Adaptive One-Class Ensemble-based Anomaly Detection: An Application to Insider Threats

Haidar, Diana and Gaber, Mohamed Medhat (2018) Adaptive One-Class Ensemble-based Anomaly Detection: An Application to Insider Threats. In: 2018 International Joint Conference on Neural Networks (IJCNN), 8-13 July 2018, Rio de Janeiro, Brazil.

[img]
Preview
Text
bare_conf.pdf

Download (839kB)

Abstract

The malicious insider threat is getting increased concern by organisations, due to the continuously growing number of insider incidents. The absence of previously logged insider threats shapes the insider threat detection mechanism into a one-class anomaly detection approach. A common shortcoming in the existing data mining approaches to detect insider threats is the high number of False Positives (FP) (i.e. normal behaviour predicted as anomalous). To address this shortcoming, in this paper, we propose an anomaly detection framework with two components: one-class modelling component, and progressive update component. To allow the detection of anomalous instances that have a high resemblance with normal instances, the one-class modelling component applies class decomposition on normal class data to create k clusters, then trains an ensemble of k base anomaly detection algorithms (One-class Support Vector Machine or Isolation Forest), having the data in each cluster used to construct one of the k base models. The progressive update component updates each of the k models with sequentially acquired FP chunks; segments of a predetermined capacity of FPs. It includes an oversampling method to generate artificial samples for FPs per chunk, then retrains each model and adapts the decision boundary, with the aim to reduce the number of future FPs. A variety of experiments is carried out, on synthetic data sets generated at Carnegie Mellon University, to test the effectiveness of the proposed framework and its components. The results show that the proposed framework reports the highest F1 measure and less number of FPs compared to the base algorithms, as well as it attains to detect all the insider threats in the data sets.

Item Type: Conference or Workshop Item (Speech)
Uncontrolled Keywords: Anomaly detection;Clustering algorithms;Data models;Feature extraction;Adaptation models;Electronic mail;Machine learning
Subjects: G400 Computer Science
Divisions: Faculty of Computing, Engineering and the Built Environment > School of Computing and Digital Technology > Enterprise Systems
Depositing User: Mohamed Gaber
Date Deposited: 29 Oct 2018 14:22
Last Modified: 29 Oct 2018 14:22
URI: http://www.open-access.bcu.ac.uk/id/eprint/6504

Actions (login required)

View Item View Item

Research

In this section...