Insider Threat Detection Model Using Anomaly-Based Isolation Forest Algorithm

Bibliographic Details
Main Authors: Taher Al-Shehari, Muna Al-Razgan, Taha Alfakih, Rakan A. Alsowail, Saravanan Pandiaraj
Format: Article
Language: English
Published: IEEE 2023-01-01
Series: IEEE Access
Subjects: Anomaly detection; dataset imbalance issue; insider threat detection; isolation forest; machine learning
Online Access: https://ieeexplore.ieee.org/document/10290890/
Collection: DOAJ (Directory of Open Access Journals)

Description: Insider attacks may inflict far greater damage to an organization than outsider threats, since insiders are authorized users who are acquainted with the business’s system, making detection harder. Many techniques for detecting insider threats have been developed, but they are neither flexible nor resilient owing to different obstacles (e.g., lack of a real-world dataset and the highly skewed class distribution of the available dataset), making insider threat detection an understudied research field. Previous techniques attempted to solve the dataset’s imbalance issue by increasing or lowering the observations of the dataset’s classes; however, this might lead to underfitting and overfitting problems. We present an insider threat detection model that addresses the class imbalance problem at the algorithm level using anomaly-based techniques, as an enhancement over previous approaches. To limit the effect of skewed class distribution on insider threat detection, the Isolation Forest (IF) technique is used. The model is verified using the benchmarked CERT insider threat dataset, which is significantly unbalanced, with a small number of malicious cases vs. a large number of non-malicious instances. Several contamination ratios of IF’s parameters are used to verify the model’s performance throughout a range of anomaly scores. The experimental findings reveal that the suggested model handles the dataset class imbalance problem with an accuracy score of 98%. The findings are compared to the baseline technique to demonstrate how the proposed model enhances detection performance and addresses the problem of data imbalance. The findings indicate the usefulness of the suggested approach for identifying insider threats when compared to previous studies.

Record Identifiers
DOAJ record: doaj.art-f8bfb587c5964fcf856b85baa7d0e471
ISSN: 2169-3536
DOI: 10.1109/ACCESS.2023.3326750
Volume 11, pp. 118170-118185

Author Affiliations
Taher Al-Shehari (https://orcid.org/0000-0002-9783-919X): Computer Skills, Department of Self-Development Skills, Common First Year Deanship, King Saud University, Riyadh, Saudi Arabia
Muna Al-Razgan (https://orcid.org/0000-0002-9705-3867): Department of Software Engineering, College of Computer and Information Sciences, King Saud University, Riyadh, Saudi Arabia
Taha Alfakih (https://orcid.org/0000-0003-0366-5932): Department of Information Systems, College of Computer and Information Sciences, King Saud University, Riyadh, Saudi Arabia
Rakan A. Alsowail: Computer Skills, Department of Self-Development Skills, Common First Year Deanship, King Saud University, Riyadh, Saudi Arabia
Saravanan Pandiaraj: Computer Skills, Department of Self-Development Skills, Common First Year Deanship, King Saud University, Riyadh, Saudi Arabia