are superior to existing research by improving the detection ability and reducing the false positive rate. Combining sliding window technique with session-based system gives a fast detection performance.