🤖 AI Summary
Internal threat detection is highly challenging due to the stealthy nature of malicious insider behaviors. This paper proposes a posterior double-graph fusion framework that jointly models explicit (rule-driven) and implicit (Gumbel-Softmax differentiable learning-generated) graph structures. It employs Graph Convolutional Networks (GCNs) to extract structural features, Bidirectional LSTMs (Bi-LSTMs) to capture temporal dynamics of user behavior, and an attention-enhanced cross-graph embedding fusion mechanism to improve discriminative capability. The approach effectively mitigates noise from handcrafted graph construction and enables fine-grained anomaly identification. Evaluated on CERT r5.2 and r6.2 datasets, it achieves AUC scores of 98.62% and 88.48%, detection rates of 100% and 80.15%, and false positive rates as low as 0.05% and 0.15%, respectively—significantly outperforming state-of-the-art methods.
📝 Abstract
Insider threat detection (ITD) is challenging due to the subtle and concealed nature of malicious activities performed by trusted users. This paper proposes a post-hoc ITD framework that integrates explicit and implicit graph representations with temporal modelling to capture complex user behaviour patterns. An explicit graph is constructed using predefined organisational rules to model direct relationships among user activities. To mitigate noise and limitations in this hand-crafted structure, an implicit graph is learned from feature similarities using the Gumbel-Softmax trick, enabling the discovery of latent behavioural relationships. Separate Graph Convolutional Networks (GCNs) process the explicit and implicit graphs to generate node embeddings, which are concatenated and refined through an attention mechanism to emphasise threat-relevant features. The refined representations are then passed to a bidirectional Long Short-Term Memory (Bi-LSTM) network to capture temporal dependencies in user behaviour. Activities are flagged as anomalous when their probability scores fall below a predefined threshold. Extensive experiments on CERT r5.2 and r6.2 datasets demonstrate that the proposed framework outperforms state-of-the-art methods. On r5.2, the model achieves an AUC of 98.62, a detection rate of 100%, and a false positive rate of 0.05. On the more challenging r6.2 dataset, it attains an AUC of 88.48, a detection rate of 80.15%, and a false positive rate of 0.15, highlighting the effectiveness of combining graph-based and temporal representations for robust ITD.