Historically, the harm caused by insiders has proven to be one of the greatest concerns for any organization. As such, it has received considerable attention from both the industrial and research communities. Existing works mainly focused on modeling the employees’ normal biometric behavior (e.g., human to device interaction pattern) to detect anomalous behavior which corresponds to the insider activity. However, it is unattainable to stop the insider at the final moment when the malicious act is being carried out. In this paper, we propose a novel framework which performs employee profiling based on aspect-based sentiments and social network information and examine its applicability for early detection of potential insider threats. On the contrary to the traditional sentiment analysis, aspect-based sentiment analysis provides more fine-grained information on the employee. Our framework employs a combination of deep learning techniques such as Gated Recurrent Unit (GRU) and skipgram to build temporal sentiment profiles for the employees. It then performs anomaly detection on the profiles and ranks the employees based on their respective anomaly score. Due to the absence of relevant benchmark dataset, we augmented the publicly available real-world Enron email corpus with an insider threat scenario to evaluate our framework. The evaluation results demonstrate that the augmentation is indeed reflected in the augmented employee’s anomaly ranking (i.e., from normal to abnormal) and her close associates are indeed placed closely to her when the profiles are visualized in the 2D space. The profiles obtained from our framework can also be used to complement any existing expert and intelligent systems with additional capabilities in handling textual information such as, integration with profiles obtained from biometric behavior to form a more comprehensive threat detection system.

Introduction

Today, insider threat has become one of the major concerns for organizations. Insiders are people with authorized access to sensitive information in an organization. The trust afforded to employees, while necessary for them to perform their tasks, exposes the organization to a wide range of insider attacks. It was reported that the damage an insider could have dealt to an organization is far worse compared to outsider attacks and could cost as much as $26.5 million1. Despite the extensive effort from both the industrial and research communities to combat the threats, there is a rising trend in all variations of insider threats2. In particular, the cases of sabotage insider attacks, such as the recent Tesla case,3 have increased by over 60% over the past two years (Ponemon, 2011). A large majority of the existing defense solutions focus on modeling the employees’ normal biometric behavior (e.g., mouse and keyboard usage) and/or network logs to detect anomalous behavior (Liu, De Vel, Han, Zhang, & Xiang, 2018). However, typical organization has a complex infrastructure and is comprised of a mix of people from different backgrounds, where each of them may have a different role in the organization. For these reasons, the insider threat problem is considerably more elusive than any other threats that the organization faces and cannot be addressed by technological means alone.