Research Article
Detecting Insider Threat from Behavioral Logs Based on Ensemble and Self-Supervised Learning
Table 4
The results of the competing experiment and ablation experiment for the proposed method on CERT4.2.
| | Method | DR (FPR = 0.05) | DR (FPR = 0.1) | DR (FPR = 0.5) | AUC (%) |
| | Vanilla1 + LSTM-Diag [2] | 91.7% (93.3%) | 92.5% (91.2%) | 94.5% (65.4%) | 93.3 | | Vanilla1 + DNN-Diag [2] | 92.1% (93.5%) | 92.7% (91.3%) | 94.4% (65.4%) | 93.6 | | Vanilla2 + LSTM-CNN [3] | 92.9% (93.9%) | 93.8% (91.9%) | 95.7% (65.7%) | 94.5 | | TF-IDF + OB + SS (ours) | 97.9% (96.4%) | 98.5% (94.1%) | 98.9% (66.4%) | 99.2 |
| | Vanilla1 + LR | 85.8% (90.2%) | 86.9% (88.4%) | 92.1% (64.8%) | 87.6 | | TF-IDF (+LSTM) | 88.1% (91.4%) | 89.5% (89.7%) | 93.5% (68.0%) | 89.9 | | TF-IDF + SS | 89.4% (92.1%) | 91.1% (90.5%) | 92.6% (64.9%) | 91.9 | | TF-IDF + Bagging | 93.8% (94.4%) | 94.5% (92.2%) | 95.9% (65.7%) | 95.4 | | TF-IDF + Bagging + SS | 95.1% (95.0%) | 95.8% (92.8%) | 96.2% (65.8%) | 97.1 | | TF-IDF + OB + SS (ours) | 97.9% (96.4%) | 98.5% (94.1%) | 98.9% (66.4%) | 99.2 |
|
|
SS: self-supervised; OB: Over-Bootstrap. The values within parentheses are F1 values corresponding to DR and specific FPR.
|
