Towards an Explainable Approach for Insider Threat Detection: Constraint Network Learning

2020 International Conference on Intelligent Data Science Technologies and Applications (IDSTA)(2020)

Citations: 2 | Views: 9
Abstract
Insider threats are considered a major threat to information and communication technology (ICT) systems and an important source of vulnerabilities from a security perspective. The technical knowledge that insiders have about the ICT systems, such as their IT infrastructure, the high volume of data generated by other employees of the company, which hides the insiders' activities, their access rights, as well as the confidentiality of the data to which they have access, create the perfect scenario for a powerful yet undetected attack. State-of-the-art techniques and security operations center tools struggle to provide effective solutions for recognising these threats. Therefore, in this paper, we propose a novel artificial-intelligence-based constraint learning technique to help detect them. The approach builds an optimized constraint network representing the nominal behaviour of an employee and detects threatening events when their associated cost is above a certain threshold. The threshold is learnt alongside the constraint network model. The proposed approach is based on detection models able to provide human-interpretable feedback regarding the detection performed. This information is crucial in helping system operators understand why a detection has occurred and act promptly on the threat. The explanation comes directly from the structure of the detection model and relies on identifying which constraints are being violated. The approach is tested on the CERT insider threat dataset v4.2 and the results obtained look promising, achieving at least the same accuracy as other state-of-the-art techniques while also providing the details of the constraints broken by the threat. A comparison with state-of-the-art techniques applied to this dataset is also provided, showing the strength of our results.
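The mechanism the abstract describes (nominal behaviour encoded as constraints, an event's cost derived from the constraints it breaks, a threat flagged when that cost exceeds a learnt threshold, and an explanation read straight off the violated constraints) can be illustrated with a small weighted-constraint detector. The block below is an added example, not the paper's constraint network, its optimisation or its joint threshold learning: the constraint set, the per-constraint costs, the threshold rule (highest nominal cost plus a margin), the feature names (`hour`, `device_events`, `bytes_out`, `new_external_domain`) and the per-day activity summaries are all constructed assumptions, and the CERT dataset is not used.

```python
"""Weighted-constraint insider-threat detector with violated-constraint explanations.

Added illustration of the idea in the abstract. NOT the paper's constraint
network or learning procedure: constraints, costs, threshold rule, field names
and events are all constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]


@dataclass(frozen=True)
class Constraint:
    name: str                       # used verbatim in the explanation
    holds: Callable[[Event], bool]  # True when the event respects nominal behaviour
    cost: float                     # charged when the constraint is violated


# Constructed constraints describing one employee's nominal behaviour.
# Field names are assumed features summarised from logon, device, file and
# HTTP logs; they are not taken from the paper.
CONSTRAINTS: List[Constraint] = [
    Constraint("logon_within_office_hours", lambda e: 7 <= e["hour"] <= 19, 1.0),
    Constraint("no_removable_device_use", lambda e: e["device_events"] == 0, 2.0),
    Constraint("upload_volume_within_norm", lambda e: e["bytes_out"] <= 5_000_000, 1.5),
    Constraint("no_new_external_domain", lambda e: not e["new_external_domain"], 1.0),
]


def violated(event: Event, constraints: List[Constraint] = CONSTRAINTS) -> List[Constraint]:
    """Constraints the event breaks, in definition order."""
    return [c for c in constraints if not c.holds(event)]


def cost(event: Event, constraints: List[Constraint] = CONSTRAINTS) -> float:
    """Total cost of an event: the sum of the costs of its violated constraints."""
    return sum(c.cost for c in violated(event, constraints))


def learn_threshold(nominal: List[Event], constraints: List[Constraint] = CONSTRAINTS,
                    margin: float = 0.5) -> float:
    """Assumed threshold rule: the highest cost observed on nominal data plus a
    margin, so every nominal event is accepted. The paper learns the threshold
    jointly with the network; this simple rule only stands in for that step."""
    return max(cost(e, constraints) for e in nominal) + margin


def detect(event: Event, threshold: float,
           constraints: List[Constraint] = CONSTRAINTS) -> Tuple[bool, float, List[str]]:
    """Return (is_threat, cost, explanation). The explanation is the list of
    violated constraint names, i.e. it comes from the model structure itself."""
    broken = violated(event, constraints)
    total = sum(c.cost for c in broken)
    return total > threshold, total, [c.name for c in broken]


# Constructed per-day activity summaries for one employee (not CERT data).
NOMINAL: List[Event] = [
    {"hour": 9, "device_events": 0, "bytes_out": 200_000, "new_external_domain": False},
    {"hour": 20, "device_events": 0, "bytes_out": 100_000, "new_external_domain": False},
    {"hour": 12, "device_events": 0, "bytes_out": 50_000, "new_external_domain": True},
]
SUSPICIOUS: Event = {"hour": 23, "device_events": 3, "bytes_out": 40_000_000,
                     "new_external_domain": True}
BORDERLINE: Event = {"hour": 10, "device_events": 1, "bytes_out": 1_000,
                     "new_external_domain": False}

if __name__ == "__main__":
    thr = learn_threshold(NOMINAL)
    for label, ev in (("suspicious", SUSPICIOUS), ("borderline", BORDERLINE)):
        flag, total, why = detect(ev, thr)
        print(f"{label}: threat={flag} cost={total} threshold={thr} violated={why}")
```

With the constructed data the threshold comes out at 1.5, so a single off-hours logon (cost 1.0) stays below it while a single removable-device event (cost 2.0) is flagged with `no_removable_device_use` as the explanation; the operator sees which constraint fired rather than an opaque score. The costs play the role of the weights the paper optimises; in practice they, the constraints and the threshold would be fitted to the employee's history instead of being hand-set as here.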
Keywords
Anomaly detection, Insider threat, Constraint Programming, Machine Learning, Constraint Learning, Security Operations Center