Abstract

Insider threats are a growing concern for organizations, and existing methods have fallen short in their ability to detect these threats effectively. One significant constraint of current techniques is their inability to discern between the conduct of malicious users and that of their counterparts in identical job roles. But these methods did not use features that show how different a user's behavior is from that of their peers in the same job role. This study aims to detect insider threats by analyzing the user and roles that may involve in malicious activity. Malicious users can be identified by extracting different features that describe their activities and how they differ from those of their peers. The Isolation Forest Algorithm is an unsupervised method that compares each user's variance across many attributes with those of their peers in order to identify abnormalities. The performance of the proposed approach is thoroughly evaluated through a series of experiments conducted. The results of the comparison between the proposed method and a current state-of-the-art technique confirm's that the proposed detection method is more reliable.