Insider threats represent a critical challenge in modern cybersecurity, often eluding traditional defenses due to their subtlety and legitimate access. This paper presents an AI-driven detection system integrating the open-source Wazuh SIEM platform with behavioral analytics and machine learning. Leveraging the CERT Insider Threat Dataset and real-time log ingestion, the system employs supervised learning models to identify anomalous behavior, assign dynamic risk scores, and provide actionable alerts. The modular architecture ensures scalability and effective threat visualization, demonstrating proactive detection capabilities with reduced false positives through continuous learning.
Introduction
Overview
With the rise of enterprise digitization, insider threats have become a significant cybersecurity concern. Traditional, reactive security systems often fail to detect such threats early. This paper proposes a proactive system that integrates Wazuh SIEM, behavioral analytics, and machine learning (ML) to detect insider threats in real time by analyzing system logs, file access behavior, and psychometric indicators.
Key Contributions
1. Problem Context
Insider threats account for 34% of all data breaches, with an average cost of $11.45 million per incident.
Existing solutions struggle with false positives, limited adaptability, and lack of contextual awareness.
2. Related Work
Prior research has used deep learning and autoencoders for detection.
The proposed system improves on prior work by:
Reducing false positives
Incorporating dynamic risk scoring
Enhancing adaptability through behavioral baselining
3. System Design
Architecture
The system follows a layered, modular architecture:
Data Layer: Wazuh agents collect logs from endpoints.
Middleware Layer: Handles data flow, preprocessing, and API interactions (built on ELK and PostgreSQL).
Detection Layer: Uses ML models (Random Forest, XGBoost) for risk scoring.
Visualization Layer: Dashboards for monitoring and alerts.
Deployment Features
Runs on Proxmox VE, supporting horizontal and vertical scaling.
Uses virtual machines to isolate components.
Automated deployment of agents for scalability across 10,000+ endpoints.
Log Flow
Collection: Agents gather logs from syslog, file access, etc.
Processing: Wazuh enriches logs, which are indexed in ELK.
Analytics: Middleware extracts features and sends data to ML models.
Alerting: ML outputs are visualized in a UI dashboard.
Performance Enhancements
Real-time processing with sub-500ms latency
Dynamic sharding and retention policies optimize ELK indexing
4. Implementation
Wazuh cluster includes Indexer VM, Server VM, and Agent VM.
CERT Insider Threat Dataset v3.2 and custom enterprise logs used for training.
Feature engineering includes:
Temporal access patterns
Anomalous access frequency
Decoy file interaction
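To make the Log Flow (collection, processing, analytics, alerting) and the feature-engineering list above concrete, here is an added example that is not the paper's code. It takes constructed Wazuh-style JSON events, extracts the three named features per user (temporal access pattern as an off-hours ratio, access frequency relative to a cross-user behavioral baseline, and decoy-file interaction), combines them into a dynamic risk score, and flags users above an alert threshold. The event field names, the decoy path list, the business-hours window, the feature weights and the threshold are all assumptions; the paper's own models (Random Forest, XGBoost) would replace the hand-weighted scorer.

```python
"""Added example, not from the paper: a stdlib-only sketch of the
analytics and alerting stages over constructed Wazuh-style events."""
import json
import math
from collections import defaultdict
from datetime import datetime

# Assumed honeyfile list (decoy file interaction feature).
DECOY_PATHS = {"/srv/finance/decoy_payroll.xlsx"}
# Assumed business-hours window for the temporal access feature.
BUSINESS_HOURS = range(8, 18)


def _mk(ts, user, path):
    """Build one constructed event line in an assumed Wazuh-like shape."""
    return json.dumps({"timestamp": ts, "rule": {"id": "550"},
                       "data": {"user": user, "path": path}})


# Constructed sample log lines: alice and bob are ordinary daytime users,
# mallory reads files at night and touches the decoy.
SAMPLE_EVENTS = [
    _mk("2024-05-01T09:05:00", "alice", "/srv/eng/spec.docx"),
    _mk("2024-05-01T10:40:00", "alice", "/srv/eng/notes.txt"),
    _mk("2024-05-01T14:15:00", "alice", "/srv/eng/spec.docx"),
    _mk("2024-05-01T11:00:00", "bob", "/srv/hr/handbook.pdf"),
    _mk("2024-05-01T15:30:00", "bob", "/srv/hr/handbook.pdf"),
    _mk("2024-05-01T02:13:00", "mallory", "/srv/finance/q1.xlsx"),
    _mk("2024-05-01T02:20:00", "mallory", "/srv/finance/q2.xlsx"),
    _mk("2024-05-01T02:31:00", "mallory", "/srv/finance/decoy_payroll.xlsx"),
    _mk("2024-05-01T02:45:00", "mallory", "/srv/finance/q3.xlsx"),
    _mk("2024-05-01T13:00:00", "mallory", "/srv/finance/q1.xlsx"),
]


def parse_events(raw_lines):
    """Collection/processing stage: turn JSON lines into typed records."""
    events = []
    for line in raw_lines:
        e = json.loads(line)
        events.append({"user": e["data"]["user"], "path": e["data"]["path"],
                       "ts": datetime.fromisoformat(e["timestamp"])})
    return events


def extract_features(events):
    """Per-user features named in the paper's feature-engineering list."""
    per_user = defaultdict(lambda: {"total": 0, "off_hours": 0, "decoy": 0})
    for e in events:
        f = per_user[e["user"]]
        f["total"] += 1
        if e["ts"].hour not in BUSINESS_HOURS:
            f["off_hours"] += 1
        if e["path"] in DECOY_PATHS:
            f["decoy"] += 1
    return {u: {"off_hours_ratio": f["off_hours"] / f["total"],
                "access_count": f["total"],
                "decoy_touches": f["decoy"]} for u, f in per_user.items()}


def baseline(features):
    """Behavioral baseline: mean and population std of access counts."""
    counts = [f["access_count"] for f in features.values()]
    mean = sum(counts) / len(counts)
    var = sum((c - mean) ** 2 for c in counts) / len(counts)
    return mean, math.sqrt(var)


def risk_score(f, mean, std):
    """Dynamic risk score in [0, 100]; weights are assumptions."""
    z = (f["access_count"] - mean) / std if std > 0 else 0.0
    freq_component = min(max(z, 0.0) / 3.0, 1.0)  # saturate at 3 sigma
    score = (40 * f["off_hours_ratio"]
             + 30 * freq_component
             + 30 * min(f["decoy_touches"], 1))  # any decoy touch counts
    return round(score, 1)


def score_users(raw_lines, alert_threshold=50.0):
    """Analytics + alerting: returns per-user score, features, alert flag."""
    features = extract_features(parse_events(raw_lines))
    mean, std = baseline(features)
    results = {}
    for user, f in features.items():
        s = risk_score(f, mean, std)
        results[user] = {"score": s, "alert": s >= alert_threshold, **f}
    return results


if __name__ == "__main__":
    print(json.dumps(score_users(SAMPLE_EVENTS), indent=2))
```

With the constructed events, alice and bob score 0 (daytime only, below-average volume, no decoy contact) and mallory scores about 75 and is alerted; the decoy touch alone contributes 30 points, which is why honeyfiles are such a cheap, low-false-positive signal in a scheme like this.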
5. Results
Metric                    | Baseline | Proposed System
Detection Accuracy        | 76%      | 93%
False Positives per Hour  | 42       | 5
Processing Latency        | 2.1 sec  | 0.4 sec
92.7% ML classification accuracy
89% reduction in false positives
Scales across 10,000+ endpoints
6. Use Case Scenarios
The system effectively detects:
Data exfiltration (e.g., large uploads to external services)
In-house data from 15,000 users and 72 confirmed threats
Cross-validation, sandbox testing, and real-world deployment
Compared against:
Rule-based systems
COTS insider threat tools
Open-source anomaly detectors
8. Conclusion
The paper presents a scalable, modular, and AI-powered insider threat detection system with high accuracy and low latency. It addresses critical shortcomings of existing tools by offering:
Behavioral pattern analysis
Real-time alerts
Easy scalability via virtual infrastructure
Future Work
Integrating deep learning models
Enabling cloud-native deployments
Enhancing empathy in alert explanation for human analysts
Conclusion
Our insider threat detection system represents a significant advancement in the field, combining multiple detection approaches with ethical considerations to create a solution that is both effective and responsible. Through rigorous evaluation and testing, we have demonstrated superior performance across a range of metrics while addressing the complex privacy and ethical challenges inherent in monitoring employee behavior.
The system's scalable architecture ensures that organizations of all sizes can benefit from its capabilities, while the transparent and explainable nature of its detections helps maintain trust and accountability. By prioritizing both security effectiveness and ethical implementation, our system provides a balanced approach to the growing challenge of insider threats. As threats continue to evolve, our hybrid approach combining rules, behavioral analytics, and machine learning provides the adaptability needed to identify new attack patterns while minimizing false positives. The comprehensive comparison with alternative approaches demonstrates the advantages of our integrated methodology across multiple dimensions of performance.
Future work will focus on further refinements to the privacy-preserving capabilities, additional cultural adaptation features for global deployments, and expanded integration with emerging security technologies.