Insider threats continue to pose a significant cybersecurity concern due to the inherent trust and authorized access granted to individuals within an organization. Unlike external attacks, insider threats are often more difficult to detect because they involve users operating with legitimate credentials, making their actions appear routine or authorized. This research presents a forensic framework for detecting insider threats by analyzing behavioral patterns in user email activity. Drawing on the CERT Insider Threat Email dataset, a three-phase process which includes time-based activity analysis, feature extraction, and hybrid anomaly detection was implemented with Isolation Forest and Local Outlier Factor (LOF) algorithms, supplemented by Random Forest classification for user-level evaluation. The system detected over 26,000 anomalous events, with a significant proportion occurring outside standard business hours, indicating possible policy violations or misuse of access. An NLP and sentiment analysis layer was integrated to extract contextual insights from anomalous emails, revealing thematic patterns and potential threat-related language. Results demonstrated strong agreement between Isolation Forest and LOF outputs, highlighting the framework’s robustness. While effective in identifying behavioral anomalies without labeled data, limitations included a lack of role-based context and intent determination. Future improvements involve integrating role-informed modeling, and hybrid supervised and unsupervised approaches to enhance accuracy, interpretability, and real-time applicability in operational environments.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Evaluating Forensic Techniques for Detecting and Investigating Insider Threats Leveraging Legitimate Access to Systems and Data

  • Rojeena Khadka,
  • Dorcas Addo,
  • Yvonne Jegede,
  • Lei Chen

摘要

Insider threats continue to pose a significant cybersecurity concern due to the inherent trust and authorized access granted to individuals within an organization. Unlike external attacks, insider threats are often more difficult to detect because they involve users operating with legitimate credentials, making their actions appear routine or authorized. This research presents a forensic framework for detecting insider threats by analyzing behavioral patterns in user email activity. Drawing on the CERT Insider Threat Email dataset, a three-phase process which includes time-based activity analysis, feature extraction, and hybrid anomaly detection was implemented with Isolation Forest and Local Outlier Factor (LOF) algorithms, supplemented by Random Forest classification for user-level evaluation. The system detected over 26,000 anomalous events, with a significant proportion occurring outside standard business hours, indicating possible policy violations or misuse of access. An NLP and sentiment analysis layer was integrated to extract contextual insights from anomalous emails, revealing thematic patterns and potential threat-related language. Results demonstrated strong agreement between Isolation Forest and LOF outputs, highlighting the framework’s robustness. While effective in identifying behavioral anomalies without labeled data, limitations included a lack of role-based context and intent determination. Future improvements involve integrating role-informed modeling, and hybrid supervised and unsupervised approaches to enhance accuracy, interpretability, and real-time applicability in operational environments.