Conference record number:
175
Paper title:
XABA: A Zero-Knowledge Anomaly-Based Behavioral Analysis Method to Detect Insider Threats
Authors:
Zargar Abolfazl (author), Sharif University of Technology - Department of Computer Engineering; Nowroozi Alireza (author), Sharif University of Technology - Department of Computer Engineering; Jalili Rasool (author), Sharif University of Technology - Department of Computer Engineering
Number of pages:
6
Keywords:
Traitor, behavior analysis, attack detection, insider threat
Conference title:
13th International Conference of the Iranian Society of Cryptology
Document language:
Persian
English abstract:
Insider threat is a significant security risk for organizations and is hard to detect. Most existing detection methods need contextual data about users, or preprocessed user activity logs, to detect insider threats, which is costly and time-consuming. In this paper, we introduce a behavior analysis method that learns its own context and detects multiple types of insider threats from raw logs and network traffic in real time. This method, named XABA, learns user roles and exclusive behaviors by analyzing the raw logs related to each network session of the user. It then checks for abnormal patterns and, if any are found, triggers the appropriate alert. XABA is implemented on a big-stream platform so that it can operate on high rates of network sessions. To evaluate XABA, a real traitor scenario is designed and detected with a low false-positive rate. XABA can detect diverse types of scenarios in many contexts without any predefined information or preprocessed activity logs.
Conference document number:
4490210
Publication year:
1395
From page:
1
To page:
6