Insider threat detection based on user behavior modeling and anomaly detection algorithms

Junhong Kim, Minsik Park, Haedong Kim, Suhyoun Cho, Pilsung Kang

Research output: Contribution to journalArticlepeer-review

50 Citations (Scopus)


Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization's system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user's daily activity summary, e-mail contents topic distribution, and user's weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts' knowledge is provided.

Original languageEnglish
Article number4018
JournalApplied Sciences (Switzerland)
Issue number19
Publication statusPublished - 2019 Oct 1

Bibliographical note

Funding Information:
This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. NRF-2019R1F1A1060338) and Korea Electric Power Corporation (Grant number: R18XA05).

Publisher Copyright:
© 2019 by the authors.


  • Anomaly detection
  • Behavioral model
  • E-mail network
  • Insider threat detection
  • Latent dirichlet allocation
  • Machine learning

ASJC Scopus subject areas

  • General Materials Science
  • Instrumentation
  • General Engineering
  • Process Chemistry and Technology
  • Computer Science Applications
  • Fluid Flow and Transfer Processes


Dive into the research topics of 'Insider threat detection based on user behavior modeling and anomaly detection algorithms'. Together they form a unique fingerprint.

Cite this