Detecting Insider Threats with Attention-Based Architecture

paying attention to the insider threat n.w
1 / 15
Embed
Share

The research focuses on utilizing an attention-based architecture, specifically BERT, for real-time detection of insider threats by analyzing user behaviors in electronic logs. The study involves transforming raw data into actionable information for DSML through preprocessing, sequencing, and batch creation. With a data source of over a billion authentication records, the project aims to enhance cybersecurity by leveraging advanced deep learning models like BERT.

  • Insider Threats
  • Attention-Based Architecture
  • BERT
  • Data Engineering
  • Cybersecurity
rayaanacharya
bcha Follow

Uploaded on | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

You are allowed to download the files provided on this website for personal or commercial use, subject to the condition that they are used lawfully. All files are the property of their respective owners.

Download Presentation

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author.

E N D

Presentation Transcript

  1. Paying Attention to the Insider Threat SEKE 2022 July 9, 2022 Kamran Sartipi, PhD Eduardo Lopez, PhD Candidate Department of Computer Science Information Systems McMaster University East Carolina University Hamilton, ON, Canada Greenville, NC, USA. lopeze1@mcmaster.ca sartipik16@ecu.edu www.cs.ecu.edu/sartipi 1

  2. Insider Treads The misuse of information systems by internal actors is an ever- growing concern in organizations of all types. The timely detection of an insider threat is as important as it is difficult. Analyzing user behaviours recorded in electronic logs require significant computing resources and the capability to find and interpret complex patterns in temporal sequences that may contain irrelevant, temporary or novel elements. In this research, we use an attention-based architecture, namely BERT to model user behaviour that enables near real-time insider threat detection. 2

  3. Architecture Pipelines Data Engineering: Transforming raw data into information for DSML: Preprocessing; Sequencing; Batch creation. DSML: We use BERT (Bidirectional Encoder Representation from Transformer). Software Engineering: providing interaction with users via customized user- interfaces and API calls to the DSML models. 3

  4. Data Engineering Los Alamos Cybersecurity Events Dataset: we select Authenticationsas the source of analysis. 1.051 billion authentication records in the dataset. Each record includes: Time (in seconds); Users; Computers (src / des); Type of authentication. A review of the data shows that the user behavior may contain 250 to 3,000 tokens. We select 2048 tokens as the maximum sequence length. Vocabulary size is around 30K. 4

  5. DSML: Transformers Architecture An encoder/decoder architecture based on concept of Attention . Original implementation uses 6 stacked encoders and 6 stacked decoders. Positional encoding calculates the words positional embeddings. Encoder has multiple, parallel self- attention heads, each head can consider different attributes of the embeddings. 5

  6. BERT We adopted BERT as the deep learning architecture for the detection of the threat. The original BERT is composed of 12 layers (i.e., stacked Transformer encoders) using 768 dimensions for the hidden states and 12 attention heads. The total number of trainable parameters is 109M. Given the time constraints, we reduced the model size by decreasing the number of heads of encoders to six and the hidden state size to 384. 6

  7. BERT Training Three distinct time-windows used for the insider threat detection. Extended time-window: historical data are used for pre-training. Based on domain knowledge, 14 days provides sufficient data to capture repetitive user patterns. Daily time-window: Once the model has been pre- trained, a daily fine-tuning will take place. By using this strategy, the user behavior model is kept current with novel patterns performed by users. This can be done overnight. Per-second time window: The system will use the information collected within the log in real-time, and performs the analysis using the user behavior model. 7

  8. Insider Threat Detection A key advantage of a BERT-centric architecture is the ability to perform transfer learning. Any token in the sequence can be masked and predicted with the model. We select the current second (t0) in pre-processed raw data and create the sequence to be inputted in the model. Figure displays six different instances for analysis. 8

  9. Insider Threat Detection (Normal Cases) The first three sequences correspond to normal user behaviors captured in the data. All predicted values with probabilities more than 50% are displayed The first sequence has 565 tokens; and user-name is masked. The model suggested User U2753 with a probability of 90.56%. The model is quite certain about the prediction, and the actual value is also U2753. Therefore, we can consider the behavior as normal. 9

  10. Insider Threat Detection (Normal Cases) The second sequence has 216 tokens in it; We mask the source computer. The two highest-probability predictions cumulatively reach the 50% threshold: C568 and C62. The actual source computer used by the userU8 was C62, so the model is once again correct with no indication of an insider threat taking place. The third sequence is very short (85 tokens), and we mask the destination computer. The correct computer C616 is predicted, so we can consider the behavior a normal one. 10

  11. Insider Threat Detection (Threat Cases) Fourth case: we mask the source computer for user U8946 in a 693-tokens sequence. Two computer predictions accumulate beyond 50%: C2388 and C3610, None of them is the actual computer in the data, i.e., C17693. This is an indicator of an insider threat that would be communicated to a human for further review. The incorrect prediction by the model is a correct indicator of an insider threat. 11

  12. Insider Threat Detection (Threat Cases) Fifth case: sequence is 397-tokens long, and we mask the source computer. The model is strongly convinced (99% probability) that the source computer must be C19038. However, the actual source computer is different, which is a clear indicator of an abnormal event The model has high confidence in a prediction that ends up being incorrect. 12

  13. Insider Threat Detection (Threat Cases) Last Case: In this case we mask the destination computer. Many predictions are needed to reach the 50% threshold which can be interpreted as the model having difficulties to predict with a high-level of certainty. The actual value C370 is not in the prediction group, which again points to a potential insider threat and shall be sent to a human for review. 13

  14. Conclusion We presented the insider threat detection as an attention-based machine learning problem. We demonstrated how to identify a potential insider threat in near real-time using a well-defined three-step machine learning process. We demonstrated how a Transformer deep learning configuration based on the BERT architecture achieves this objective by leveraging the strengths of an attention-based configuration. 14

  15. Thanks & Questions? 15

Related


No related presentations.

More Related Content