Interactive Machine Learning for Data Exfiltration Detection: Active Learning with Human Expertise

2020 IEEE International Conference on Systems, Man, and Cybernetics (SMC) (2020)

Abstract
Data exfiltration is a serious threat to organizations. Such exfiltrations cause breach events that can lead to millions of dollars of loss. Perimeter defense is not enough by itself since successful exploits from insiders can also be very damaging. Internal network user activities need to be monitored to detect malicious actions. Automatic machine learning methods can be applied for network anomaly detection, but they create a lot of false alarms. Domain experts can identify malicious users, but they are unable to process large volumes of data. Interactive machine learning (iML) deals with this tradeoff by creating an efficient collaboration between domain experts and machine learning algorithms. Previous research in iML has focused mainly on collaboration with non-experts. The design and requirements for expertise-driven iML have yet to be delineated for cybersecurity applications. In this research, we proposed an Active Learning (AL) model trained with outputs from a liberal (outputting many false alarms as well as possible hits) anomaly detection (AD) criterion to study expert-iML collaboration in anomaly detection. The results showed that: iML in this context can prune false alarms and minimize misses; the performance/compatibility tradeoff that typically occurs in conventional machine learning updates may be less salient in iML. We suggest that compatibility between experts and algorithms can be improved by presenting information about feature relevance during the training process.
Keywords
Explainable AI, cybersecurity, interactive machine learning, active learning