Log2Sig: Frequency-Aware Insider Threat Detection via Multivariate Behavioral Signal Decomposition

📅 2025-08-06
🤖 AI Summary
Existing insider threat detection methods model logs as flat event sequences, failing to capture the dynamic frequency patterns of user behavior and multi-scale interference structures, thereby limiting their ability to identify stealthy malicious activities. To address this, we propose a multivariate behavioral frequency modeling framework: (1) we introduce Multivariate Variational Mode Decomposition (MVMD) for the first time to extract multi-scale behavioral perturbation features from log sequences; (2) we jointly encode temporal dynamics via Mamba-based sequence modeling and spectral characteristics via MVMD components; and (3) we fuse these dual-domain representations through linear projection and feed them into an MLP for final detection. Evaluated on the CERT r4.2 and r5.2 benchmarks, our method significantly outperforms state-of-the-art approaches, achieving absolute improvements of 3.2–5.8% in accuracy and 4.1–6.3% in F1-score. This demonstrates the effectiveness and novelty of multi-scale frequency-aware modeling for insider threat detection.

📝 Abstract
Insider threat detection presents a significant challenge due to the deceptive nature of malicious behaviors, which often resemble legitimate user operations. However, existing approaches typically model system logs as flat event sequences, thereby failing to capture the inherent frequency dynamics and multiscale disturbance patterns embedded in user behavior. To address these limitations, we propose Log2Sig, a robust anomaly detection framework that transforms user logs into multivariate behavioral frequency signals, introducing a novel representation of user behavior. Log2Sig employs Multivariate Variational Mode Decomposition (MVMD) to extract Intrinsic Mode Functions (IMFs), which reveal behavioral fluctuations across multiple temporal scales. Based on this, the model further performs joint modeling of behavioral sequences and frequency-decomposed signals: the daily behavior sequences are encoded using a Mamba-based temporal encoder to capture long-term dependencies, while the corresponding frequency components are linearly projected to match the encoder's output dimension. These dual-view representations are then fused to construct a comprehensive user behavior profile, which is fed into a multilayer perceptron for precise anomaly detection. Experimental results on the CERT r4.2 and r5.2 datasets demonstrate that Log2Sig significantly outperforms state-of-the-art baselines in both accuracy and F1 score.
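
The log-to-signal idea in the abstract, as an added example that is not code from the paper or its authors: constructed log lines become a per-user, per-day multivariate count signal, and a plain DFT (a stand-in, not MVMD) shows how a weekday routine and a one-off burst separate in the frequency domain. The three channels, the `date,user,channel` line layout and every function name are assumptions.

```python
import cmath
from collections import defaultdict
from datetime import date, datetime, timedelta

CHANNELS = ("logon", "device", "http")   # assumed activity channels
START = date(2010, 1, 4)                 # a Monday; start of the observation window

def make_sample_logs(days=28):
    """Constructed lines 'date,user,channel': weekday routine plus one USB burst."""
    rows = []
    for d in range(days):
        ts = f"{START + timedelta(days=d):%m/%d/%Y} 08:00:00"
        if d % 7 < 5:                    # Monday to Friday
            rows += [f"{ts},U1,logon"] * 3 + [f"{ts},U1,http"] * 10
        if d == 20:                      # one-off disturbance on a Sunday
            rows += [f"{ts},U1,device"] * 5
    return rows

def logs_to_signal(rows, user, start, days):
    """Return {channel: [count for each day]}; days without events are zeros."""
    counts = defaultdict(int)
    for row in rows:
        ts, who, channel = row.split(",")
        offset = (datetime.strptime(ts, "%m/%d/%Y %H:%M:%S").date() - start).days
        if who == user and channel in CHANNELS and 0 <= offset < days:
            counts[(offset, channel)] += 1
    return {c: [counts[(i, c)] for i in range(days)] for c in CHANNELS}

def spectrum(x):
    """Magnitudes of DFT bins 1..N/2 after mean removal (plain DFT, not MVMD)."""
    n, mean = len(x), sum(x) / len(x)
    return [abs(sum((v - mean) * cmath.exp(-2j * cmath.pi * k * t / n)
                    for t, v in enumerate(x))) for k in range(1, n // 2 + 1)]

def dominant_period(x):
    """Period in days of the strongest spectral bin."""
    mags = spectrum(x)
    return len(x) / (mags.index(max(mags)) + 1)

def peak_ratio(x):
    """Max over mean magnitude: high for a rhythm, about 1 for a lone burst."""
    mags = spectrum(x)
    mean = sum(mags) / len(mags)
    return max(mags) / mean if mean else 0.0

if __name__ == "__main__":
    signal = logs_to_signal(make_sample_logs(), "U1", START, 28)
    for channel in CHANNELS:
        print(channel, signal[channel], round(peak_ratio(signal[channel]), 2))
```

The routine channels concentrate their energy at a 7-day period, while the single device burst spreads evenly across all bins, which is the kind of structure a flat event sequence does not expose.
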
Problem

Research questions and friction points this paper is trying to address.

Detects insider threats from deceptive user behaviors
Captures frequency dynamics in user behavior logs
Models multiscale disturbance patterns for anomaly detection
Innovation

Methods, ideas, or system contributions that make the work stand out.

Transforms logs into multivariate behavioral frequency signals
Employs Multivariate Variational Mode Decomposition for signal analysis
Fuses dual-view representations with Mamba-based temporal encoding

Kaichuan Kong
College of Cyber Security, Jinan University, Guangzhou, China
Dongjie Liu
College of Cyber Security, Jinan University, Guangzhou, China
Xiaobo Jin
School of Advanced Technology, Xi’an Jiaotong-Liverpool University, Suzhou, China
Zhiying Li
Jinan University
Computer Vision, Low-quality Image Analysis, AI Security
Guanggang Geng
Jinan University
adversarial information retrieval, machine learning, statistical ranking