TY - JOUR
T1 - Double-Layer Detection of Internal Threat in Enterprise Systems Based on Deep Learning
AU - He, Daojing
AU - Lv, Xin
AU - Xu, Xueqian
AU - Chan, Sammy
AU - Choo, Kim-Kwang Raymond
PY - 2024
Y1 - 2024
N2 - In recent years, phishing email-mediated attacks have been proliferating. When the victims are enterprise employees, the internal security of the enterprise systems is also threatened. Currently, blockchain technology can effectively improve the security and privacy of traditional email, but attacks initiated from within remain fatal. Therefore, we propose a double-layer detection framework in this paper. First, from the perspective of individual security, Long Short-Term Memory (LSTM) and extreme gradient boosting trees (XGBoost) are used to build a phishing email detection model. The model's generalization ability and precision rate are improved by adding a custom loss function to the training process. Then, from the perspective of group security, a Bidirectional LSTM with an attention mechanism is used to build an insider threat detection model. Our model achieves better results for multi-domain time series and anomaly detection in comparison to different models and existing insider threat detection models. We test the effectiveness of the proposed framework on real phishing email cases and insider threat attack events on our simulation verification platform. The experimental results demonstrate that the proposed framework can protect enterprise systems from phishing attacks and insider threats. We also point out that this framework can be applied to mitigate the increasingly serious blockchain security threats. © 2024 IEEE.
AB - In recent years, phishing email-mediated attacks have been proliferating. When the victims are enterprise employees, the internal security of the enterprise systems is also threatened. Currently, blockchain technology can effectively improve the security and privacy of traditional email, but attacks initiated from within remain fatal. Therefore, we propose a double-layer detection framework in this paper. First, from the perspective of individual security, Long Short-Term Memory (LSTM) and extreme gradient boosting trees (XGBoost) are used to build a phishing email detection model. The model's generalization ability and precision rate are improved by adding a custom loss function to the training process. Then, from the perspective of group security, a Bidirectional LSTM with an attention mechanism is used to build an insider threat detection model. Our model achieves better results for multi-domain time series and anomaly detection in comparison to different models and existing insider threat detection models. We test the effectiveness of the proposed framework on real phishing email cases and insider threat attack events on our simulation verification platform. The experimental results demonstrate that the proposed framework can protect enterprise systems from phishing attacks and insider threats. We also point out that this framework can be applied to mitigate the increasingly serious blockchain security threats. © 2024 IEEE.
KW - deep learning
KW - double-layer detection
KW - insider threat
KW - Phishing attack
KW - simulation verification
UR - http://www.scopus.com/inward/record.url?scp=85187388933&partnerID=8YFLogxK
UR - https://www.scopus.com/record/pubmetrics.uri?eid=2-s2.0-85187388933&origin=recordpage
U2 - 10.1109/TIFS.2024.3372771
DO - 10.1109/TIFS.2024.3372771
M3 - RGC 21 - Publication in refereed journal
SN - 1556-6013
VL - 19
SP - 4741
EP - 4751
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
ER -