Insider Threat Detection Using GCN and Bi-LSTM with Explicit and Implicit Graph Representations

📅 2025-12-20
📈 Citations: 0
Influential: 0
📄 PDF

career value

231K/year
🤖 AI Summary
Internal threat detection is highly challenging due to the stealthy nature of malicious insider behaviors. This paper proposes a posterior double-graph fusion framework that jointly models explicit (rule-driven) and implicit (Gumbel-Softmax differentiable learning-generated) graph structures. It employs Graph Convolutional Networks (GCNs) to extract structural features, Bidirectional LSTMs (Bi-LSTMs) to capture temporal dynamics of user behavior, and an attention-enhanced cross-graph embedding fusion mechanism to improve discriminative capability. The approach effectively mitigates noise from handcrafted graph construction and enables fine-grained anomaly identification. Evaluated on CERT r5.2 and r6.2 datasets, it achieves AUC scores of 98.62% and 88.48%, detection rates of 100% and 80.15%, and false positive rates as low as 0.05% and 0.15%, respectively—significantly outperforming state-of-the-art methods.

Technology Category

Application Category

📝 Abstract
Insider threat detection (ITD) is challenging due to the subtle and concealed nature of malicious activities performed by trusted users. This paper proposes a post-hoc ITD framework that integrates explicit and implicit graph representations with temporal modelling to capture complex user behaviour patterns. An explicit graph is constructed using predefined organisational rules to model direct relationships among user activities. To mitigate noise and limitations in this hand-crafted structure, an implicit graph is learned from feature similarities using the Gumbel-Softmax trick, enabling the discovery of latent behavioural relationships. Separate Graph Convolutional Networks (GCNs) process the explicit and implicit graphs to generate node embeddings, which are concatenated and refined through an attention mechanism to emphasise threat-relevant features. The refined representations are then passed to a bidirectional Long Short-Term Memory (Bi-LSTM) network to capture temporal dependencies in user behaviour. Activities are flagged as anomalous when their probability scores fall below a predefined threshold. Extensive experiments on CERT r5.2 and r6.2 datasets demonstrate that the proposed framework outperforms state-of-the-art methods. On r5.2, the model achieves an AUC of 98.62, a detection rate of 100%, and a false positive rate of 0.05. On the more challenging r6.2 dataset, it attains an AUC of 88.48, a detection rate of 80.15%, and a false positive rate of 0.15, highlighting the effectiveness of combining graph-based and temporal representations for robust ITD.
Problem

Research questions and friction points this paper is trying to address.

Detects insider threats by modeling user behavior with explicit and implicit graphs.
Integrates graph representations with temporal modeling to capture complex activity patterns.
Addresses subtle malicious activities by trusted users using GCN and Bi-LSTM networks.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Combines explicit and implicit graph representations for user behavior modeling.
Uses GCN and attention mechanism to refine threat-relevant node embeddings.
Integrates Bi-LSTM to capture temporal dependencies in user activities.
🔎 Similar Papers
No similar papers found.
R
Rahul Yumlembam
School of Computer Science, Northumbria University, Newcastle, UK
Biju Issac
Biju Issac
Leidos Biomedical Research Inc.
BioinformaticsInfectious diseasesVirusCancer
S
Seibu Mary Jacob
School of Computing, Engineering & Digital Technologies, Teesside University, Middlesbrough, UK
L
Longzhi Yang
School of Computer Science, Northumbria University, Newcastle, UK
D
Deepa Krishnan
Mukesh Patel School of Technology, Management, and Engineering, NMIMS University, India