Personalized User Profiles-based Insider Threat Detection for Distributed File System

Title: Personalized User Profiles-based Insider Threat Detection for Distributed File System
Publication Type: Conference Paper
Year of Publication: 2022
Authors: Xin, Wu; Shen, Qingni; Feng, Ke; Xia, Yutang; Wu, Zhonghai; Lin, Zhenghao
Conference Name: 2022 IEEE International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)
Date Published: Dec
Keywords: Authorization, Clustering algorithms, Collaboration, Data security, distributed file system, Estimation, false trust, File systems, HDFS, Industries, Insider Threat Detection, machine learning, Measurement, policy-based governance, pubcrawl, resilience, Resiliency, Scalability, User profile
Abstract: In recent years, data security incidents caused by insider threats in distributed file systems have attracted the attention of academia and industry. The most common way to detect insider threats is based on user profiles. Through analysis, we realize that existing user profiles are not efficient enough, and there are many false positives when a stable user profile has not yet been formed. In this work, we propose personalized user profiles and design an insider threat detection framework, which can intelligently detect insider threats for securing distributed file systems in real time. To generate personalized user profiles, we come up with a time window-based clustering algorithm and a weighted kernel density estimation algorithm. Compared with non-personalized user profiles, both the Recall and Precision of insider threat detection based on personalized user profiles have been improved, resulting in their harmonic mean F1 increasing to 96.52%. Meanwhile, to reduce the false positives of insider threat detection, we put forward operation recommendations based on user similarity to predict new operations that users will produce in the future, which can reduce the false positive rate (FPR). The FPR is reduced to 1.54% and the false positive identification rate (FPIR) is as high as 92.62%. Furthermore, to mitigate the risks caused by inaccurate authorization for users, we present user tags based on operation content and permission. The experimental results show that our proposed framework can detect insider threats more effectively and precisely, with lower FPR and high FPIR.
DOI: 10.1109/TrustCom56396.2022.00204
Citation Key: xin_personalized_2022
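The abstract above names three ingredients without detailing them: per-user profiles built from time-windowed operations with a weighted kernel density estimate, a density threshold for flagging anomalous operations, and a user-similarity step that suppresses alerts on users whose profile is not yet stable. The following Python block is an added illustration of that general shape, written for this record; it is not the paper's algorithm, and the audit events, the feature choice (hour of day and log2 of bytes), the bandwidths, the decay factor and the thresholds are all constructed assumptions.

```python
"""Per-user behavioural profiles for a distributed file system audit stream.

Added illustration only: NOT the algorithm from Xin et al. (TrustCom 2022).
It shows the idea the abstract describes: group each user's operations by
time window, down-weight old windows, fit a weighted Gaussian kernel density
estimate (KDE) per user, score new operations against it, and consult the
most similar user's profile before alerting on a user whose own profile is
not yet stable.  All records and constants below are constructed.
"""
import math
from collections import defaultdict

# Constructed HDFS-style audit events: (user, time_window, op, hour_of_day, bytes)
EVENTS = [
    ("alice", 1, "open", 9, 1_000_000), ("alice", 1, "open", 10, 2_000_000),
    ("alice", 2, "open", 9, 1_500_000), ("alice", 2, "open", 10, 1_200_000),
    ("alice", 3, "open", 10, 1_800_000), ("alice", 3, "open", 9, 900_000),
    ("bob", 1, "open", 9, 1_100_000), ("bob", 2, "open", 11, 1_300_000),
    ("bob", 3, "create", 15, 500_000), ("bob", 3, "create", 15, 700_000),
    ("carol", 3, "open", 9, 1_000_000), ("carol", 3, "open", 11, 1_200_000),  # new user
]
MIN_EVENTS_FOR_STABLE_PROFILE = 4   # assumed: fewer events => profile "not yet formed"
BANDWIDTH = (1.5, 1.0)              # kernel widths: hours, log2(bytes)  (assumed)
DECAY = 0.8                         # weight multiplier per window of age (assumed)
THRESHOLD_FRACTION = 0.05           # alert below 5% of the profile's median training density


def features(hour, nbytes):
    # Simplification: hour is treated linearly, so 23:00 and 01:00 are far apart.
    return (float(hour), math.log2(nbytes + 1))


def weighted_kde(points, weights, bandwidth):
    """Return density(x) for a 2-D product-Gaussian KDE with per-point weights."""
    total_w = sum(weights)
    norm = total_w * 2 * math.pi * bandwidth[0] * bandwidth[1]

    def density(x):
        acc = 0.0
        for p, w in zip(points, weights):
            z2 = sum(((xi - pi) / h) ** 2 for xi, pi, h in zip(x, p, bandwidth))
            acc += w * math.exp(-0.5 * z2)
        return acc / norm
    return density


def build_profiles(events):
    """One profile per user: KDE over (hour, log-bytes); recent windows weigh more."""
    per_user = defaultdict(list)
    for user, window, op, hour, nbytes in events:
        per_user[user].append((window, op, hour, nbytes))
    profiles = {}
    for user, recs in per_user.items():
        latest = max(w for w, *_ in recs)
        pts = [features(h, b) for _, _, h, b in recs]
        wts = [DECAY ** (latest - w) for w, *_ in recs]
        dens = weighted_kde(pts, wts, BANDWIDTH)
        train = sorted(dens(p) for p in pts)
        median = train[len(train) // 2]
        profiles[user] = {
            "density": dens,
            "threshold": THRESHOLD_FRACTION * median,
            "stable": len(recs) >= MIN_EVENTS_FOR_STABLE_PROFILE,
            "ops_seen": {(op, h) for _, op, h, _ in recs},
        }
    return profiles


def most_similar_user(profiles, user):
    """Jaccard similarity over (operation, hour) pairs; returns the best other user."""
    mine = profiles[user]["ops_seen"]
    best, best_sim = None, 0.0
    for other, prof in profiles.items():
        if other == user:
            continue
        theirs = prof["ops_seen"]
        sim = len(mine & theirs) / len(mine | theirs) if mine | theirs else 0.0
        if sim > best_sim:
            best, best_sim = other, sim
    return best


def classify(profiles, user, op, hour, nbytes):
    """'normal', 'alert', or 'recommended' (unstable profile, peer finds it normal)."""
    prof = profiles[user]
    x = features(hour, nbytes)
    if prof["density"](x) >= prof["threshold"]:
        return "normal"
    if not prof["stable"]:
        peer = most_similar_user(profiles, user)
        if peer and profiles[peer]["density"](x) >= profiles[peer]["threshold"]:
            return "recommended"
    return "alert"


if __name__ == "__main__":
    profiles = build_profiles(EVENTS)
    print(classify(profiles, "alice", "open", 10, 1_500_000))
    print(classify(profiles, "alice", "open", 3, 10_000_000_000))
    print(classify(profiles, "carol", "create", 15, 500_000))
```

The "recommended" outcome is where a false positive is avoided: carol has two events, so her own KDE puts almost no mass on a 15:00 create, but bob, the user with the highest Jaccard overlap on (operation, hour) pairs, does that routinely, so the operation is recorded as a predicted new operation rather than an alert. A practitioner would tune the bandwidths and the stability threshold per deployment and add wrap-around for hour of day before relying on this.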