Evaluating Forensic Techniques for Detecting and Investigating Insider Threats Leveraging Legitimate Access to Systems and Data
摘要
Insider threats continue to pose a significant cybersecurity concern due to the inherent trust and authorized access granted to individuals within an organization. Unlike external attacks, insider threats are often more difficult to detect because they involve users operating with legitimate credentials, making their actions appear routine or authorized. This research presents a forensic framework for detecting insider threats by analyzing behavioral patterns in user email activity. Drawing on the CERT Insider Threat Email dataset, a three-phase process which includes time-based activity analysis, feature extraction, and hybrid anomaly detection was implemented with Isolation Forest and Local Outlier Factor (LOF) algorithms, supplemented by Random Forest classification for user-level evaluation. The system detected over 26,000 anomalous events, with a significant proportion occurring outside standard business hours, indicating possible policy violations or misuse of access. An NLP and sentiment analysis layer was integrated to extract contextual insights from anomalous emails, revealing thematic patterns and potential threat-related language. Results demonstrated strong agreement between Isolation Forest and LOF outputs, highlighting the framework’s robustness. While effective in identifying behavioral anomalies without labeled data, limitations included a lack of role-based context and intent determination. Future improvements involve integrating role-informed modeling, and hybrid supervised and unsupervised approaches to enhance accuracy, interpretability, and real-time applicability in operational environments.