Insider Threat detection using Isolation Forest

University essay from Lunds universitet/Institutionen för elektro- och informationsteknik

Abstract: In contrast to the need for companies to get real-time information about insider threats, there is a privacy- and integrity-based limitation on what the individual accepts as acceptable surveillance. This creates a problem, since performing online surveillance would pose an infringement on the employees' privacy and integrity. Therefore we present a model using Isolation Forest to solve this problem. We focus on analyzing the non-intrusive features in a real-time, event-based approach. We process our features using periodic features, which we have statistically proven to be more effective than periodic features used with Isolation Forest. Our results show that by analyzing employees' login and logout times, we can detect 76% of all insider threats while only falsely classifying 7% of all normal instances. The recall rate, which shows how complete the results are, is 76%.
