Robust Anomaly-Based Insider Threat Detection Using Graph Neural Network

IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT (2023)

Abstract
Misuse of or malicious access to critical assets of information systems by insiders usually causes significant loss to organizations. Insider threat detection for information systems has received attention from many researchers in both the security and data mining fields, and many related research results have been presented. However, there are still many challenges in accurately capturing the behavioral difference between malicious insiders and normal users, such as the lack of labeled insider threats, the subtle and adaptive nature of insider threats, and the complexity, heterogeneity, and sparsity of the underlying data. To detect insider threats in large and complex audit data, this paper proposes a Multi-Edge Weight Relational Graph Neural Network method (MEWRGNN) for robust anomaly detection. Unlike most existing approaches, the MEWRGNN adopts several graph neural networks to capture the contextual relationship of user behaviors over a period of time, which is a critical factor for achieving accurate anomaly identification. The MEWRGNN achieves a certain degree of interpretability by ranking the contribution of different edge-representation features. Experimental evaluation results demonstrate that the MEWRGNN can learn a model from limited sample data sets and achieve quick and accurate insider threat detection performance. In addition, other feature ranking results provide security analysts with understandable insights for investigating the detected insider threats.
Keywords
Anomaly detection, insider threat, graph neural network