Concepedia

Publication | Closed Access

Insider Threat Detection via Hierarchical Neural Temporal Point Processes

Citations: 39

References: 23

Year: 2019

TLDR

Insider attacks cause significant organizational losses and are difficult to detect; existing methods analyze audit logs but mainly model activity types, neglecting temporal information. This study proposes a hierarchical neural temporal point process model that integrates temporal point processes with recurrent neural networks for insider threat detection. The model employs a two‑level architecture that captures nonlinear dependencies across activity times, types, session durations, and intervals. Experiments on two datasets show the model outperforms approaches that use only activity types or only time information.

Abstract

Insiders usually cause significant losses to organizations and are hard to detect. Currently, various approaches have been proposed to achieve insider threat detection based on analyzing the audit data that record information of the employee’s activity type and time. However, the existing approaches usually focus on modeling the users’ activity types but do not consider the activity time information. In this paper, we propose a hierarchical neural temporal point process model by combining the temporal point processes and recurrent neural networks for insider threat detection. Our model is capable of capturing a general nonlinear dependency over the history of all activities by the two-level structure that effectively models activity times, activity types, session durations, and session intervals information. Experimental results on two datasets demonstrate that our model outperforms the models that only consider information of the activity types or time alone.
