Integrating Multi-Agent Simulation, Behavioral Forensics, and Trust-Aware Machine Learning for Adaptive Insider Threat Detection
Firdous Kausar, Asmah Muallem, Naw Safrin Sattar, Mohamed Zakaria Kurdi
TL;DR
The paper addresses insider-threat detection by combining a multi-agent simulation (MAS) with a layered SIEM, behavioral and communication forensics, and trust-aware, ToM-based reasoning. The authors implement a four-variant framework (LSC, CE-SIEM, EG-SIEM, EG-SIEM-Enron) and evaluate it on 10 runs of a 42-agent enterprise simulation, showing progressive gains in detection performance and precision as cognitive context and evidence gating are added. Key contributions include a Mesa-based MAS with ToM-enabled intent signals, a multi-layer SIEM with trust-adaptive thresholds and online learning, and an Enron-calibrated email forensics module whose runtime integration reduces time-to-detection while maintaining near-perfect precision. The results demonstrate that cognitive context enhances sensitivity, while evidence-gated validation yields high-precision, low-noise alerts, with pretrained communication calibration further accelerating high-confidence insider-threat identification and informing practical SOC deployment.
Abstract
We present a hybrid framework for adaptive insider-threat detection that tightly integrates multi-agent simulation (MAS), layered Security Information and Event Management (SIEM) correlation, behavioral and communication forensics, trust-aware machine learning, and Theory-of-Mind (ToM) reasoning. Intelligent agents operate in a simulated enterprise environment, generating both behavioral events and cognitive intent signals that are ingested by a centralized SIEM. We evaluate four system variants: a Layered SIEM-Core (LSC) baseline, a Cognitive-Enriched SIEM (CE-SIEM) incorporating ToM and communication forensics, an Evidence-Gated SIEM (EG-SIEM) introducing precision-focused validation mechanisms, and an Enron-enabled EG-SIEM (EG-SIEM-Enron) that augments evidence gating with a pretrained email forensics module calibrated on Enron corpora. Across ten simulation runs involving eight malicious insiders, CE-SIEM achieves perfect recall (1.000) and improves actor-level F1 from 0.521 (LSC) to 0.774. EG-SIEM raises actor-level F1 to 0.922 and confirmed-alert precision to 0.997 while reducing false positives to 0.2 per run. EG-SIEM-Enron preserves high precision (1.000 confirmed-alert precision; 0.0 false positives per run), slightly improves actor-level F1 to 0.933, and reduces detection latency (average TTD 10.26 steps versus 15.20 for EG-SIEM). These results demonstrate that cognitive context improves sensitivity, evidence-gated validation enables high-precision, low-noise detection, and pretrained communication calibration can further accelerate high-confidence insider threat identification.
