Insider Threat Detection Based On Heterogeneous Graph Neural Network

As one of the most challenging threats in cyberspace, insider threats frequently lead to substantial losses for enterprises. Recently, there are many studies focus on user behavior analysis for insider threats detection. However, they ignore the underlying causes of insider threats and the implicit relationships between users, which is more critical for discover the insider threats. To address this gap, we propose the novel ITDE model in this paper, which applies a graph neural network approach based on two-layer attention. The core idea is to abstracting user features and potential relationships as heterogeneous graphs based on an analysis of user behavior and the causes of insider threats. Futhermore, we employ node-level attention and semantic-level attention to capture the complex graph structure information and generate node embedding by aggregating features from meta-path based neighbors. Finally, we use a cross-entropy loss function to implement insider threat detection. We verify the effectiveness of our model on the CERT r4.2 dataset and it outperforms state-of-the-art methods in insider threat detection.