Anomaly Detection Based on Discrete Wavelet Transformation for Insider Threat Classification

Dong-Wook Kim 1, Gun-Yoon Shin 1 and Myung-Mook Han 2,*

1 Department of Computer Engineering, Gachon University, Seongnam-si, 13120, Korea
2 Department of AI Software, Gachon University, Seongnam-si, 13120, Korea
*Corresponding Author: Myung-Mook Han. Email: mmhan@gachon.ac.kr

Received: 21 July 2022; Accepted: 30 September 2022

Abstract: Unlike external attacks, insider threats arise from legitimate users who belong to the organization. These individuals may be a potential threat for hostile behavior depending on their motives. For insider detection, many intrusion detection systems learn and prevent known scenarios, but because malicious behavior has similar patterns to normal behavior, in reality, these systems can be evaded. Furthermore, because insider threats share a feature space similar to normal behavior, identifying them by detecting anomalies has limitations. This study proposes an improved anomaly detection methodology for insider threats that occur in cybersecurity in which a discrete wavelet transformation technique is applied to classify normal vs. malicious users. The discrete wavelet transformation technique easily discovers new patterns or decomposes synthesized data, making it possible to distinguish between shared characteristics. To verify the efficacy of the proposed methodology, experiments were conducted in which normal users and malicious users were classified based on insider threat scenarios provided in Carnegie Mellon University's Computer Emergency Response Team (CERT) dataset. The experimental results indicate that the proposed methodology with discrete wavelet transformation reduced the false-positive rate by 82% to 98% compared to the case with no wavelet applied. Thus, the proposed methodology has high potential for application to similar feature spaces.
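The abstract describes decomposing user activity with a discrete wavelet transform so that bursts of unusual behavior separate from a user's normal baseline. The following is an added illustration, not code from the paper, and it assumes the Haar wavelet (the paper does not name the wavelet family here) and a constructed per-day count series for two hypothetical users. A multi-level Haar DWT splits each series into a smooth approximation band and detail bands; the energy in the detail bands is used as a simple anomaly feature of the kind a downstream normal-vs-malicious classifier could consume.

```python
"""Haar discrete wavelet transform over a per-user daily activity series.

Added example (not from the paper). The input series below are constructed:
counts of a hypothetical user's after-hours logons per day over 8 days.
"""
import math

SQRT2 = math.sqrt(2)


def haar_dwt_level(signal):
    """One level of the orthonormal Haar DWT.

    approx[k] = (x[2k] + x[2k+1]) / sqrt(2)   -- local average (trend)
    detail[k] = (x[2k] - x[2k+1]) / sqrt(2)   -- local change (burstiness)
    Requires an even number of samples.
    """
    if len(signal) % 2:
        raise ValueError("Haar DWT needs an even number of samples")
    approx = [(signal[i] + signal[i + 1]) / SQRT2 for i in range(0, len(signal), 2)]
    detail = [(signal[i] - signal[i + 1]) / SQRT2 for i in range(0, len(signal), 2)]
    return approx, detail


def haar_dwt(signal, levels):
    """Multi-level Haar DWT: returns (final approximation, [detail per level])."""
    details = []
    approx = list(signal)
    for _ in range(levels):
        approx, detail = haar_dwt_level(approx)
        details.append(detail)
    return approx, details


def haar_idwt_level(approx, detail):
    """Inverse of haar_dwt_level; interleaves the reconstructed pairs."""
    out = []
    for a, d in zip(approx, detail):
        out.append((a + d) / SQRT2)
        out.append((a - d) / SQRT2)
    return out


def haar_idwt(approx, details):
    """Inverse of haar_dwt: undo the levels in reverse order."""
    for detail in reversed(details):
        approx = haar_idwt_level(approx, detail)
    return approx


def detail_energy(details):
    """Sum of squared detail coefficients across all levels.

    By Parseval's identity this equals the signal energy minus the energy of
    the final approximation, i.e. the part of the signal that is *not* trend.
    """
    return sum(c * c for level in details for c in level)


def score_users(series_by_user, levels=2):
    """Anomaly feature per user: detail-band energy of the user's series."""
    return {user: detail_energy(haar_dwt(series, levels)[1])
            for user, series in series_by_user.items()}


# Constructed sample data (hypothetical users, not CERT records):
# a steady user alternating 2/3 logons, and one with a two-day burst.
STEADY_USER = [2, 3, 2, 3, 2, 3, 2, 3]
BURST_USER = [2, 3, 2, 3, 2, 14, 12, 3]

if __name__ == "__main__":
    scores = score_users({"steady": STEADY_USER, "burst": BURST_USER})
    for user, score in scores.items():
        print(f"{user:7s} detail energy = {score:.2f}")
    approx, details = haar_dwt(BURST_USER, 2)
    print("burst approximation:", [round(a, 2) for a in approx])
    print("burst details      :", [[round(c, 2) for c in d] for d in details])
```

The steady user's alternating 2/3 pattern lands almost entirely in the approximation band, so its detail energy stays small (2.0), while the two-day burst concentrates in the level-1 detail coefficients and yields a score of 113.75 on the same scale. A real pipeline would compute this per feature (logons, file copies, e-mail volume and so on) and feed the coefficients to the classifier rather than thresholding a single number.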
Keywords: Anomaly detection; cybersecurity; discrete wavelet transformation; insider threat classification

1 Introduction

Cybersecurity threats in an organization can arise internally or externally. Although most defense systems focus on protecting resources against external attackers, many breaches of security data and privacy are caused by internal attackers. Internal attackers, such as employees and corporate partners who can legitimately connect to an organization's computer systems, pose a more lethal threat than external attackers [1]. Internal attackers have an understanding and knowledge of the organizational system and, unlike outsiders, they can possess all the necessary authorities and privileges to carry out a successful attack. These characteristics can make insider attacks look like normal tasks, which threatens the

This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Computer Systems Science & Engineering, DOI: 10.32604/csse.2023.034589