
Insider Threat Detection using Profiling and Cyber-persona Identification

Racherache, Badis (2021) Insider Threat Detection using Profiling and Cyber-persona Identification. Masters thesis, Concordia University.

Racherache_MASc_S2021.pdf - Accepted Version
Available under License Spectrum Terms of Access.

Abstract

Nowadays, insider threats represent a significant concern for government and business organizations alike. Over the last couple of years, the number of insider threat incidents increased by 47%, while the associated cost increased by 31%. In 2019, Desjardins, a Canadian bank, was a victim of a data breach caused by a malicious insider who exfiltrated confidential data of 4.2 million clients. During the same year, Capital One was also a victim of a data breach caused by an insider who stole the data of approximately 140 thousand credit cards. Thus, there is a pressing need for highly effective and fully automatic insider threat detection techniques to counter these rapidly increasing threats. Also, after detecting an insider threat security event, it is essential to get the full details on the entities causing it and to gain relevant insights into how to mitigate and prevent such events in the future.

In this thesis, we propose an elaborate insider threat detection system leveraging user profiling and cyber-persona identification. We design and implement the system as a framework that employs a combination of supervised and unsupervised machine learning and deep learning techniques, which allow modelling the normal behaviour of the insiders passively by analyzing their network traffic. We can deploy the framework as part of online traffic monitoring solutions for insider profiling and cyber-persona identification as well as for detecting anomalous network behaviours. The different models employed are assessed using specific metrics such as Accuracy, F1 score, Recall and Precision. The conducted experimental evaluation indicates that the proposed framework is efficient, scalable, and suitable for near-real-time deployment scenarios.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Racherache, Badis
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: 30 March 2021
Thesis Supervisor(s): Debbabi, Mourad
ID Code: 988431
Deposited By: Badis Racherache
Deposited On: 29 Nov 2021 17:03
Last Modified: 29 Nov 2021 17:03
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
