An Insider Threat Detection Model Using One-Hot Encoding and Near-Miss Under-Sampling Techniques

Insider threats are malicious acts (e.g., data theft, fraud, and sabotage) which are very difficult to detect as they are conducted by an authorized user. The existing research in the topic of detecting insider threat mostly concentrated on wide-ranging insider attack scenarios. Moreover, the skewed issue that could occur due to an improper data encoding and the imbalanced classes of the dataset are not addressed. Thus, to enhance the existing insider threat prevention approaches, this paper proposes an insider data leakage detection model that focus on detecting the most serious attack scenario where a malicious insider executes an attack before his/her leaving from an organization. The model embeds multi-data granularity methods (e.g., data encoding and scaling, one-hot encoding, and Near Miss under sampling) for the aim of addressing the possible bias of an improper encoding and the imbalance classes of dataset. Several machine learning classifiers are also employed to detect insider data leakage cases by using different classification perspectives. The model is validated using The CERT Insider Threat Dataset to assess its performance in comparison to the ground truth, as a proof of concept. The results confirm that the proposed model enhances the existing models over the similar dataset with an AUC score of 0.94.