Keywords = LSTM

An LSTM-DBSCAN Approach for Interpretable Insider Threat Detection via Behavioural Anomaly Analysis

Articles in Press, Accepted Manuscript, Available Online from 22 February 2026

https://doi.org/10.22042/isecure.2026.241277

Mohammad Mohammadi, Moein Bannaye Zahmati, Morteza Noferesti

Abstract Insider threats pose a significant cybersecurity risk, as authorised users can exploit legitimate access to compromise sensitive systems and data. This paper proposes an integrated behavioural anomaly detection approach to address three critical challenges in AI-driven insider threat detection: lack of interpretability, misleading evaluation metrics, and misalignment with operational taxonomies. Our approach employs a three-stage pipeline: (1) an LSTM autoencoder to detect temporal anomalies in login patterns, (2) DBSCAN clustering to identify suspicious file access and device usage during anomalous sessions, and (3) DBSCAN-based URL analysis to uncover exfiltration patterns. By analysing behaviour across time, location, and web activity, this framework builds actionable threat chains mapped to MITRE ATT&CK techniques, including T1078, T1005, T1204.002, and T1567.002. It bridges the gap between theoretical models and the daily work of a Security Operations Center (SOC). In the data exfiltration scenario on the CERT R6.2 insider threat dataset, the proposed approach achieved a recall of 83.3% and an accuracy of 91.7% in classifying malicious days. The framework also provides interpretable alerts and maintains operational efficiency.
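The stage-2 clustering step described in this abstract, as an added example that is not the authors' code: a plain DBSCAN over per-session file-access and removable-device counts, with the sessions that fall out as noise turned into alerts tagged with technique IDs from the abstract. The session data, the `eps` and `min_pts` choices, and the assumption that stage 1 has already narrowed the input to login-anomalous sessions are all constructed for the example; the paper's own feature set and thresholds are not given on this page.

```python
"""DBSCAN over per-session behavioural features (constructed example, not the paper's code).

Stage 1 (the LSTM autoencoder over login patterns) is assumed to have already
selected the sessions below; only stage 2, the DBSCAN step, is shown. Sessions that
DBSCAN labels as noise become alerts carrying ATT&CK technique IDs named in the
abstract. Feature values, eps and min_pts are invented for the example.
"""
from math import dist
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed per-session features: (user, files_accessed, removable_device_events).
# Both features are small counts on a comparable scale, so no standardisation is
# applied here; with mixed-scale features, standardise before clustering, since
# DBSCAN's eps is a raw Euclidean distance.
ANOMALOUS_SESSIONS: List[Tuple[str, float, float]] = [
    ("u01", 3, 0), ("u02", 2, 0), ("u03", 4, 1), ("u04", 3, 1), ("u05", 5, 0),
    ("u06", 2, 1), ("u07", 4, 0), ("u08", 1, 0), ("u09", 6, 1), ("u10", 3, 0),
    ("u11", 48, 4),   # bulk file access plus repeated removable-device use
    ("u12", 31, 3),   # a second outlier, also far from u11
]


def dbscan(points: Sequence[Sequence[float]], eps: float, min_pts: int) -> List[int]:
    """Textbook DBSCAN. Returns one label per point: a cluster id >= 0, or -1 for noise.

    min_pts counts the point itself, as in the original formulation.
    """
    n = len(points)
    labels: List[Optional[int]] = [None] * n

    def region(i: int) -> List[int]:
        # Indices of all points within eps of point i (including i itself).
        return [j for j in range(n) if dist(points[i], points[j]) <= eps]

    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        seeds = region(i)
        if len(seeds) < min_pts:
            labels[i] = -1          # provisional noise; may become a border point later
            continue
        labels[i] = cluster
        stack = [j for j in seeds if j != i]
        while stack:
            j = stack.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
                continue
            if labels[j] is not None:
                continue
            labels[j] = cluster
            neighbours = region(j)
            if len(neighbours) >= min_pts:
                # j is a core point: keep expanding through its neighbourhood
                stack.extend(k for k in neighbours if labels[k] is None or labels[k] == -1)
        cluster += 1
    return [lab if lab is not None else -1 for lab in labels]


def build_alerts(sessions: Sequence[Tuple[str, float, float]],
                 eps: float = 3.0, min_pts: int = 3) -> List[Dict[str, object]]:
    """Turn DBSCAN noise points into SOC alerts carrying an ATT&CK threat chain."""
    labels = dbscan([[files, devices] for _, files, devices in sessions], eps, min_pts)
    alerts: List[Dict[str, object]] = []
    for (user, files, devices), label in zip(sessions, labels):
        if label != -1:
            continue
        alerts.append({
            "user": user,
            "files_accessed": files,
            "device_events": devices,
            # Assumed chain: stage-1 login anomaly (T1078, Valid Accounts) followed by
            # a file-access outlier (T1005, Data from Local System). T1567.002 would be
            # appended only if the URL stage (not shown here) flags a cloud-storage upload.
            "techniques": ["T1078", "T1005"],
            "reason": (f"DBSCAN noise point (eps={eps}, min_pts={min_pts}) among "
                       f"{len(sessions)} login-anomalous sessions"),
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(ANOMALOUS_SESSIONS):
        print(alert)
```

With these constructed values the ten ordinary sessions form a single cluster and u11 and u12 are reported as noise; the two outliers are too far apart to form a cluster of their own, which is the situation DBSCAN's `min_pts` is meant to catch. The check a practitioner would add before trusting such alerts is to confirm that `eps` was chosen on a clean baseline period rather than on the sessions being scored.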

ProAPT: Projection of APTs with Deep Reinforcement Learning

Volume 17, Issue 1, January 2025, Pages 25-41

https://doi.org/10.22042/isecure.2024.428569.1052

Motahareh Dehghan, Babak Sadeghiyan, Erfan Khosravian, Alireza Sedighi Moghadam, Farshid Nooshi

Abstract The highest level in Endsley's situation awareness model is called projection, in which the status of elements in the environment is predicted for the near future. In cybersecurity situation awareness, projection for an Advanced Persistent Threat (APT) requires predicting the next step of the APT.
Threats are constantly changing and becoming more complex. As supervised and unsupervised learning methods require APT datasets for projecting the next step of APTs, they cannot identify unknown APT threats.
In reinforcement learning methods, the agent interacts with the environment, which might project the next step of known and unknown APTs. So far, reinforcement learning has not been used to project the next step of APTs.
In reinforcement learning, the agent uses the previous states and actions to approximate the best action for the current state. When the number of states and actions is large, the agent employs a neural network to approximate the best action for each state.
This paper presents a deep reinforcement learning system to project the next step of APTs. As there is some relation between attack steps, we employ the Long Short Term Memory method to approximate the best action for each state. In our proposed system, based on the current situation, we project the next steps of APT threats.
We evaluated our proposed system on the DAPT2020 dataset. Based on the evaluations performed on that dataset, six criteria (F1, accuracy, precision, recall, loss, and average time) were obtained: 0.9533, 0.9736, 0.9352, 0.97, 0.0143, and 0.05749 seconds, respectively.

Human Activity Recognition Based on Multi-Sensors in a Smart Home Using Deep Learning

Volume 13, Issue 3, November 2021, Pages 69-78

https://doi.org/10.22042/isecure.2021.13.3.0

Musbah Aqel, Munsif Sokiyna

Abstract Tracking or caring for elderly people who live alone is a very challenging area. Most aged people suffer from health issues such as Alzheimer's disease, diabetes, and hypertension, so if any abnormal activity or emergency situation occurs while they live alone, there is no one around them to offer support; one of the best choices for caring for mature people is therefore to focus on smart home technology. One of the essential keys to expanding smart home technology is monitoring, detecting, and recognising human activities, known as Ambient Assisted Living (AAL) applications. Nowadays our world focuses heavily on smart systems, because a smart system can learn the residents' habits and, if it finds any problem or abnormal event, can take automated decisions for the residents: for example, by learning the cooking time, the system can prepare the oven, and by learning the spare time the resident spends watching television, the system can prepare the TV and set it to the resident's favourite channel. To do this, new and established machine learning and deep learning approaches need to be evaluated, with the system focusing on real data sets. So, this study presents machine learning to analyse activities of daily living (ADL) in smart home environments. The data sets were collected from a set of binary sensors installed in two houses. This study used public data sets for detecting and recognising human activities; the data sets were tested with machine learning classification, in particular Support Vector Machines (SVM), applied as the traditional neural network, a one-dimensional Convolutional Neural Network (1D-CNN) for deep learning, and Long Short-Term Memory (LSTM) as a Recurrent Neural Network (RNN).
A sliding window (windowing) was also used in the preprocessing phase. The study concludes that all the algorithms used can detect some activities perfectly, but on the other hand they cannot predict all activities perfectly, especially those that take a short time; the main reason for this is imbalanced data.
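The windowing step and the class-imbalance caveat mentioned in this abstract, as an added illustration rather than the authors' code: a constructed binary-sensor stream is cut into fixed-size, majority-labelled windows, and the resulting label counts show that a three-second activity gets no windows of its own at the larger window size while the long activities dominate the training set. The sensor layout, activity durations and window parameters are all invented for the example.

```python
"""Sliding-window labelling over a binary-sensor stream (constructed example).

Shows why activities that last only a few samples lose their label when each
window is tagged with its majority activity: they are outvoted by the long
activities on either side of them. Sensor stream and labels are invented here.
"""
from collections import Counter
from typing import List, Tuple

Sample = Tuple[Tuple[int, int, int], str]   # ((bed, door, motion) bits, activity label)


def make_stream() -> List[Sample]:
    """One sample per second from three binary sensors; 'leave_home' lasts only 3 s."""
    stream: List[Sample] = []
    stream += [((1, 0, 0), "sleep")] * 60        # bed pressure sensor only
    stream += [((0, 1, 0), "leave_home")] * 3    # front-door contact only
    stream += [((0, 1, 1), "cook")] * 30         # door still open plus motion
    stream += [((0, 0, 1), "watch_tv")] * 40     # motion only
    return stream


def windows(stream: List[Sample], size: int, step: int) -> List[Tuple[List[Tuple[int, int, int]], str]]:
    """Fixed-size windows with majority-vote labels, as done in preprocessing."""
    out = []
    for start in range(0, len(stream) - size + 1, step):
        chunk = stream[start:start + size]
        feats = [bits for bits, _ in chunk]
        # Majority vote over the samples in the window; a tie resolves to the label
        # that appears first, which already signals the window straddles a boundary.
        label = Counter(lab for _, lab in chunk).most_common(1)[0][0]
        out.append((feats, label))
    return out


def label_counts(stream: List[Sample], size: int, step: int) -> Counter:
    """How many training windows each activity ends up with after windowing."""
    return Counter(label for _, label in windows(stream, size, step))


if __name__ == "__main__":
    s = make_stream()
    print("size=10 step=5:", dict(label_counts(s, 10, 5)))   # leave_home gets no windows
    print("size=3  step=1:", dict(label_counts(s, 3, 1)))    # leave_home gets 3 windows
```

At `size=10, step=5` the 3-second `leave_home` activity is absorbed into the neighbouring `sleep` and `cook` windows and disappears from the label set entirely, so no classifier trained on those windows can learn it; at `size=3, step=1` it survives, but with 3 windows against 59 for `sleep`, which is the imbalance the abstract points to.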

Anomaly-Based Network Intrusion Detection Using Bidirectional Long Short Term Memory and Convolutional Neural Network

Volume 12, Issue 3, November 2020, Pages 37-44

https://doi.org/10.22042/isecure.2021.271076.624

Isra Al-Turaiki, Najwa Altwaijry, Abeer Agil, Haya Aljodhi, Sara Alharbi, Lina Alqassem

Abstract With present-day technological advancements, the number of devices connected to the Internet has increased dramatically. Cybersecurity attacks are increasingly becoming a threat to individuals and organizations. Contemporary security frameworks incorporate Network Intrusion Detection Systems (NIDS). These systems are an essential component for ensuring the security of computer networks against attacks. In this paper, two deep learning architectures are proposed for both binary and multi-class classification of network attacks. The models, CNN-IDS and LSTM-IDS, are based on Convolutional Neural Network and Long Short Term Memory architectures, respectively. The models are evaluated using the well-known NSL-KDD dataset. The performance is measured in terms of accuracy, precision, recall, and F-measure. Experimental results show that the models achieve good performance in terms of accuracy and recall. Network intrusion detection systems are an integral part of contemporary networks. They provide administrators with an early warning for known and unknown attacks. In this paper, two deep learning architectures to aid administrators in detecting network attacks are outlined.