
Research Article
Zero-Day Insider Threat Detection via Attention-Based Neural Networks on Synthetic Access Logs
@INPROCEEDINGS{10.4108/eai.28-4-2025.2357943, author={Deepthi Bolukonda and Rupesh Kumar Mishra and Indrajeet Gupta}, title={Zero-Day Insider Threat Detection via Attention-Based Neural Networks on Synthetic Access Logs}, proceedings={Proceedings of the 4th International Conference on Information Technology, Civil Innovation, Science, and Management, ICITSM 2025, 28-29 April 2025, Tiruchengode, Tamil Nadu, India, Part I}, publisher={EAI}, proceedings_a={ICITSM PART I}, year={2025}, month={10}, keywords={insider threat detection, zero-day attack detection, synthetic data generation, attention-based GRU, anomaly detection}, doi={10.4108/eai.28-4-2025.2357943} }
- Deepthi Bolukonda
- Rupesh Kumar Mishra
- Indrajeet Gupta
Year: 2025
Zero-Day Insider Threat Detection via Attention-Based Neural Networks on Synthetic Access Logs
ICITSM PART I
EAI
DOI: 10.4108/eai.28-4-2025.2357943
Abstract
Insider threats, especially zero-day threats from privileged users, are hard to defend against because their behaviour is difficult to encode as attack rules, they leave no signature to match, and labelled examples are rare. Current detection methods, such as rule-based systems, statistical anomaly detection, and supervised learning, struggle to detect new insider behaviours, especially those that closely resemble genuine activity. In addition, lack of access to real insider threat data, owing to privacy and confidentiality concerns, hinders the development of accurate models. To tackle these challenges, we propose a hybrid solution that combines synthetic data generation with tabular deep generative models (the GAN-based CTGAN and CopulaGAN, and the variational-autoencoder TVAE) and an attention-based GRU (Gated Recurrent Unit) neural network. The generators enrich the training set by synthesizing realistic malicious and benign activity logs that emulate zero-day insider behaviour. The attention mechanism in the GRU model adds interpretability, letting the network focus on the user actions that are contextually relevant within an activity session. Experiments on the CERT Insider Threat Dataset v6.2 show that our approach substantially improves detection, reaching an F1-score of 0.89 and a zero-day detection AUC of 0.92. The model also generalizes well to new user roles, demonstrating its ability to recognize intricate and stealthy insider behaviours.
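The abstract names three pieces a practitioner would want to see concretely: turning raw access-log rows into per-user activity sessions, an attention layer over GRU hidden states that yields a weight per event (the interpretability claim), and threshold-free evaluation by AUC alongside F1. The block below is an added, self-contained illustration of those three pieces and is not the authors' code; it does not cover the CTGAN/TVAE/CopulaGAN synthesis step. The log lines are constructed and only loosely follow the comma-separated `id,date,user,pc,activity` layout of CERT's logon/device/http tables (an assumption), the session rule (Logon to Logoff) is an assumption, and the GRU and attention weights are seeded random values, so the scores and attention weights show the mechanics rather than a trained detector.

```python
"""CERT-style log lines -> Logon..Logoff sessions -> attention-GRU score -> F1/AUC.
Pure Python, no dependencies. Added example; weights are untrained."""
import math
import random

# Constructed sample rows (id,date,user,pc,activity); not real CERT data.
LOG_LINES = """\
{A1},01/06/2010 08:02:11,ACM2278,PC-1,Logon
{A2},01/06/2010 08:15:40,ACM2278,PC-1,http://cnn.com
{A3},01/06/2010 09:01:02,ACM2278,PC-1,file copy
{A4},01/06/2010 17:30:00,ACM2278,PC-1,Logoff
{B1},01/06/2010 23:12:09,CDE1846,PC-7,Logon
{B2},01/06/2010 23:14:51,CDE1846,PC-7,Connect
{B3},01/06/2010 23:20:03,CDE1846,PC-7,file copy
{B4},01/06/2010 23:21:17,CDE1846,PC-7,http://wikileaks.org
{B5},01/06/2010 23:25:40,CDE1846,PC-7,Disconnect
{B6},01/06/2010 23:26:00,CDE1846,PC-7,Logoff
""".splitlines()


def tokenize(activity, hour):
    """Coarse action token; after-hours actions get a distinct token so the
    sequence model sees time context (assumed bucketing: before 07 or after 19)."""
    act = "http" if activity.startswith("http") else activity.lower()
    return act + ("@night" if hour < 7 or hour > 19 else "")


def build_sessions(lines):
    """Split each user's chronological rows into Logon..Logoff token sequences."""
    sessions, open_sess = {}, {}
    for line in lines:
        _id, ts, user, _pc, activity = line.split(",", 4)
        hour = int(ts.split(" ")[1].split(":")[0])
        tok = tokenize(activity, hour)
        if activity == "Logon":
            open_sess[user] = [tok]
        elif user in open_sess:
            open_sess[user].append(tok)
            if activity == "Logoff":
                sessions.setdefault(user, []).append(open_sess.pop(user))
    return sessions


def _mat(rows, cols, rng):
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]


def _mv(W, x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]


def _sig(z):
    return 1.0 / (1.0 + math.exp(-z))


class AttnGRU:
    """One-layer GRU with additive attention over all hidden states.
    Weights are seeded random (untrained); training is out of scope here."""

    def __init__(self, vocab, hidden=4, seed=7):
        rng = random.Random(seed)
        self.vocab = {tok: i for i, tok in enumerate(sorted(vocab))}
        d, self.h = len(self.vocab), hidden
        self.Wz, self.Uz = _mat(hidden, d, rng), _mat(hidden, hidden, rng)
        self.Wr, self.Ur = _mat(hidden, d, rng), _mat(hidden, hidden, rng)
        self.Wh, self.Uh = _mat(hidden, d, rng), _mat(hidden, hidden, rng)
        self.Wa = _mat(hidden, hidden, rng)
        self.va = [rng.uniform(-0.5, 0.5) for _ in range(hidden)]
        self.wo = [rng.uniform(-0.5, 0.5) for _ in range(hidden)]

    def _step(self, x, h):
        # Standard GRU update: update gate z, reset gate r, candidate state.
        z = [_sig(a + b) for a, b in zip(_mv(self.Wz, x), _mv(self.Uz, h))]
        r = [_sig(a + b) for a, b in zip(_mv(self.Wr, x), _mv(self.Ur, h))]
        rh = [ri * hi for ri, hi in zip(r, h)]
        cand = [math.tanh(a + b) for a, b in zip(_mv(self.Wh, x), _mv(self.Uh, rh))]
        return [(1 - zi) * hi + zi * ci for zi, hi, ci in zip(z, h, cand)]

    def forward(self, session):
        """Return (score in (0,1), attention weight per event); weights sum to 1."""
        states, h = [], [0.0] * self.h
        for tok in session:
            x = [0.0] * len(self.vocab)
            x[self.vocab[tok]] = 1.0
            h = self._step(x, h)
            states.append(h)
        energies = [sum(v * math.tanh(u) for v, u in zip(self.va, _mv(self.Wa, s)))
                    for s in states]
        m = max(energies)
        exps = [math.exp(e - m) for e in energies]
        alpha = [e / sum(exps) for e in exps]          # softmax over events
        ctx = [sum(a * s[i] for a, s in zip(alpha, states)) for i in range(self.h)]
        return _sig(sum(w * c for w, c in zip(self.wo, ctx))), alpha


def f1_score(labels, scores, threshold=0.5):
    tp = sum(1 for y, s in zip(labels, scores) if y and s >= threshold)
    fp = sum(1 for y, s in zip(labels, scores) if not y and s >= threshold)
    fn = sum(1 for y, s in zip(labels, scores) if y and s < threshold)
    return 0.0 if tp == 0 else 2 * tp / (2 * tp + fp + fn)


def roc_auc(labels, scores):
    """AUC as P(score_pos > score_neg) with ties counted half: threshold-free,
    which is why it suits a zero-day setting where the operating point is unknown."""
    pos = [s for y, s in zip(labels, scores) if y]
    neg = [s for y, s in zip(labels, scores) if not y]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def score_sessions(lines):
    """Run the whole pipeline; returns {user: (score, attention, session)}."""
    sessions = build_sessions(lines)
    vocab = {tok for seqs in sessions.values() for seq in seqs for tok in seq}
    model = AttnGRU(vocab)
    return {u: (*model.forward(seqs[0]), seqs[0]) for u, seqs in sessions.items()}


if __name__ == "__main__":
    for user, (score, alpha, seq) in score_sessions(LOG_LINES).items():
        top = max(range(len(seq)), key=alpha.__getitem__)
        print(f"{user}: score={score:.3f} most-attended event={seq[top]!r} ({alpha[top]:.2f})")
```

With the constructed rows, `CDE1846`'s session consists entirely of `@night` tokens (device connect, file copy, HTTP, disconnect), which is the kind of session a trained model would be expected to weight and score highly; with these untrained weights the printed score is arbitrary, but the attention vector still shows how one weight per event is produced and read back for an analyst.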