Research Article
Detecting Insider Threat from Behavioral Logs Based on Ensemble and Self-Supervised Learning
Table 5
The results of the competing experiment and ablation experiment for the proposed method on CERT6.2.
| Method | DR (FPR = 0.05) | DR (FPR = 0.1) | DR (FPR = 0.5) | AUC (%) |
| --- | --- | --- | --- | --- |
| Vanilla1 + LSTM-Diag[2] | 84.7% (89.6%) | 86.1% (88.0%) | 88.3% (63.8%) | 90.4 |
| Vanilla1 + DNN-Diag[2] | 84.5% (89.4%) | 86.4% (88.2%) | 88.5% (63.9%) | 90.8 |
| Vanilla2 + LSTM-CNN[3] | 88.2% (91.5%) | 89.9% (89.9%) | 90.7% (64.5%) | 92.7 |
| TF-IDF + OB + SS (ours) | 92.4% (93.7%) | 93.7% (91.8%) | 94.8% (65.5%) | 95.3 |
| Vanilla1 + LR | 79.4% (86.5%) | 80.1% (84.8%) | 83.2% (62.5%) | 84.2 |
| TF-IDF (+LSTM) | 84.2% (89.3%) | 85.1% (87.5%) | 88.5% (63.9%) | 88.7 |
| TF-IDF + SS | 86.5% (90.6%) | 88.7% (89.3%) | 90.4% (64.4%) | 91.5 |
| TF-IDF + Bagging | 86.7% (90.7%) | 88.5% (89.2%) | 89.9% (64.3%) | 91.1 |
| TF-IDF + Bagging + SS | 91.8% (93.4%) | 93.1% (91.5%) | 94.2% (65.3%) | 94.4 |
| TF-IDF + OB + SS (ours) | 92.4% (93.7%) | 93.7% (91.8%) | 94.8% (65.5%) | 95.3 |
SS: self-supervised; OB: Over-Bootstrap. The values within parentheses are F1 values corresponding to DR and specific FPR.