Article
Peer-Review Record

Insider Threat Detection Model Enhancement Using Hybrid Algorithms between Unsupervised and Supervised Learning

Electronics 2024, 13(5), 973; https://doi.org/10.3390/electronics13050973
by Junkai Yi and Yongbo Tian *
Reviewer 1: Anonymous
Reviewer 2:
Reviewer 3: Anonymous
Submission received: 19 January 2024 / Revised: 22 February 2024 / Accepted: 1 March 2024 / Published: 3 March 2024
(This article belongs to the Special Issue Recent Advances and Applications of Computational Intelligence)

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The author proposes a methodology to leverage unsupervised outlier scores to enhance supervised insider threat detection by integrating the advantages of supervised and unsupervised learning methods and using multiple unsupervised outlier mining algorithms to extract from the underlying data. Using only 20% of the computing budget, the methodology achieved an accuracy of 86.12%. Compared with other abnormal detection methods, the accuracy increased by up to 12.5% under the same computing budget.

Major comments:

1. Although the authors claim an improvement of abnormal detection by 12.5%, the same should be highlighted in the results table, which is missing.
2. What is the platform of experimentation where the models are inferring? Based on the platform, it can be concluded whether the 20% resource budget is justifiable.
3. Since the authors execute the three unsupervised algorithms, namely kNN, LOF and isolation forest, followed by a supervised algorithm, we can conclude that it is a kind of semi-supervised approach. In this case, again based on the deployment platform, it is expected to have a complexity analysis of the same to decide on the possible deployment platform.
4. What are points "o" and "p" in equation (5), and how did the author map their data points to these parameters in the experiment? A clear explanation is needed.
5. Based on lines 243 to 266, a clearer explanation is needed as to how the authors decide upon a majority decision based on the outcome of individual predictions upon an anomaly using the outlier scoring functions to construct a transformation function matrix.
6. In line 261, what is the threshold error value to decide the safe zone of not succumbing to the overfitting stage?
7. How do you plan to make the detection model scalable, since insider threat detection is based upon organisational strength, which is variable?

Minor comments:

1. Is it possible to show months under time granularity (Tables 1 and 2)? Assuming a situation where an intrusion happened and has been detected after a week, how can it be handled?
2. Expecting quantitative comparison with some closely related pieces of literature solving similar kinds of problems.
3. Can we not use a SOTA data augmentation technique to solve the inherent data imbalance problem in the outlier detection dataset?
4. The introduction section needs some more related literature that tried to solve this kind of insider threat detection problem, and what the existing problems with their approaches are.

Overall, the paper is well experimented, but the presentation needs improvement.

Comments on the Quality of English Language

Minor editing of English language required
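The reviewer's comments 3 and 5 above concern how per-detector outlier scores (kNN, LOF, isolation forest) are turned into individual predictions, combined by majority vote, and appended to the feature matrix that the supervised stage consumes. The following is an added illustration of that pipeline shape and is not code from the paper under review: it uses the kNN and LOF scorers the review names, substitutes a distance-to-median-centroid scorer for isolation forest to stay within the standard library, and assumes a "score above three times the median score" decision rule for each detector, since the paper's own thresholds are not stated on this page. The user activity rows are constructed sample data.

```python
import math
from statistics import median

# Constructed sample: per-user weekly activity features
# (logon_count, after_hours_logons, files_to_removable_media).
# Eight ordinary users plus one user (index 8) placed deliberately far from the rest.
USERS = [
    (8, 0, 1), (9, 1, 0), (7, 0, 2), (8, 1, 1),
    (10, 0, 1), (9, 0, 2), (7, 1, 0), (8, 0, 0),
    (30, 12, 40),
]
K = 3  # neighbourhood size for the kNN and LOF scorers (assumed)


def dist(a, b):
    """Euclidean distance between two feature vectors."""
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def neighbours(points, i, k):
    """(distance, index) of the k nearest other points to points[i], ties broken by index."""
    others = sorted((dist(points[i], points[j]), j) for j in range(len(points)) if j != i)
    return others[:k]


def knn_scores(points, k=K):
    """Mean distance to the k nearest neighbours; isolated points score high."""
    return [sum(d for d, _ in neighbours(points, i, k)) / k for i in range(len(points))]


def lof_scores(points, k=K):
    """Local Outlier Factor, simplified to exactly k neighbours per point."""
    n = len(points)
    nbrs = [neighbours(points, i, k) for i in range(n)]
    kdist = [nbrs[i][-1][0] for i in range(n)]  # distance to the k-th neighbour

    def reach(i, j):  # reachability distance of point i with respect to point j
        return max(kdist[j], dist(points[i], points[j]))

    # local reachability density = 1 / (mean reachability distance to the neighbours)
    lrd = [k / sum(reach(i, j) for _, j in nbrs[i]) for i in range(n)]
    # LOF = mean neighbour density / own density; about 1 inside a cluster, large for outliers
    return [sum(lrd[j] for _, j in nbrs[i]) / k / lrd[i] for i in range(n)]


def centroid_distance_scores(points):
    """Distance to the component-wise median; stands in for isolation forest here."""
    centre = tuple(median(col) for col in zip(*points))
    return [dist(p, centre) for p in points]


def flag(scores, factor=3.0):
    """One detector's binary prediction: score above factor x median score (assumed rule)."""
    cut = factor * median(scores)
    return [s > cut for s in scores]


def hybrid_features(points, k=K):
    """Return (augmented feature rows, majority-vote anomaly flags).

    Each augmented row is the original features followed by one column per
    unsupervised score, which is the matrix a supervised model would then train on.
    """
    scorers = [knn_scores(points, k), lof_scores(points, k), centroid_distance_scores(points)]
    votes = [flag(s) for s in scorers]
    majority = [sum(v[i] for v in votes) > len(scorers) / 2 for i in range(len(points))]
    augmented = [tuple(points[i]) + tuple(s[i] for s in scorers) for i in range(len(points))]
    return augmented, majority


if __name__ == "__main__":
    rows, flagged = hybrid_features(USERS)
    for i, (row, is_anom) in enumerate(zip(rows, flagged)):
        print(i, [round(x, 2) for x in row], "ANOMALY" if is_anom else "normal")
```

Running the block prints one augmented row per user; only user 8 receives a majority of detector votes. Note that the median-based cut-off works here because anomalies are a small minority; with a larger fraction of anomalous rows the median itself shifts, which is the kind of threshold question the reviewer raises in comment 6.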

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 2 Report

Comments and Suggestions for Authors

I send an attach with my review and what can be improved.

Comments for author File: Comments.docx

Comments on the Quality of English Language

The English is good!

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 3 Report

Comments and Suggestions for Authors

The paper under discussion focuses on using a machine-learning model to detect insider threats, using a combination of supervised and unsupervised learning methods. While the idea is interesting, there are several issues that need to be addressed before it can be published and accepted.

Firstly, the authors need to clearly highlight the contribution of their work in comparison to similar works in the literature. This means identifying the gaps in the literature and explaining why their method is more effective.

Secondly, the paper claims that their algorithm uses fewer resources and is more cost-effective than existing mechanisms. However, the authors do not present any comparisons in terms of resource usage, such as CPU time, memory usage, or other relevant metrics.

Thirdly, the introduction section's second contribution only discusses the method used, without explaining the impacts or the reason for its incorporation.

Finally, the results section shows comparisons with other algorithms, but the authors did not mention whether they are used in existing works. If not, then the authors should compare with existing literature.

Minor issues:

- Lines 35-36: who proposed this approach? Are you referring to your current paper?
- Lines 102-105: what motivated this extension?
- Did you use any other feature reduction techniques?
- Line 139: is it clustered and normal or abnormal points?
- Lines 272-274 mention that XGBoost does not perform well for imbalanced datasets, yet you ended up using it. Why?
- What does percentage of data represent in the tables?
- Did you measure Precision and Recall?

Comments on the Quality of English Language

The paper needs proofreading and editing by a native speaker or professional authorities. There are also some repetitions throughout the paper, e.g., Line 1 abstract and Line 1 introduction, Line 141-143, etc. 

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

Having reviewed this, I found that the authors have addressed the concerns I raised earlier in the revised version and the rebuttal.

Reviewer 3 Report

Comments and Suggestions for Authors

The quality of the paper has improved after the revision and I am happy to recommend it for publication. 
