Embedding Learning with Heterogeneous Event Sequence for Insider Threat Detection

2019 
The insider threat is one of the most significant cyber security threats that an organisation can be subject to. Recent research on insider threat detection mostly focuses on finding anomalies or abnormal changes in a series of behaviors such as logon, file usage and USB connection. Such behaviors can be described as a time series of different types of events, which we call a heterogeneous event sequence. Due to the lack of intrinsic temporal relationship measures among events that contain multiple entities with categorical values, most existing work extracts the categorical action values from the heterogeneous events to calculate abnormal scores for action sequences. Different from previous work, we comprehensively consider multiple entities within the heterogeneous event and propose a principled, probabilistic model, IPHE (Insider threat detection via Probabilistic pairwise interaction and Heterogeneous Event’s entity embedding), that models the likelihood of a heterogeneous event sequence. The model embeds the entities of heterogeneous events into a common latent space to preserve nonlinear relationships between heterogeneous temporal events. The likelihood of a heterogeneous event sequence can then be computed from the pairwise interactions of the different entities of each heterogeneous event, according to the entity embeddings. In particular, because the occurrence rates of different types of events are imbalanced, we propose a typewise learning rate for IPHE to adjust the step size during the model optimization procedure. Experimental results on the CMU-CERT insider threat dataset demonstrate the effectiveness of our proposed approach over competitive baselines.