SaTC: CORE: Small: Deep Learning for Insider Threat Detection

Insiders are malicious people within organizations who abuse their authorized access in a manner that compromises the confidentiality, integrity, or availability of information systems. Attacks from insiders are hard to detect and can cause significant loss to organizations. While the problem of insider threat detection has been studied for a long time, the traditional machine learning-based detection approaches, which heavily rely on feature engineering, are hard to accurately capture the behavior difference between insiders and normal users due to the dynamic and adaptive nature of insider threats.

Advanced deep learning techniques provide a new paradigm to learn end-to-end insider threat detection models from complex user behavior data. This project develops a deep learning framework for insider threat detection. The project’s novelties are the development of self-supervised user behavior representation learning, few-shot learning for malicious session detection, reinforcement learning for adaptive behavior detection, and counterfactual explanations based malicious activity detection.

The project’s broader significance and importance are to provide a novel toolset for detecting and mitigating internal security risks, which can be benefit industries and governments who are frequently under attacks from malicious insiders.

This project develops novel deep learning approaches to detect malicious sessions through a) developing a self-supervised representation learning approach to encode user sessions into a low-dimensional embedding space without using any manually labeled data, b) advancing a few-shot learning framework via disentangled representation learning to detect malicious sessions with subtle activity changes, c) adapting reinforcement learning framework to identify dynamically evolving insider attacks, and d) proposing a counterfactual explanation approach to detect malicious activities in malicious sessions. The framework has the potential to extend to different types of fraud detection.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.