ABSTRACT

Insider threats pose a significant concern for critical information infrastructures. Graph neural networks are widely used for detection due to their ability to model complex relationships among network entities. However, deep learning algorithms struggle with learning from business system data as anomalies are extremely rare. To tackle this challenge, we propose deep temporal graph infomax (DTGI), a new method for detecting insider threats in real-world scenarios with highly imbalanced data. DTGI utilizes an extended continuous-time dynamic heterogeneous graph network and a behavior context constraint anomaly sample generator. This generator incorporates attack behavior context constraints to augment attack samples and enhance the performance of the supervised model. Extensive experiments conducted on the CERT dataset, consisting of over one million records, demonstrate that DTGI surpasses state-of-the-art methods in terms of detection performance.

KEYWORDS: Insider threat; anomaly detection; dynamic graph; graph neural network; graph contrastive learning

Disclosure statement

No potential conflict of interest was reported by the author(s).

Additional information

Funding

This work is supported by the State Grid Science and Technology Project [Project No. 5108-202224046A-1-1-ZN].