<p>Insider threats remain among the most critical challenges in cybersecurity, as malicious or compromised employees can bypass traditional defences and cause disproportionate damage to organizations. Detecting such threats is difficult because anomalous behaviour is often subtle, context-dependent, and concealed within vast volumes of normal user activity. Conventional anomaly detection techniques suffer from high false positive rates and limited ability to capture both temporal and relational patterns of behavior, which constrains their operational utility in Security Operations Centers (SOCs). This study presents a hybrid User and Entity Behavior Analytics framework that integrates Transformer-based sequence modeling with graph neural networks (GNNs) to simultaneously capture temporal workflows and relational dependencies. Using the CERT Insider Threat Dataset, raw multi-source logs are sessionized and transformed into dense event representations combining categorical actions, resource identifiers, and normalized numerical attributes. A Transformer encoder models long-range event dependencies, while a GNN encodes user–resource interactions, their outputs are fused and evaluated via anomaly scoring, with explainability mechanisms providing interpretable SOC alerts. Experimental evaluation demonstrates that the proposed model achieves 97.9% accuracy, 0.88 F1-score, and 0.99 AUC, reducing false positives to 11 per 1000 sessions and lowering detection latency to 1.9&#xa0;h. These results establish that fusing sequential and relational perspectives yields a robust, accurate, and interpretable solution for insider threat detection in enterprise environments.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Attention-driven fusion of sequential and graph neural models for insider threat detection in UEBA

  • Arjun Kidavunil Paduvilan,
  • Shanmugavel Anantha Babu,
  • Janarthanan Sekar,
  • Arun Kumar Elengovan,
  • Nandagopal Seshagiri,
  • Kaushik Jangiti,
  • Arun Kumar Selvam

摘要

Insider threats remain among the most critical challenges in cybersecurity, as malicious or compromised employees can bypass traditional defences and cause disproportionate damage to organizations. Detecting such threats is difficult because anomalous behaviour is often subtle, context-dependent, and concealed within vast volumes of normal user activity. Conventional anomaly detection techniques suffer from high false positive rates and limited ability to capture both temporal and relational patterns of behavior, which constrains their operational utility in Security Operations Centers (SOCs). This study presents a hybrid User and Entity Behavior Analytics framework that integrates Transformer-based sequence modeling with graph neural networks (GNNs) to simultaneously capture temporal workflows and relational dependencies. Using the CERT Insider Threat Dataset, raw multi-source logs are sessionized and transformed into dense event representations combining categorical actions, resource identifiers, and normalized numerical attributes. A Transformer encoder models long-range event dependencies, while a GNN encodes user–resource interactions, their outputs are fused and evaluated via anomaly scoring, with explainability mechanisms providing interpretable SOC alerts. Experimental evaluation demonstrates that the proposed model achieves 97.9% accuracy, 0.88 F1-score, and 0.99 AUC, reducing false positives to 11 per 1000 sessions and lowering detection latency to 1.9 h. These results establish that fusing sequential and relational perspectives yields a robust, accurate, and interpretable solution for insider threat detection in enterprise environments.