Peer Group Metadata-Informed LSTM Ensembles for Insider Threat Detection

Matterer, Jason (MIT Lincoln Laboratory) | LeJeune, Daniel (Rice University)

AAAI Conferences 

The problem of detecting insider threats, i.e., authorized individuals who pose a threat to an organization, is challenging. Since insiders have authorized access to sensitive data and systems and use them on a day-to-day basis, the difference between an attack and benign normal behavior is small. We propose a method to address these issues by leveraging peer group metadata to build more robust models of normal behavior, and we investigate how to use several of these models together and aggregate their results. Our experiments show that the use of peer group metadata improves performance over individual models trained using either hand-crafted features or event sequences.
