Insider Attacker Detection Based On Body Language and Technical Behavior Using Light Gradient Boosting Machine (LightGBM)

One of most important challenges in cyber security is detecting the insider attacker, where organizations security suffers from the insider attacker, which is an employee (person) with an authorized access to resources and data of an organization then used the access to harm the organization. The insiders are categorizing as active insiders (masquerade and cause physical damage) or passive insider (provide only information). The previous security systems focus on the technical anomaly of an employee to discover the active insider attacker and cannot discover it, if there is not technical anomaly (passive attacker). This paper propose approach to obtain early indicator to passive insider attacker before doing the crime, where body language-based approach used to give earlier alarm of insider attacker. By using three of negative body language gestures (Cross Arms, Clasped Hands, Covering the Mouth) which referred to feeling of insecure, ready for an attack, doubt and a lack of self-confidence, these feelings are the closest to the feelings of the internal attacker. These gestures obtained by use skeleton features from video stream provided by Orbbec Astra Pro camera after passed to rule based classifier to recognize each one of the three body language gestures. Then determined the degree of trust based on the duration of the gesture and the number of occurrences of the same gesture or different gestures and depending on the degree of trust, the organization is alerted to the questionable employees. The test performs on ten of employees, four insider attackers were planted among them, and the results show 70% accuracy of detects the insiders, this approach will detect insider attacker before started his malicious work. Also this paper solves the active attacker, where in reality, the number of malicious events is very small in relation to the number of normal events of the employee, so it was necessary to use a method that accurately characterized this number of harmful behaviors. Several previous studies used complex methods such as deep learning to solve this problem. In this thesis, we used a simpler and faster solution that gave accurate results, where an intelligent approach for detecting insider attacker using Light Gradient Boosting Machine (LightGBM) applied, the cert r4.2 data set used to build and evaluate the model. The results showed the model’s ability to distinguish malicious events from data set in its original unbalanced state with accuracy 99.47%.