Abstract
Insider threats constitute a major problem for many organizations. Traditional security mechanisms, such as intrusion detection systems and firewalls, do not represent optimal solutions for insider threat detection and prevention. That is because insider threats are generally performed by people that are already trusted, and who possess access to, and knowledge of, important organizational assets. In this thesis, we explore three possible approaches to applying machine learning to classify insider threat behaviors; supervised-, unsupervised-, and reinforcement learning. We describe the development of an unsupervised machine learning system that aims to detect malicious insider threat activity by analyzing data from different technical sources. The system was developed to be simple and easy to assemble. By utilizing existing machine learning algorithms we tested the performance of this system. The results showed that the system was able to detect malicious insider activity with a weak to moderate positive relationship in the training phase, and a negligent positive relationship in the testing phase. The results suggest that we cannot solely rely on this machine learning system for the detection of insider threats with the system in its current state. We conclude from these preliminary explorations that machine learning shows some promise as a measure for insider threat detection if used in adjunct to manual forensics work. To improve the performance of the current system, it seems necessary to include more substance to the selected features, such as the name of files, subject and header of e-mail, what type of websites are visited. In addition, the physical security and cybersecurity aspects, as well as psychological, and organizational factors should be addressed when considering the insider threat. Future research should focus on acquiring real datasets, aggregation of insider threat scenarios and use cases, and testing different machine learning approaches both from technical and non-technical sources.