Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 32451
Design of an Ensemble Learning Behavior Anomaly Detection Framework

Authors: Abdoulaye Diop, Nahid Emad, Thierry Winter, Mohamed Hilia


Data assets protection is a crucial issue in the cybersecurity field. Companies use logical access control tools to vault their information assets and protect them against external threats, but they lack solutions to counter insider threats. Nowadays, insider threats are the most significant concern of security analysts. They are mainly individuals with legitimate access to companies information systems, which use their rights with malicious intents. In several fields, behavior anomaly detection is the method used by cyber specialists to counter the threats of user malicious activities effectively. In this paper, we present the step toward the construction of a user and entity behavior analysis framework by proposing a behavior anomaly detection model. This model combines machine learning classification techniques and graph-based methods, relying on linear algebra and parallel computing techniques. We show the utility of an ensemble learning approach in this context. We present some detection methods tests results on an representative access control dataset. The use of some explored classifiers gives results up to 99% of accuracy.

Keywords: Cybersecurity, data protection, access control, insider threat, user behavior analysis, ensemble learning, high performance computing.

Digital Object Identifier (DOI):

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 998


1] IBM-Security, IBM 2015 Cybersecurity Intelligence Index, Managed Security services, cyber-security-intelligence-index-2015/, 2016.
[2] P. Bradford and J. Lui, Applying role based access control and genetic algorithm to insider threat detection, 44th annual Southeast regional conference, pp 1–7, 2016.
[3] J. Peng, K. R. Choo and H. Ashman, User profiling in intrusion detection: A Review, Journal of Network and Computer Applications, vol. 72, pp 14–27, 2016.
[4] A. L. Buczak and E. Guven, A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection Systems, IEEE Communications surveys and Tutorials, vol. 18, no. 2, pp 1153–1178, 2016.
[5] P. Pallabi, N. Mcdaniel and Z. R. Weger, Evolving Insider Threat Detection Stream mining Perspective, International Journal on Artificial Intelligence Tools vol. 22, no. 5, 2013.
[6] P. Pallabi, Z. R. Weger, et al., Supervised Learning for Insider Threat Detection Using Stream mining, 23rd International Conference on Tools with Artificial Intelligence, 2011.
[7] D. Haidar, and M. M. Gaber, Adaptive One-Class Ensemble-based Anomaly Detection: An Application to Insider Threats, Internationnal Joint conference on Neural Networks(IJCNN), 2018.
[8] A. Gamachchi, L. Sun, and S. Boztas, A graph based framework for malicious insider threat detection, Hawai International conference on system sciences, (HICSS), 2017.
[9] Y. Chen, S. Nyemba, W. Zhang, and B. Malin, Specializing network analysis to detect anomalous insider actions, Security Informatics, vol. 1, no. 1, pp 5, 2012.
[10] I. Sun, S. Versteeg, S. Boztas, and A. Rao, Detecting Anomalous User Behavior Using an Extended Isolation Forest Algorithm: An Enterprise Case Study, In Computer Research Repository(CoRR), 2016.
[11] P. Moriano, J. Pendleton, S. Rich, and L. Jean Camp, Stopping the Insider at the Gates: Protecting Organizational Assets through Graph Mining, Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications, vol. 9, pp 4–29, 2018.
[12] Ponemon, 2018 Coast of Insider Threat Global organizations, Ponemon Insitute Research report, ponemon-report-cost-of-insider-threats/. Last accessed 4, 2018.
[13] A. Chuvakin and A. Barros, A Comparison of UEBA Technologies and Solution, Gartner Technical Professional Advice, pp 1–45, https://www., 2017.
[14] S. Gopalakrishnan, Data Science & Machine Learning in Cybersecurity, In: AT&T Business, vol. 3, pp 1–15, 2017.
[15] V. Kumar, P-N. Tan, M. Steinbach and A. Karpatne, Introduction to data mining 2nd edition,∼kumar001/dmbook/ index.php, 2018.
[16] S. Hung, Introduction to collaborative filtering Part1, in,, 2018.
[17] J. M. Kleinberg, Authoritative Sources in a Hyperlinked Environment, Journal of the ACM”, vol. 46, pp 604–632, 1999.
[18] L. Page and S. Brin, Anatomy of a Large-Scale Hypertextual Web Search Engine, Proceedings of the seventh international conference on World Wide Web(WWW) 7”, vol. 46, pp 107–117, 1999.
[19] A. Ravanshad, Gradient boosting versus random forest, gradient-boosting-versus-random-forest-cfa3fa8f0d80, 2018.
[20] A. Tuor, S. Kaplan, B. Hutchinson, N. Nichols and S. Robinson, Deep learning for unsupervised insider threat detection in structured cybersecurity data streams, AAAI Conference on Artificial Intelligence, 2017.
[21] F. Yuan, Y. Cao, Y. Shang, Y. Liu, J. Tan and B. Fang, Insider Threat Detection with Deep Neural Network. International conference on Computationnal Science (1), pp 43–54, 2018.
[22] E. Lewinson, Outlier Detection with Isolation Forest, outlier-detection-with-isolation-forest-3d190448d45e, 2018.
[23] L. Akoglu, M. McGlohon, and C. Faloutsos, Oddball, Spotting anomalies in weighted graphs, Pacific-Asia Conference on Knowledge Discovery and Data Mining (PAKDD), vol. 46, pp 1–12, 2010.
[24] P. P. Talukar and K. Cramer, New Regularized Algorithms for Transductive Learning, Proceedings of the European Conference on Machine Learning and Knowledge Discovery in Databases, Part II, vol. 5782, pp 442–457, 2009.
[25] W. Eberle, and L. Holder, Insider Threats Detection Using Graph-Base approaches, Cyber security Application & technologies Conference for homeland security, vol. 5782, pp 1–5, 2009.