Graph-based insider threat detection: A survey

Insider threat detection has been a significant topic in recent years. However, as network technology develops, the intranet becomes more complex. Therefore, simply matching attack patterns or using traditional machine learning methods (Logistic Regression, Gaussian-NB, Random Forest, etc.) does not work well. On the other hand, the graph structure can better adapt to intranet data, thus graph-based insider threat detection methods have become mainstream. In order to study the design and effectiveness of graph-based insider threat detection, in this paper, we conduct a systematic and comprehensive survey of existing related research. Specifically, we provide a framework and a taxonomy based on the detection process, classifying existing work from three aspects: data collection, graph construction, and graph anomaly detection. We conduct a quantitative analysis of existing representative graph methods and find that the models with more information have better performance. In particular, we discuss the scalability of existing methods to large-scale networks and their feasibility in real environments. Based on the survey results, we propose 7 pain points in this field and provide specific future research directions. Our survey will provide future researchers with a complete solution.