REINFORCEMENT LEARNING APPROACH TO INSIDER THREAT DETECTION AND MITIGATION
Inventors
Fatima HUSSAIN, Moussa NOUN, Jean-Pierre MALHERBE
Abstract
Insider threats to a company can be detected and possibly mitigated by receiving employee activity data comprising one or more activities or alerts, each associated with a respective employee of a plurality of employees. The activities or alerts can be applied to a respective Markov model transition matrix to determine a next possible action of the employee. The one or more activities or alerts for the employee may also be applied to a reinforcement learning model to predict an employee risk that the employee may be an insider threat. Based on at least one of the determined next possible action and the predicted employee risk, threat mitigation controls, such as monitoring or controlling employee access to systems, can be adjusted.
Filing Date
2025-09-12
Application No.
19327319