%0 Conference Proceedings
%T Anomaly Detection for Insider Threats: An Objective Comparison of Machine Learning Models and Ensembles
%+ Heriot-Watt University [Edinburgh] (HWU)
%+ Fortinet UK Limited
%A Bartoszewski, Filip, Wieslaw
%A Just, Mike
%A Lones, Michael, A.
%A Mandrychenko, Oleksii
%Z Part 7: Machine Learning for Security
%< avec comité de lecture
%( IFIP Advances in Information and Communication Technology
%B 36th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC)
%C Oslo, Norway
%Y Audun Jøsang
%Y Lynn Futcher
%Y Janne Hagen
%I Springer International Publishing
%3 ICT Systems Security and Privacy Protection
%V AICT-625
%P 367-381
%8 2021-06-22
%D 2021
%R 10.1007/978-3-030-78120-0_24
%K Anomaly detection
%K Insider threat
%K Machine learning
%K Ensembles
%Z Computer Science [cs]Conference papers
%X Insider threat detection is challenging due to the wide variety of possible attacks and the limited availability of real threat data for testing. Most previous anomaly detection studies have relied on synthetic threat data, such as the CERT insider threat dataset. However, several previous studies have used models that arguably introduce bias, such as the selective use of metrics, and reusing the same dataset with the prior knowledge of the answer labels. In this paper, we create and test a host of models following some guidelines of good conduct to produce what we believe to be a more objective comparison of these models. Our results indicate that majority voting ensembles are a simple and cost-effective way of boosting the quality of results from individual machine learning models, both on the CERT data and on a version augmented with additional attacks. We include a comparison of models with their hyperparameters optimized for different target metrics.
%G English
%Z TC 11
%2 https://inria.hal.science/hal-03746050/document
%2 https://inria.hal.science/hal-03746050/file/512098_1_En_24_Chapter.pdf
%L hal-03746050
%U https://inria.hal.science/hal-03746050
%~ IFIP
%~ IFIP-AICT
%~ IFIP-TC
%~ IFIP-TC11
%~ IFIP-SEC
%~ IFIP-AICT-625