Analyzing Data Granularity Levels for Insider Threat Detection using Machine Learning
IEEE Transactions on Network and Service Management (IF 4.7), Pub Date: 2020-03-01, DOI: 10.1109/tnsm.2020.2967721
Duc C. Le , Nur Zincir-Heywood , Malcolm I. Heywood

Malicious insider attacks represent one of the most damaging threats to the networked systems of companies and government agencies. Insider threat detection comes with a unique set of challenges: hugely unbalanced data, limited ground truth, and behaviour drifts and shifts. This work proposes and evaluates a machine learning based system for user-centred insider threat detection. Using machine learning, data is analysed at multiple levels of granularity under realistic conditions to identify not only malicious behaviours but also malicious insiders. A detailed analysis of popular insider threat scenarios with different performance measures is presented to support realistic estimation of system performance. Evaluation results show that the machine learning based detection system can learn from limited ground truth and detect new malicious insiders in unseen data with high accuracy. Specifically, up to 85% of malicious insiders are detected at only a 0.78% false positive rate. The system is also able to detect malicious behaviours quickly, as little as 14 minutes after the first malicious action. Comprehensive result reporting allows the system to provide valuable insights to analysts investigating insider threat cases.
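The abstract distinguishes detecting malicious behaviours (action level) from detecting malicious insiders (user level) and reports a user-level detection rate, false positive rate and time to first detection. The following Python sketch is added here and is not the paper's code: it shows how per-action anomaly scores from a hypothetical model roll up to those user-level measures on a constructed sample, with the scores, threshold and timestamps all assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Action:
    user: str
    ts: datetime
    score: float      # anomaly score from a hypothetical per-action model, in [0, 1]
    malicious: bool   # ground truth, used only for evaluation

T0 = datetime(2020, 3, 1, 9, 0)
# Constructed sample: one malicious user (bob), three benign users, and one
# benign action with a high score (carol) to produce a user-level false positive.
ACTIONS = [
    Action("alice", T0, 0.10, False), Action("alice", T0 + timedelta(minutes=30), 0.20, False),
    Action("bob", T0, 0.40, True), Action("bob", T0 + timedelta(minutes=20), 0.90, True),
    Action("bob", T0 + timedelta(minutes=40), 0.60, True),
    Action("carol", T0, 0.30, False), Action("carol", T0 + timedelta(minutes=10), 0.95, False),
    Action("dave", T0, 0.05, False),
]

def action_level(actions, threshold):
    """Fine granularity: each action is judged on its own score. Returns (TPR, FPR)."""
    mal = [a for a in actions if a.malicious]
    ben = [a for a in actions if not a.malicious]
    tpr = sum(a.score >= threshold for a in mal) / len(mal)
    fpr = sum(a.score >= threshold for a in ben) / len(ben)
    return tpr, fpr

def user_level(actions, threshold):
    """Coarse granularity: a user is flagged if any of their actions crosses the threshold.
    Returns (detection rate over malicious users, FPR over benign users, delay per detected user)."""
    users = {a.user for a in actions}
    mal_users = {a.user for a in actions if a.malicious}
    flagged = {a.user for a in actions if a.score >= threshold}
    detection_rate = len(mal_users & flagged) / len(mal_users)
    fpr = len(flagged - mal_users) / len(users - mal_users)
    delays = {}
    for u in mal_users & flagged:
        first_bad = min(a.ts for a in actions if a.user == u and a.malicious)
        # time to detection: first malicious action that actually raised an alert
        hits = [a.ts for a in actions if a.user == u and a.malicious and a.score >= threshold]
        if hits:
            delays[u] = min(hits) - first_bad
    return detection_rate, fpr, delays
```

With a threshold of 0.8, only one of bob's three malicious actions is flagged, yet bob is detected as a user 20 minutes after his first malicious action, while carol's single high-scoring action turns into one benign user flagged out of three.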

Updated: 2020-03-01