Abstract
Insider threats represent one of the most critical challenges in modern cybersecurity. These threats arise from individuals within an organization who misuse their legitimate access to harm the organization's assets, data, or operations. Traditional security mechanisms, primarily designed for external attackers, fall short in identifying these subtle and context-aware threats. In this paper, we propose a novel framework for real-time detection of insider threats using behavioral analytics combined with deep evidential clustering. Our system captures and analyzes user activities, applies context-rich behavioral features, and classifies potential threats using a deep evidential clustering model that estimates both cluster assignment and epistemic uncertainty. The proposed model dynamically adapts to behavioral changes and significantly reduces false positives. We evaluate our framework on benchmark insider threat datasets such as CERT and TWOS, achieving an average detection accuracy of 94.7% and a 38% reduction in false positives compared to traditional clustering methods. Our results demonstrate the effectiveness of integrating uncertainty modeling in threat detection pipelines. This research provides actionable insights for deploying intelligent, adaptive, and robust insider threat detection systems across various enterprise environments.
Introduction
Insider threats have become a major cybersecurity challenge as they originate from authorized users who misuse legitimate access to compromise organizational systems and data. Traditional security mechanisms such as firewalls and signature-based intrusion detection systems are ineffective against these attacks because insider behavior often resembles normal user activity. Although machine learning and deep learning techniques have improved behavioral analysis, existing methods still suffer from high false-positive rates, poor adaptability to changing user behavior (concept drift), and limited ability to estimate prediction confidence.
To address these limitations, the proposed framework introduces a Deep Evidential Clustering (DEC)-based real-time insider threat detection system. The system analyzes user activity logs, including login sessions, file access, process execution, and command history, using recurrent neural networks to generate behavioral embeddings. These embeddings are processed by a deep evidential clustering model that employs Dirichlet distributions to estimate both cluster assignments and prediction uncertainty. By combining uncertainty estimation with online learning and behavioral drift analysis, the framework adapts to evolving user behavior, reduces false alarms, and enables human review of ambiguous cases while automatically detecting high-confidence threats.
The proposed model was evaluated on the CERT Insider Threat and TWOS benchmark datasets. Experimental results achieved 94.7% detection accuracy, reduced the false-positive rate by over 38%, and attained an AUC of approximately 0.93, outperforming conventional approaches such as k-means, Isolation Forest, and autoencoder-based methods. Additional analyses demonstrated effective uncertainty estimation, robust detection of behavioral drift, clear separation between normal and anomalous users, and interpretable latent clustering. Overall, the framework provides an adaptive, uncertainty-aware, and highly accurate insider threat detection solution suitable for real-time deployment in Security Operations Centers while improving explainability, analyst trust, and regulatory compliance.
Conclusion
In this paper, we presented a novel framework for real-time detection of insider threats using behavioral analytics and deep evidential clustering. By combining temporal embeddings of user activity sequences with an uncertainty-aware clustering approach, our model not only achieves high detection accuracy but also significantly reduces false positives, an essential requirement in practical cybersecurity applications.
The incorporation of epistemic uncertainty estimation enables better prioritization of alerts and supports adaptive decision-making under ambiguous conditions. Experimental results on two benchmark datasets, CERT and TWOS, demonstrated the superior performance of our approach in terms of accuracy, robustness to concept drift, and interpretability. Our key contributions include the design of a Dirichlet-based clustering head for modeling soft cluster assignments, an anomaly scoring mechanism based on both uncertainty and behavioral drift, and a visualization component for interpretability. These collectively form a robust and deployable system for modern enterprise environments.
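The Dirichlet-based clustering head, the uncertainty-plus-drift anomaly score, and the split between automatic alerts and human review that the Introduction and the contribution summary above describe, as an added worked example. This is illustrative code written for this page, not the paper's implementation: the three-cluster layout, the evidence values of the three constructed sessions, the use of the normalised Jensen-Shannon divergence as the drift measure, the score weights and both thresholds are assumptions that the paper does not specify. In the real pipeline the per-cluster evidence would come from the RNN embedding through the evidential head; here it is supplied directly so the arithmetic can be followed.

```python
"""Evidential (Dirichlet) clustering head with uncertainty-aware triage.

Constructed illustration, not the paper's released code. Cluster names,
evidence values, weights and thresholds below are assumptions.
"""
import math

# Hypothetical cluster layout: cluster 2 is the one analysts have labelled
# anomalous (e.g. bulk file access outside working hours).
CLUSTER_NAMES = ["routine", "maintenance", "exfil-like"]
ANOMALOUS_CLUSTERS = {2}


def softplus(x):
    """Non-negative evidence from a raw network output (overflow-safe form)."""
    return max(x, 0.0) + math.log1p(math.exp(-abs(x)))


def dirichlet_alpha(evidence):
    """Dirichlet concentration parameters: alpha_k = e_k + 1."""
    return [e + 1.0 for e in evidence]


def expected_probs(alpha):
    """Soft cluster assignment: the Dirichlet mean, alpha_k / S."""
    s = sum(alpha)
    return [a / s for a in alpha]


def uncertainty(alpha):
    """Epistemic (vacuity) mass u = K / S: 1.0 with no evidence, -> 0 as S grows."""
    return len(alpha) / sum(alpha)


def js_divergence(p, q):
    """Jensen-Shannon divergence normalised to [0, 1]; used here as the drift measure."""
    m = [(pi + qi) / 2 for pi, qi in zip(p, q)]

    def kl(a, b):
        return sum(ai * math.log(ai / bi) for ai, bi in zip(a, b) if ai > 0)

    return 0.5 * (kl(p, m) + kl(q, m)) / math.log(2)


def anomaly_score(probs, u, drift, w=(0.5, 0.2, 0.3)):
    """Weighted mix of anomalous-cluster mass, uncertainty and drift (weights assumed)."""
    p_anom = sum(probs[k] for k in ANOMALOUS_CLUSTERS)
    return w[0] * p_anom + w[1] * u + w[2] * drift


def triage(evidence, baseline, u_review=0.4, alert_at=0.5):
    """Decide one session: 'review' if the head lacks evidence, else 'alert'/'normal'."""
    alpha = dirichlet_alpha(evidence)
    probs = expected_probs(alpha)
    u = uncertainty(alpha)
    drift = js_divergence(probs, baseline)
    score = anomaly_score(probs, u, drift)
    if u >= u_review:
        decision = "review"      # too little evidence to act on automatically
    elif score >= alert_at:
        decision = "alert"       # high-confidence threat, no analyst needed
    else:
        decision = "normal"
    return decision, score, u, drift, probs


def update_baseline(baseline, probs, rate=0.1):
    """Online EMA update of the user's behavioural baseline (only after 'normal' sessions,
    so that anomalous sessions cannot drag the baseline towards themselves)."""
    return [(1 - rate) * b + rate * p for b, p in zip(baseline, probs)]


def run_demo():
    """Replay three constructed sessions for one user and return the triage decisions."""
    sessions = [
        ("mon-09:00", [12.0, 3.0, 0.0]),   # ordinary workday: strong 'routine' evidence
        ("tue-02:30", [1.0, 0.0, 20.0]),   # night-time session: strong 'exfil-like' evidence
        ("wed-11:00", [1.0, 1.0, 1.0]),    # little evidence either way: ambiguous
    ]
    # Assume a baseline already warmed up on the user's normal behaviour.
    baseline = expected_probs(dirichlet_alpha(sessions[0][1]))
    decisions = []
    for sid, evidence in sessions:
        decision, score, u, drift, probs = triage(evidence, baseline)
        print(f"{sid}: {decision:6s} score={score:.2f} u={u:.2f} drift={drift:.2f}")
        if decision == "normal":
            baseline = update_baseline(baseline, probs)
        decisions.append(decision)
    return decisions


if __name__ == "__main__":
    run_demo()
```

Two properties matter here. The ambiguous session has evidence spread evenly across the three clusters, so its Dirichlet mean cannot distinguish it from a borderline case, but its vacuity mass is large and routes it to an analyst rather than to an alert or to the baseline update. The night-time session is scored high both because most of its mass sits on the anomalous cluster and because it has drifted far from the user's own baseline, which is the combination the paper uses to separate genuine anomalies from a user who has simply changed role.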
For future work, we plan to incorporate active learning mechanisms where high-uncertainty samples are escalated for human labeling to improve detection precision over time. We also aim to expand the behavioral feature space by including additional indicators such as keystroke dynamics, device usage patterns, and cross-platform activity logs, enabling a more holistic profile of user behavior. Furthermore, deploying the framework in real-world SOC environments will allow us to assess long-term adaptability and operational scalability. Lastly, we intend to explore the use of contrastive and self-supervised pretraining techniques to enhance generalization, particularly in low-label or zero-shot scenarios. Ultimately, our approach bridges the gap between interpretability and performance in insider threat detection, setting a new direction for adaptive and trustworthy AI in cybersecurity.