Citation
Palaniappan, Sellappan and Logeswaran, Rajasvaran and Khanam, Shapla (2025) Anomaly Detection in Network Traffic for Insider Threat Identification: A Comparative Study of Unsupervised and Supervised Machine Learning Approaches. Journal of Informatics and Web Engineering, 4 (2). pp. 145-157. ISSN 2821-370X
Abstract
Insider threats pose a significant and growing risk to organizational cybersecurity, with recent studies indicating a 47% increase in insider incidents from 2018 to 2022. This paper presents a comparative analysis of unsupervised and supervised machine learning approaches for detecting potential insider threats through network traffic anomaly identification. We develop and evaluate an Isolation Forest (unsupervised) and a Random Forest (supervised) model, training them on a simulated dataset representing six months of network logs from a mid-sized company. Our study introduces a unique feature set combining traditional network metrics with temporal and behavioural indicators, enhancing the models' detection capabilities. Results show that the Random Forest classifier outperforms the Isolation Forest, with F1-scores of 0.6425 and 0.4624, respectively. However, the unsupervised approach shows promise in scenarios lacking labelled data. Key findings reveal that increased connection frequency and data transfer volume are critical indicators of potential threats, with temporal patterns also playing a significant role. This study provides valuable insights into the strengths and limitations of each approach, offering practical implications for real-world digital forensics investigations. We contribute to the field by proposing a hybrid approach that leverages the strengths of both methods, potentially improving the accuracy and adaptability of insider threat detection systems. These findings pave the way for more robust, context-aware cybersecurity measures in the digital age.
Keywords: Insider Threat Detection, Network Security, Machine Learning, Anomaly Detection, Digital Forensics
Received: 29 August 2024; Accepted: 28 December 2024; Published: 16 June 2025
This is an open access article under the CC BY-NC-ND 4.0 license.
1. INTRODUCTION
Cybersecurity threats come from both within and without organizations. Unlike external attacks, insider threats originate from within the organization's network, which makes detection more challenging because insiders have legitimate access to corporate resources. According to the 2023 Insider Threat Report by Cybersecurity Insiders, 74% of organizations feel vulnerable to insider threats, with 39% reporting an increase in insider incidents over the past 12
| Item Type | Article |
|---|---|
| Uncontrolled Keywords | Machine learning, anomaly detection |
| Subjects | Q Science > Q Science (General) > Q300-390 Cybernetics |
| Depositing User | Ms Rosnani Abd Wahab |
| Date Deposited | 25 Jun 2025 08:10 |
| Last Modified | 25 Jun 2025 08:10 |
| URI | http://shdl.mmu.edu.my/id/eprint/14013 |