TY - JOUR
T1 - Machine learning-based network monitoring for cybersecurity threat detection
AU - Eshmawi, Ala’ Abdulmajid
AU - Al-Nowami, Amal
AU - Mirza, Manar
AU - Abu-Raya, Nada
AU - Al-Thabit, Rawa
AU - Shiaeles, Stavros
AU - Choi, Jin Ghoo
AU - Ashraf, Imran
N1 - Publisher Copyright:
© The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2025.
PY - 2025/11/14
Y1 - 2025/11/14
N2 - Cybersecurity has become an important task to safeguard digital assets. Timely detection of cybersecurity threats and an effective response are key to dealing with increasingly complex cyberattacks. Cyberattacks, particularly insider threats, have become a major threat to networks. Insider threat detection faces additional challenges, such as a lack of insider threat data to analyze properly. In addition, the inability of traditional approaches to distinguish between insider attacks and legitimate activity increases the likelihood that sensitive data and information can be misused by malicious insiders. To mitigate insider threats, this study utilizes multi-class machine learning models, including support vector machines (SVM), random forest (RF), K-nearest neighbors (KNN), deep neural network (DNN), and Naive Bayes (NB), to detect user-centered insider threats at various granularity levels. The CERT r5.2 dataset was used in this study to create a user context model for training the models in various experiments. To establish which models are optimal for detecting each insider threat at various granularity levels, the results of several models are compared based on various criteria. Most machine learning models provided satisfactory results, except for NB and KNN, which are primarily affected by imbalanced data. Therefore, oversampling techniques were utilized to improve the results. The proposed approach produced good results for the KNN, RF, DNN, and SVM models, with accuracies of 99.9%, 95.5%, 94%, and 90.5%, respectively.
AB - Cybersecurity has become an important task to safeguard digital assets. Timely detection of cybersecurity threats and an effective response are key to dealing with increasingly complex cyberattacks. Cyberattacks, particularly insider threats, have become a major threat to networks. Insider threat detection faces additional challenges, such as a lack of insider threat data to analyze properly. In addition, the inability of traditional approaches to distinguish between insider attacks and legitimate activity increases the likelihood that sensitive data and information can be misused by malicious insiders. To mitigate insider threats, this study utilizes multi-class machine learning models, including support vector machines (SVM), random forest (RF), K-nearest neighbors (KNN), deep neural network (DNN), and Naive Bayes (NB), to detect user-centered insider threats at various granularity levels. The CERT r5.2 dataset was used in this study to create a user context model for training the models in various experiments. To establish which models are optimal for detecting each insider threat at various granularity levels, the results of several models are compared based on various criteria. Most machine learning models provided satisfactory results, except for NB and KNN, which are primarily affected by imbalanced data. Therefore, oversampling techniques were utilized to improve the results. The proposed approach produced good results for the KNN, RF, DNN, and SVM models, with accuracies of 99.9%, 95.5%, 94%, and 90.5%, respectively.
KW - Cyber-security
KW - Deep learning
KW - Insider threat detection
KW - Machine learning
KW - Network anomaly detection
KW - Network monitoring
UR - https://www.scopus.com/pages/publications/105021799509
U2 - 10.1007/s10922-025-10001-w
DO - 10.1007/s10922-025-10001-w
M3 - Article
AN - SCOPUS:105021799509
SN - 1064-7570
VL - 34
JO - Journal of Network and Systems Management
JF - Journal of Network and Systems Management
IS - 1
M1 - 27
ER -