Detection of Insider Threats Using Data Science Strategies
Program: Data Science Master's Degree
Location: Not Specified (remote)
Student: Tobias Hendricks
Insider threats represent a significant and costly risk to organizations and are difficult to detect; data science can be used successfully to find and diagnose them. Previous research has focused on detection effectiveness across various algorithms, with little attention to the features themselves and their impact on detection. Knowing the feature importance, obtained from ensemble decision tree algorithms, and pairing it with an extensible forensic methodology that compiles and evaluates these features provides business value by mitigating risk and informing response strategies. Using labeled data from the Carnegie Mellon University Insider Threat Test Dataset, the XGBoost algorithm accomplished this complex detection goal, while Isolation Forest struggled to produce meaningful results without generating large numbers of false detections. Based on these results, organizations that collect logs and use insider threat knowledge sets can generate and customize features for detection and risk mitigation.
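As an added illustration (not part of the thesis or its code), the block below shows how per-user-day features of the kind the abstract refers to can be generated from CERT-style logon and removable-device logs so that a model's importance scores map back to a forensic meaning; the CSV column layout, the business-hours window and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed CERT-style CSV layout:
# logon.csv  -> id,date,user,pc,activity   (Logon/Logoff)
# device.csv -> id,date,user,pc,activity   (Connect/Disconnect)
LOGON_LINES = [
    "{L1},01/06/2010 08:02:11,USR0001,PC-1234,Logon",
    "{L2},01/06/2010 17:30:40,USR0001,PC-1234,Logoff",
    "{L3},01/06/2010 22:47:05,USR0001,PC-8822,Logon",
    "{L4},01/06/2010 09:10:00,USR0002,PC-5566,Logon",
]
DEVICE_LINES = [
    "{D1},01/06/2010 22:50:12,USR0001,PC-8822,Connect",
    "{D2},01/06/2010 23:05:44,USR0001,PC-8822,Disconnect",
]

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 treated as on-hours (assumption)


def parse(line):
    """Split one CSV event into (timestamp, user, pc, activity)."""
    _id, date, user, pc, activity = line.strip().split(",")
    return datetime.strptime(date, "%m/%d/%Y %H:%M:%S"), user, pc, activity


def build_features(logon_lines, device_lines):
    """Aggregate raw events into per-(user, day) numeric rows usable by a
    supervised ensemble (e.g. XGBoost) or an unsupervised Isolation Forest."""
    feats = defaultdict(lambda: {"logons": 0, "after_hours_logons": 0,
                                 "pcs": set(), "usb_connects": 0})
    for line in logon_lines:
        ts, user, pc, activity = parse(line)
        row = feats[(user, ts.date().isoformat())]
        if activity == "Logon":
            row["logons"] += 1
            row["pcs"].add(pc)                      # lateral movement signal
            if ts.hour not in BUSINESS_HOURS:
                row["after_hours_logons"] += 1      # off-hours activity signal
    for line in device_lines:
        ts, user, pc, activity = parse(line)
        if activity == "Connect":
            feats[(user, ts.date().isoformat())]["usb_connects"] += 1
    # Stable feature names let importance scores be read back as evidence.
    return {key: {"logons": v["logons"],
                  "after_hours_logons": v["after_hours_logons"],
                  "distinct_pcs": len(v["pcs"]),
                  "usb_connects": v["usb_connects"]} for key, v in feats.items()}
```

The resulting dictionary can be turned into a feature matrix, one row per (user, day), and labeled from the dataset's insider answer keys before training.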