HONEYTOKEN-AUGMENTED AI MODEL FOR INSIDER THREAT DETECTION USING CYBER DECEPTION AND ISOLATION FOREST

Authors

  • Dr. Ajab Khan, University of Science and Technology, Abbottabad, Pakistan
  • Usman Imtiaz, Washington University of Science and Technology (WUST), Department of Computer Science-Cyber Security, Virginia, USA
  • Fahad Amin, Member, IEEE, North American University, Department of Computer Science-Cyber Security, Houston, TX, USA

DOI:

https://doi.org/10.71146/kjmr625

Keywords:

Artificial Intelligence, Cyber Security, Insider Threat, Honeytoken, Cyber Deception, Isolation Forest, Machine Learning, Anomaly Detection, Risk Scoring

Abstract

Insider threats are hard to detect because malicious users act with legitimate credentials and authorized access. Rule-based cyber security systems struggle with insider threats, since the abnormal behaviour often violates no predefined rule. AI can do better by learning a user's normal behaviour and distinguishing anomalous behaviour from it. We propose a Honeytoken-Augmented Deception Isolation Forest model, named HAD-IF, for the detection of insider threats. It combines behavioural anomaly detection with honeytoken-based cyber deception. The anomaly detection model, Isolation Forest, identifies anomalies from the following parameters of user activity: (1) Login Time, (2) Amount of files accessed, (3) Number of unsuccessful login attempts, (4) Access to critical files, and (5) Amount of data downloaded. The cyber deception component relies on honeytokens: a honeytoken is an attractive digital bait that raises a severe alert when a malicious user interacts with it. A Python implementation of HAD-IF on synthetic user activity logs was developed. Experimental results on the simulation dataset are 97.00% Accuracy, 86.96% Precision, 100.00% Recall and 93.02% F1-score, respectively. The results indicate that combining AI-based anomaly detection with cyber deception technology improves early detection of insider threats.
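As an added illustration (not the paper's implementation), the following Python sketch reproduces the HAD-IF decision rule on a constructed synthetic log carrying the five features named in the abstract: a small from-scratch Isolation Forest scores behavioural anomalies, any honeytoken interaction overrides the score as a severe alert, and the same Accuracy/Precision/Recall/F1 metrics are computed for Isolation Forest alone and for HAD-IF. The feature ranges, the 0.6 alert threshold, the subsample size of 64 and the "stealthy insider" rows (normal-looking behaviour that touches a decoy file) are assumptions, chosen to show what the honeytoken layer adds over anomaly scoring by itself.

```python
import math
import random
# Constructed synthetic activity log, not the paper's data. Feature order per row:
# login_hour, files_accessed, failed_logins, critical_files, mb_downloaded
def make_logs(rng, n_normal=200, n_overt=5, n_stealthy=5):
    def row(lo, hi, honeytoken, malicious):
        return {"x": [rng.randint(a, b) for a, b in zip(lo, hi)],
                "honeytoken": honeytoken, "malicious": malicious}
    nlo, nhi = (8, 5, 0, 0, 1), (18, 30, 2, 1, 50)            # office-hours users
    olo, ohi = (1, 150, 6, 10, 1000), (2, 160, 7, 12, 1100)    # overt: night login, mass download
    logs = [row(nlo, nhi, False, False) for _ in range(n_normal)]
    logs += [row(olo, ohi, i % 2 == 0, True) for i in range(n_overt)]
    # stealthy insiders look behaviourally normal but open a decoy (honeytoken) file
    return logs + [row(nlo, nhi, True, True) for _ in range(n_stealthy)]
def c(n):  # average path length of an unsuccessful BST search (Isolation Forest normaliser)
    return 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n if n > 1 else 0.0
def build_tree(rows, depth, max_depth, rng):
    f = rng.randrange(len(rows[0])) if rows else 0
    lo, hi = min((r[f] for r in rows), default=0), max((r[f] for r in rows), default=0)
    if depth >= max_depth or len(rows) <= 1 or lo == hi:  # leaf: isolated, depth cap or constant feature
        return {"size": len(rows)}
    split = rng.uniform(lo, hi)
    return {"f": f, "split": split,
            "left": build_tree([r for r in rows if r[f] < split], depth + 1, max_depth, rng),
            "right": build_tree([r for r in rows if r[f] >= split], depth + 1, max_depth, rng)}
def path_length(tree, x, depth=0):
    if "f" not in tree:
        return depth + c(tree["size"])
    return path_length(tree["left"] if x[tree["f"]] < tree["split"] else tree["right"], x, depth + 1)
def fit_forest(rows, rng, n_trees=100, sample=64):
    return [build_tree(rng.sample(rows, sample), 0, math.ceil(math.log2(sample)), rng)
            for _ in range(n_trees)]
def anomaly_score(forest, x, sample=64):  # s = 2^(-E[h(x)]/c(sample)): ~0.5 normal, near 1 anomalous
    return 2 ** (-(sum(path_length(t, x) for t in forest) / len(forest)) / c(sample))
def had_if_alert(forest, log, threshold=0.6):
    # a honeytoken interaction is a severe alert on its own; otherwise fall back to the IF score
    return log["honeytoken"] or anomaly_score(forest, log["x"]) > threshold
def evaluate(flags, logs):
    tp = sum(f and l["malicious"] for f, l in zip(flags, logs))
    fp = sum(f and not l["malicious"] for f, l in zip(flags, logs))
    fn = sum(not f and l["malicious"] for f, l in zip(flags, logs))
    prec, rec = tp / max(tp + fp, 1), tp / max(tp + fn, 1)
    return {"accuracy": 1 - (fp + fn) / len(logs), "precision": prec,
            "recall": rec, "f1": 2 * prec * rec / max(prec + rec, 1e-9)}
def run_experiment(seed=7):  # returns (Isolation Forest alone, HAD-IF) metric dicts
    rng = random.Random(seed)
    logs = make_logs(rng)
    forest = fit_forest([l["x"] for l in logs], rng)
    if_only = evaluate([anomaly_score(forest, l["x"]) > 0.6 for l in logs], logs)
    return if_only, evaluate([had_if_alert(forest, l) for l in logs], logs)
```

Running `run_experiment()` shows the Isolation Forest catching the overt rows but missing the stealthy ones, while HAD-IF reaches full recall because the honeytoken alert does not depend on the behavioural score.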


Published

2025-09-29

Section

Engineering and Technology

How to Cite

HONEYTOKEN-AUGMENTED AI MODEL FOR INSIDER THREAT DETECTION USING CYBER DECEPTION AND ISOLATION FOREST. (2025). Kashf Journal of Multidisciplinary Research, 2(09), 294-313. https://doi.org/10.71146/kjmr625