Machine Learning Approach Based on Synthetic Minority Over-Sampling Technique and Isolation Forest for Insider Threat Detection

Abstract

Detecting insider threats is challenging due to insiders' deep familiarity with networks and security protocols, allowing them to bypass traditional security measures. While various methods combat insider threats, creating effective detection systems remains difficult. Research advocates using Machine Learning (ML) techniques, but handling imbalanced datasets reduces accuracy. To tackle this, this paper presents "SMOTE-IForest," merging SMOTE and IForest for insider threat detection. Testing on the CERT r6.2 dataset achieved 80.0% accuracy in detecting user behaviour. Additionally, it reached a 63.4% detection rate with a 67.0% false positive rate, boasting a high AUC of 96.0%, 93.30% precision, and 88.80% f-measure. This model addresses accuracy, detection, and false positive rate issues. SMOTE improves dataset balance by creating synthetic samples from the minority class, enhancing classification accuracy. IForest isolates anomalies, efficiently handling high-dimensional data without complex tuning, ideal for insider threat detection. The "SMOTE-IForest" model significantly strengthens insider threat detection systems by overcoming dataset imbalance and enhancing accuracy. Its precision and f-measure distinguish between normal and anomalous behaviour, aiding in addressing setbacks associated with existing studies' accuracy, detection, and false positive rates.