Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Insider Threat Detection Using GCN and Bi-LSTM with Explicit and Implicit Graph Representations

Rahul Yumlembam, Biju Issac, Seibu Mary Jacob, Longzhi Yang, Deepa Krishnan

TL;DR

The paper tackles insider threat detection by integrating explicit and implicit graph representations with temporal modelling. It introduces a DualGCNWithAttention architecture that processes both hand-crafted explicit relationships and learned latent implicit connections, refined by an attention mechanism, followed by a Bi-LSTM to capture temporal dynamics. On CERT r5.2 and r6.2 datasets, the approach achieves state-of-the-art performance, notably an AUC of 98.62 with perfect detection on r5.2 and strong results on the more challenging r6.2, demonstrating the value of combining dual graphs with sequential modelling. These findings suggest robust ITD capabilities with reduced false positives, and the work provides a reproducible framework with public code for broader validation and deployment in security-critical environments.

Abstract

Insider threat detection (ITD) is challenging due to the subtle and concealed nature of malicious activities performed by trusted users. This paper proposes a post-hoc ITD framework that integrates explicit and implicit graph representations with temporal modelling to capture complex user behaviour patterns. An explicit graph is constructed using predefined organisational rules to model direct relationships among user activities. To mitigate noise and limitations in this hand-crafted structure, an implicit graph is learned from feature similarities using the Gumbel-Softmax trick, enabling the discovery of latent behavioural relationships. Separate Graph Convolutional Networks (GCNs) process the explicit and implicit graphs to generate node embeddings, which are concatenated and refined through an attention mechanism to emphasise threat-relevant features. The refined representations are then passed to a bidirectional Long Short-Term Memory (Bi-LSTM) network to capture temporal dependencies in user behaviour. Activities are flagged as anomalous when their probability scores fall below a predefined threshold. Extensive experiments on CERT r5.2 and r6.2 datasets demonstrate that the proposed framework outperforms state-of-the-art methods. On r5.2, the model achieves an AUC of 98.62, a detection rate of 100%, and a false positive rate of 0.05. On the more challenging r6.2 dataset, it attains an AUC of 88.48, a detection rate of 80.15%, and a false positive rate of 0.15, highlighting the effectiveness of combining graph-based and temporal representations for robust ITD.

Insider Threat Detection Using GCN and Bi-LSTM with Explicit and Implicit Graph Representations

TL;DR

The paper tackles insider threat detection by integrating explicit and implicit graph representations with temporal modelling. It introduces a DualGCNWithAttention architecture that processes both hand-crafted explicit relationships and learned latent implicit connections, refined by an attention mechanism, followed by a Bi-LSTM to capture temporal dynamics. On CERT r5.2 and r6.2 datasets, the approach achieves state-of-the-art performance, notably an AUC of 98.62 with perfect detection on r5.2 and strong results on the more challenging r6.2, demonstrating the value of combining dual graphs with sequential modelling. These findings suggest robust ITD capabilities with reduced false positives, and the work provides a reproducible framework with public code for broader validation and deployment in security-critical environments.

Abstract

Insider threat detection (ITD) is challenging due to the subtle and concealed nature of malicious activities performed by trusted users. This paper proposes a post-hoc ITD framework that integrates explicit and implicit graph representations with temporal modelling to capture complex user behaviour patterns. An explicit graph is constructed using predefined organisational rules to model direct relationships among user activities. To mitigate noise and limitations in this hand-crafted structure, an implicit graph is learned from feature similarities using the Gumbel-Softmax trick, enabling the discovery of latent behavioural relationships. Separate Graph Convolutional Networks (GCNs) process the explicit and implicit graphs to generate node embeddings, which are concatenated and refined through an attention mechanism to emphasise threat-relevant features. The refined representations are then passed to a bidirectional Long Short-Term Memory (Bi-LSTM) network to capture temporal dependencies in user behaviour. Activities are flagged as anomalous when their probability scores fall below a predefined threshold. Extensive experiments on CERT r5.2 and r6.2 datasets demonstrate that the proposed framework outperforms state-of-the-art methods. On r5.2, the model achieves an AUC of 98.62, a detection rate of 100%, and a false positive rate of 0.05. On the more challenging r6.2 dataset, it attains an AUC of 88.48, a detection rate of 80.15%, and a false positive rate of 0.15, highlighting the effectiveness of combining graph-based and temporal representations for robust ITD.

Paper Structure

This paper contains 19 sections, 34 equations, 2 figures, 2 tables.

Table of Contents

  1. Impact Statement
  2. Introduction
  3. Related works
  4. Methodology
  5. Activity Encoding
  6. Log Feature Extraction
  7. Graph Construction
  8. Explicit Graph Construction
  9. Implicit Graph Construction
  10. Node embedding generation and attention
  11. Anomaly Detection
  12. Experiments
  13. Dataset
  14. Implementation Details
  15. Experimental Results and Analysis
  16. ...and 4 more sections

Figures (2)

  • Figure 1: Overall Insider Detection Architecture.
  • Figure 2: Comparison of ROC Curves Between Different Models on the r5.2 CERT Dataset: Evaluating Performance with Explicit Graphs Versus Combined Explicit and Implicit Graphs.