User behavior analysis for insider attack detection using a combination of memory prediction model and recursive feature elimination algorithm
Abstract
Existing defense tools against insider attacks are rare, do not operate in real time, and suffer from low detection accuracy as the attacks become more sophisticated. Thus, a detection tool with online learning ability and better accuracy is urgently required. This study proposes an insider attack detection model that leverages an entity behavior analysis technique based on a memory prediction model combined with the recursive feature elimination (RFE) feature selection algorithm. The memory prediction model provides the ability to perform online learning, while the RFE algorithm is deployed to reduce data dimensionality. The dataset for the experiment was created from a real network with 150 active users and mixed with attack data from a publicly available dataset. The dataset is simulated on a testbed network environment consisting of a server configured to run 4 virtual servers and two other computers serving as traffic generator and detection tool. The experimental results show 94.01% detection accuracy, 95.64% precision, 99.28% sensitivity, and an F1-score of 96.08%. The proposed model is able to perform on-the-fly learning to address the evolving nature of the attacks. Combining memory prediction models with RFE for user behavior analysis is a promising approach, and achieving high accuracy is definitely a positive outcome.
Keywords
Entity behavior analysis; Insider attack; Memory prediction model; Real time detection; Recursive feature elimination
DOI: http://doi.org/10.11591/ijece.v15i2.pp1793-1804
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
International Journal of Electrical and Computer Engineering (IJECE)
p-ISSN 2088-8708, e-ISSN 2722-2578
This journal is published by the Institute of Advanced Engineering and Science (IAES) in collaboration with Intelektual Pustaka Media Utama (IPMU).