Article code | Journal code | Year of publication | English article | Full-text version
11002569 | 1444208 | 2018 | 22-page PDF | Free download
English title of the ISI article
Insider-threat detection using Gaussian Mixture Models and Sensitivity Profiles
Persian translation of the title
شناسایی تهدید خودی با استفاده از مدل‌های گاوسی مخلوط و مشخصات حساسیت
Keywords
Insider-threat detection, machine learning, Gaussian Mixture Model, visual analytics, sensitivity profiles, feasibility study
Related subjects
Engineering and Basic Sciences > Computer Engineering > Computer Networks and Communications
English abstract
The insider threat is one of the most challenging problems to detect due to its complex nature and significant impact on organisations. Insiders pose a great threat to organisations due to their knowledge of the organisation and its security protocols, their authorised access to the organisation's resources, and the difficulty of discerning the behaviour of an insider threat from a normal employee's behaviour (Gheyas and Abdallah, 2016). As a result, the insider-threat field faces the challenge of developing detection solutions that are able to detect threats without generating a great number of false positives, and are able to take into consideration the non-technical aspects of the problem. This paper introduces a novel automated anomaly detection method that uses Gaussian Mixture Models for modelling the normal behaviour of employees to detect anomalous behaviour that may be malicious. The paper also introduces a novel approach to insider-threat detection that capitalises on the knowledge of security experts during analysis, using visual analytics and sensitivity profiles; sensitivity profiles are a novel approach to re-contextualising detection output by considering outside, qualitative, non-technical factors that analysts may be privy to but the detection method is not. A feasibility study with experts in threat detection was conducted to evaluate the detection performance of the proposed solution and its usability. The results demonstrate the success of designing a solution that builds on the knowledge of security experts during analysis and reduces the number of false positives generated by automated anomaly detection. The work presented in the paper also demonstrates the potential of introducing more methods for capitalising on the knowledge of security experts to improve the false negative rate, and the potential of designing sensitivity profiles.
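The abstract describes two stages: a Gaussian Mixture Model fitted to benign employee behaviour, whose low-likelihood points become candidate anomalies, and a re-contextualisation step in which an analyst's sensitivity profile adjusts those candidates using knowledge the detector never sees. The following example, added here to illustrate the page and not the authors' code, shows one way to realise both stages end to end. Everything beyond what the abstract states is an assumption made for the example: the two behavioural features (logons per day, MB uploaded externally), a diagonal-covariance GMM fitted by EM in plain Python (in practice one would normally use scikit-learn's GaussianMixture), a mean + 3 sigma alert threshold derived from the training scores, and a sensitivity profile modelled as a per-employee multiplier on the anomaly score. All training rows, events, employee identifiers and profile entries are constructed.

```python
"""GMM anomaly scoring for insider-threat detection, then analyst re-weighting.
Added example; not the authors' code. Assumed here: the two features, a
diagonal-covariance EM fit, a mean + 3 sigma threshold, and sensitivity
profiles as per-employee score multipliers. All data below is constructed."""
import math

# Constructed benign training rows (logons per day, MB uploaded externally):
# day staff cluster around (8, 5), shift staff around (3, 2).
TRAINING = [
    (8, 5), (9, 6), (7, 4), (8, 7), (10, 5), (9, 4), (8, 6), (7, 5),
    (3, 2), (2, 1), (4, 2), (3, 3), (2, 2), (4, 1), (3, 2), (2, 3),
]
# Constructed events to triage: (employee id, feature vector).
EVENTS = [
    ("ops-03", (8, 5)),        # ordinary day-staff activity
    ("shift-11", (3, 2)),      # ordinary shift-staff activity
    ("eng-data-07", (8, 12)),  # unusual upload volume for day staff
    ("sales-21", (8, 7)),      # statistically normal; see profile below
    ("admin-02", (9, 400)),    # exfiltration-sized upload
]
# Assumed sensitivity profile: a per-employee multiplier carrying context the
# detector cannot see. <1 dampens, >1 amplifies; unlisted employees get 1.0.
SENSITIVITY_PROFILES = {
    "eng-data-07": 0.1,  # sanctioned nightly bulk uploads to a partner SFTP
    "sales-21": 2.0,     # handed in notice last week
}

def _log_gauss(x, mean, var):
    """Log-density of a diagonal-covariance Gaussian."""
    return sum(-0.5 * math.log(2 * math.pi * v) - (xi - m) ** 2 / (2 * v)
               for xi, m, v in zip(x, mean, var))

def _logsumexp(vals):
    m = max(vals)
    return m + math.log(sum(math.exp(v - m) for v in vals))

class DiagGMM:
    """k-component diagonal GMM fitted by EM from a deterministic split init."""
    def __init__(self, k=2, iters=50, min_var=1e-3):
        self.k, self.iters, self.min_var = k, iters, min_var
        self.weights, self.means, self.vars = [], [], []

    def _component_logps(self, x):
        return [math.log(max(w, 1e-300)) + _log_gauss(x, mu, v)
                for w, mu, v in zip(self.weights, self.means, self.vars)]

    def fit(self, data):
        n, d = len(data), len(data[0])
        # Init: sort on the first feature and give each component one chunk.
        order = sorted(data, key=lambda p: p[0])
        chunks = [order[i * n // self.k:(i + 1) * n // self.k] for i in range(self.k)]
        self.weights = [len(c) / n for c in chunks]
        self.means = [[sum(p[j] for p in c) / len(c) for j in range(d)] for c in chunks]
        self.vars = [[max(self.min_var, sum((p[j] - mu[j]) ** 2 for p in c) / len(c))
                      for j in range(d)] for c, mu in zip(chunks, self.means)]
        for _ in range(self.iters):
            # E-step: responsibilities P(component | x_i) for every training row.
            resp = []
            for x in data:
                lp = self._component_logps(x)
                z = _logsumexp(lp)
                resp.append([math.exp(v - z) for v in lp])
            # M-step: responsibility-weighted weights, means and variances.
            for c in range(self.k):
                nk = max(sum(r[c] for r in resp), 1e-12)
                self.weights[c] = nk / n
                self.means[c] = [sum(r[c] * x[j] for r, x in zip(resp, data)) / nk
                                 for j in range(d)]
                self.vars[c] = [max(self.min_var, sum(r[c] * (x[j] - self.means[c][j]) ** 2
                                                      for r, x in zip(resp, data)) / nk)
                                for j in range(d)]
        return self

    def score(self, x):
        """Anomaly score: negative log-likelihood under the mixture (higher = rarer)."""
        return -_logsumexp(self._component_logps(x))

def detection_threshold(model, data, n_sigma=3.0):
    """Assumed rule: alert above mean + n_sigma*std of the benign training scores."""
    s = [model.score(x) for x in data]
    mean = sum(s) / len(s)
    return mean + n_sigma * math.sqrt(sum((v - mean) ** 2 for v in s) / len(s))

def triage(model, threshold, events, profiles):
    """Raw GMM verdict beside the verdict after the sensitivity profile is applied."""
    out = {}
    for emp, x in events:
        raw = model.score(x)
        adjusted = raw * profiles.get(emp, 1.0)
        out[emp] = {"raw_score": raw, "raw_alert": raw > threshold,
                    "adjusted_score": adjusted, "alert": adjusted > threshold}
    return out

def run_example():
    """Fit on TRAINING, derive the threshold, triage EVENTS; returns (threshold, results)."""
    model = DiagGMM(k=2).fit(TRAINING)
    thr = detection_threshold(model, TRAINING)
    return thr, triage(model, thr, EVENTS, SENSITIVITY_PROFILES)
```

Running `run_example()` shows the two effects the abstract attributes to sensitivity profiles. The data engineer's 12 MB upload is far outside the fitted day-staff component and is flagged by the GMM alone, but the profile multiplier reflecting sanctioned bulk transfers pulls it under the threshold, which is the false-positive reduction the paper reports. The opposite direction, amplifying a statistically unremarkable day for an employee who has resigned, illustrates how the same mechanism could address false negatives; the abstract names that only as future potential, so whether the paper's profiles amplify as well as dampen is not something this page confirms. The exfiltration-sized upload exceeds the threshold regardless of weighting. A real deployment would also have to confirm the training window is actually benign, since a mean + 3 sigma threshold learned from contaminated data silently absorbs the attacker's own behaviour into "normal".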
Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 77, August 2018, Pages 838-859
Authors