Real-Time Detection of Insider Threats Using Behavioral Analytics and Deep Evidential Clustering
Anas Ali, Mubashar Husain, Peter Hans
TL;DR
This work tackles insider threat detection, a problem where malicious activity is hidden within legitimate user actions and traditional security tools often fail. It presents a real-time framework that fuses behavioral analytics with deep evidential clustering to jointly output cluster assignments and epistemic uncertainty, using temporal embeddings learned by a GRU and a Dirichlet-based clustering head that supports online drift adaptation. The approach achieves high detection accuracy on benchmark datasets (approximately 94.7% on CERT and 92.8% on TWOS) while substantially reducing false positives and providing uncertainty estimates to guide analyst review. By quantifying confidence and adapting to changing behavior, the method enhances interpretability and reliability for SOC deployments and regulatory-compliant insider threat monitoring. The study demonstrates the practical value of uncertainty modeling in threat detection and offers a scalable, deployable pathway for adaptive insider threat defense in enterprise environments.
Abstract
Insider threats represent one of the most critical challenges in modern cybersecurity. These threats arise from individuals within an organization who misuse their legitimate access to harm the organization's assets, data, or operations. Traditional security mechanisms, primarily designed for external attackers, fall short in identifying these subtle and context-aware threats. In this paper, we propose a novel framework for real-time detection of insider threats using behavioral analytics combined with deep evidential clustering. Our system captures and analyzes user activities, applies context-rich behavioral features, and classifies potential threats using a deep evidential clustering model that estimates both cluster assignment and epistemic uncertainty. The proposed model dynamically adapts to behavioral changes and significantly reduces false positives. We evaluate our framework on benchmark insider threat datasets such as CERT and TWOS, achieving an average detection accuracy of 94.7% and a 38% reduction in false positives compared to traditional clustering methods. Our results demonstrate the effectiveness of integrating uncertainty modeling in threat detection pipelines. This research provides actionable insights for deploying intelligent, adaptive, and robust insider threat detection systems across various enterprise environments.
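The abstract describes a head that returns a cluster assignment together with an epistemic uncertainty, and a TL;DR that mentions online drift adaptation. The example below is an added illustration, not code from the paper: it assumes the usual evidence-to-Dirichlet mapping (alpha_k = e_k + 1, uncertainty u = K / sum(alpha)), a softplus for turning scores into evidence, and an exponential-forgetting update as a stand-in for drift adaptation; the thresholds and per-session evidence are constructed.

```python
"""Dirichlet evidential clustering head with uncertainty-aware triage (assumed form)."""
import math


def evidence_from_logits(logits):
    """Softplus keeps evidence non-negative (assumed mapping from head outputs)."""
    return [math.log1p(math.exp(z)) for z in logits]


def evidential_cluster(evidence):
    """Return (argmax cluster, expected assignment probabilities, epistemic uncertainty).

    alpha_k = e_k + 1 are Dirichlet parameters; S = sum(alpha).
    Expected probability is alpha_k / S and the 'I don't know' mass is K / S:
    no evidence -> u = 1.0, strong evidence for one cluster -> u near 0.
    """
    k = len(evidence)
    alpha = [e + 1.0 for e in evidence]
    s = sum(alpha)
    probs = [a / s for a in alpha]
    cluster = max(range(k), key=probs.__getitem__)
    return cluster, probs, k / s


def triage(evidence, max_uncertainty=0.3):
    """Route a session: auto-assign when confident, otherwise queue for an analyst."""
    cluster, _, u = evidential_cluster(evidence)
    decision = "analyst_review" if u > max_uncertainty else "auto_assign"
    return decision, cluster, u


def adapt(prior_evidence, new_evidence, forgetting=0.7):
    """Online drift adaptation (assumed): decay accumulated evidence, add the new session's."""
    return [forgetting * p + n for p, n in zip(prior_evidence, new_evidence)]


if __name__ == "__main__":
    # Constructed sample: a user firmly in cluster 0 whose new sessions favour cluster 2.
    history = [9.0, 1.0, 0.0]
    print(triage(history))                 # ('auto_assign', 0, 0.23...)
    for _ in range(4):
        history = adapt(history, [0.0, 0.0, 1.0])
        print(triage(history))             # uncertainty climbs past 0.3 during the transition,
                                           # so the flip to cluster 2 lands in the analyst queue
```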
