Most organizations today are increasingly threatened by malicious insiders. Traditional cybersecurity systems use historical logs to investigate and prevent attacks from outside the company; insider threats, however, call for new models and techniques that can distinguish normal behaviour from malicious acts. This paper proposes a system, called Insider Catcher, based on a deep neural network with Long Short-Term Memory (LSTM) that models system logs as a naturally structured sequence. The system learns the patterns that characterise users' normal usage behaviour and uses them to separate normal behaviour from malicious acts. Experiments show that the proposed system outperforms existing log-based anomaly detection strategies, particularly in real-time online settings.
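The following is an added example written for this page; it is not the authors' Insider Catcher code. It shows the shape of the detection idea the abstract describes (learn what event normally follows a given context in a user's log sequence, then flag events whose probability under that model is too low) while replacing the LSTM with a smoothed n-gram next-event model so that it runs with the Python standard library only. The log format, the event names, the users and every log line are constructed for the example.

```python
"""Sequence-based insider anomaly detection over per-user event logs.

Added example, not the paper's code. The LSTM of the paper is replaced by a
smoothed n-gram model of P(next_event | previous k events); the detection
logic (learn normal sequences, calibrate a threshold on normal data, score
events one at a time as they arrive) is what the example demonstrates.
"""
from collections import Counter, defaultdict
import math
import re

# Constructed sample log lines (not real data). The "user=... event=..."
# key=value layout is an assumption made for this example.
TRAIN_LOG = """\
2024-01-01T08:00:01 user=alice event=LOGON host=ws01
2024-01-01T08:03:10 user=alice event=OPEN_DOC host=ws01
2024-01-01T08:05:44 user=alice event=EDIT_DOC host=ws01
2024-01-01T08:20:02 user=alice event=SAVE_DOC host=ws01
2024-01-01T17:01:00 user=alice event=LOGOFF host=ws01
2024-01-01T08:10:00 user=bob event=LOGON host=ws02
2024-01-01T08:12:30 user=bob event=OPEN_DOC host=ws02
2024-01-01T08:15:00 user=bob event=EDIT_DOC host=ws02
2024-01-01T09:00:00 user=bob event=SAVE_DOC host=ws02
2024-01-01T16:45:00 user=bob event=LOGOFF host=ws02
2024-01-01T09:30:00 user=carol event=LOGON host=ws03
2024-01-01T09:31:00 user=carol event=OPEN_DOC host=ws03
2024-01-01T09:40:00 user=carol event=SAVE_DOC host=ws03
2024-01-01T18:00:00 user=carol event=LOGOFF host=ws03
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)")


def parse_sequences(log_text):
    """Group events per user in log order: {user: [event, ...]}."""
    seqs = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting
        seqs[m.group("user")].append(m.group("event"))
    return dict(seqs)


class NextEventModel:
    """Add-alpha smoothed n-gram model of the next event given k prior events."""

    def __init__(self, k=2, alpha=0.1):
        self.k = k
        self.alpha = alpha
        self.counts = defaultdict(Counter)  # context tuple -> Counter(next event)
        self.vocab = set()

    def fit(self, sequences):
        for seq in sequences:
            padded = ["<s>"] * self.k + list(seq)
            for i in range(self.k, len(padded)):
                ctx = tuple(padded[i - self.k:i])
                self.counts[ctx][padded[i]] += 1
                self.vocab.add(padded[i])
        return self

    def prob(self, ctx, event):
        """Smoothed P(event | ctx); never-seen events keep a small mass."""
        c = self.counts.get(ctx, Counter())
        total = sum(c.values())
        v = len(self.vocab) + 1  # +1 reserves mass for unseen event types
        return (c[event] + self.alpha) / (total + self.alpha * v)

    def surprisal(self, ctx, event):
        """-log P: larger means the event is less expected in this context."""
        return -math.log(self.prob(ctx, event))


def calibrate_threshold(model, sequences, margin=0.25):
    """Threshold = worst surprisal observed on normal data, plus a margin."""
    worst = 0.0
    for seq in sequences:
        padded = ["<s>"] * model.k + list(seq)
        for i in range(model.k, len(padded)):
            worst = max(worst, model.surprisal(tuple(padded[i - model.k:i]), padded[i]))
    return worst + margin


def detect_online(model, threshold, stream):
    """Consume events one at a time, as a real-time monitor would, and
    return the 0-based positions whose surprisal exceeds the threshold.
    Note that an event right after an anomaly is scored in an unfamiliar
    context and may itself be flagged."""
    flagged = []
    ctx = ["<s>"] * model.k
    for i, ev in enumerate(stream):
        if model.surprisal(tuple(ctx), ev) > threshold:
            flagged.append(i)
        ctx = (ctx + [ev])[-model.k:]
    return flagged


def run_demo():
    """Train on the constructed log, then score a normal and a suspicious stream."""
    sequences = list(parse_sequences(TRAIN_LOG).values())
    model = NextEventModel(k=2, alpha=0.1).fit(sequences)
    threshold = calibrate_threshold(model, sequences)
    normal = ["LOGON", "OPEN_DOC", "EDIT_DOC", "SAVE_DOC", "LOGOFF"]
    suspicious = ["LOGON", "OPEN_DOC", "COPY_TO_USB", "LOGOFF"]  # COPY_TO_USB never seen
    return {
        "threshold": threshold,
        "normal": detect_online(model, threshold, normal),
        "suspicious": detect_online(model, threshold, suspicious),
    }


if __name__ == "__main__":
    print(run_demo())  # normal stream -> [], suspicious stream -> [2, 3]
```

The threshold is calibrated only on traffic assumed to be normal, which is the same operational assumption the LSTM approach makes: the model learns what usual activity looks like, and anything it assigns a low probability is surfaced for an analyst to review rather than treated as proof of malice.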
Lu et al. (Mon,) studied this question.