AI-Driven Insider Threat Detection Using Wazuh and Behavioral Analytics: A Modular Approach

Abstract

Insider threats represent a critical challengein modern cybersecurity, ofteneluding traditional defensesduet othe irsubtletyandlegit- imateaccess. ThispaperpresentsanAI-drivende- tectionsystemintegratingtheopen-sourceWazuh SIEM platform with behavioral analytics and machine learning. Leveraging the CERT Insider Threat Dataset and real-time log ingestion, the system employs supervised learning models to identifyanomalousbehavior,assigndynamicrisk scores, and provide actionable alerts. The modular architecture ensures scalability and effective threatvisualization, demonstratingproactive de- tection capabilities with reduced false positives through continuous learning.

Introduction

Overview

With the rise of enterprise digitization, insider threats have become a significant cybersecurity concern. Traditional, reactive security systems often fail to detect such threats early. This paper proposes a proactive system that integrates Wazuh SIEM, behavioral analytics, and machine learning (ML) to detect insider threats in real time by analyzing system logs, file access behavior, and psychometric indicators.

Key Contributions

1. Problem Context

• Insider threats account for 34% of all data breaches, with an average cost of $11.45 million per incident.

• Existing solutions struggle with false positives, limited adaptability, and lack of contextual awareness.

2. Related Work

• Prior research has used deep learning and autoencoders for detection.

• The proposed system improves on prior work by:

  • Reducing false positives

  • Incorporating dynamic risk scoring

  • Enhancing adaptability through behavioral baselining

3. System Design

Architecture

The system follows a layered, modular architecture:

• Data Layer: Wazuh agents collect logs from endpoints.

• Middleware Layer: Handles data flow, preprocessing, and API interactions (built on ELK and PostgreSQL).

• Detection Layer: Uses ML models (Random Forest, XGBoost) for risk scoring.

• Visualization Layer: Dashboards for monitoring and alerts.

Deployment Features

• Runs on Proxmox VE, supporting horizontal and vertical scaling.

• Uses virtual machines to isolate components.

• Automated deployment of agents for scalability across 10,000+ endpoints.

Log Flow

1. Collection: Agents gather logs from syslog, file access, etc.

2. Processing: Wazuh enriches logs, which are indexed in ELK.

3. Analytics: Middleware extracts features and sends data to ML models.

4. Alerting: ML outputs are visualized in a UI dashboard.

Performance Enhancements

• Real-time processing with sub-500ms latency

• Dynamic sharding and retention policies optimize ELK indexing

4. Implementation

• Wazuh cluster includes Indexer VM, Server VM, and Agent VM.

• CERT Insider Threat Dataset v3.2 and custom enterprise logs used for training.

• Feature engineering includes:

  • Temporal access patterns

  • Anomalous access frequency

  • Decoy file interaction

5. Results

• 92.7% ML classification accuracy

• 89% reduction in false positives

• Scales across 10,000+ endpoints

6. Use Case Scenarios

The system effectively detects:

• Data exfiltration (e.g., large uploads to external services)

• Unauthorized access (e.g., failed logins, privilege escalation)

• Behavioral anomalies (e.g., sudden work pattern changes)

• Insider collusion (e.g., synchronized suspicious activity)

7. Evaluation Methodology

• Datasets:

  • Synthetic (10,000 user profiles)

  • CERT dataset (18 months of real-world logs)

  • In-house data from 15,000 users and 72 confirmed threats

• Cross-validation, sandbox testing, and real-world deployment

• Compared against:

  • Rule-based systems

  • COTS insider threat tools

  • Open-source anomaly detectors

8. Conclusion

The paper presents a scalable, modular, and AI-powered insider threat detection system with high accuracy and low latency. It addresses critical shortcomings of existing tools by offering:

• Behavioral pattern analysis

• Real-time alerts

• Easy scalability via virtual infrastructure

Future Work

• Integrating deep learning models

• Enabling cloud-native deployments

• Enhancing empathy in alert explanation for human analysts

Conclusion

Our insider threat detection system represents a significantadvancementinthefield,combiningmul- tiple detection approaches with ethical considera- tions to create a solution that is both effective and responsible. Through rigorous evaluation and testing, wehavedemonstratedsuperiorperformanceacross a range of metrics while addressing the complex privacyandethical challengesin herentinmonitoring employee behavior. The system’s scalable architecture ensures that organizations of all sizes can benefit from its capa- bilities,whilethetransparentandexplainablenature of its detections helps maintain trust and account- ability. Byprioritizingbothsecurityeffectiveness and ethical implementation, our system provides a balancedapproachtothegrowing challengeofinsider threats. Asthreatscontinuetoevolve,ourhybridapproach combiningrules,behavioral analytics,and machine learningprovidestheadaptabilityneededtoidentifynewattackpatternswhileminimizingfalsepositives. Thecomprehensivecomparisonwithalternativeap- proaches demonstrates the advantages of our inte- grated methodology across multiple dimensions of performance. Future work will focus on further refinements to the privacy-preserving capabilities, additional cul- turaladaptationfeaturesfor globaldeployments,and expanded integration with emerging security tech- nologies.

References

[1] A. Budžys et al., “Deep Learning-basedAuthentication for Insider Threat Detection,” inProc. IEEE Int. Conf. Cybersecurity in Critical Infrastructure, 2024, pp. 215- 220. [2] E. Pantelidis et al., “Insider Detection using Deep Au- toencoder and Variational Autoencoder Neural Net- works,” inProc. IEEE Int. Conf. Cyber Security and Resilience, 2021, pp. 112-119. [3] P. D. N. K. Kommisetty et al., “Revolutionizing Cyberse-curity: Behavioral Analysis for Insider Threat Detection,”ACMTrans.Inf.Syst.Security,vol.25,no.4,pp.112-135,2022. [4] M.Jumiaty,Y.D.Setiyadi,F.R.Setiawan,I.Ahmad,andA. Feizal, “SIEM Threat Intelligence for Protecting Applications,”IEEE Access, vol. 12, pp. 12345-12360, 2024. [5] B. Wibowo and A. F. Sulaeman, “Deep Learning in Wazuh Intrusion Detection System,”J. Network and Computer Applications, vol. 215, pp. 103-120, 2025. [6] A. Basit et al., “Security and Threat Detection through Cloud-BasedWazuhDeployment,”inCloudComputing Security Symposium, 2024, pp. 78-85. [7] V.Koutsouvelisetal.,“DetectionofInsiderThreatsusing Artificial Intelligence and Visualization,” inProc. 6th IEEE Conf. Network Softwarization, 2021, pp. 325-330. [8] F.R.Alzaabietal.,“AReviewofRecentAdvances,Chal- lenges, andOpportunitiesinInsider Threat Detection,” J. Cybersecurity Advances, vol. 12, no. 3, pp. 45-67, 2017. [9] M. R. Islam et al., “Wazuh SIEM for Cyber Security andThreat Mitigation in Apparel Industries,” Int. J. CriticalInfrastructure Protection, vol. 30, pp. 100358, 2020.

Copyright

Copyright © 2025 Navaneet R Rao, Praneeth P Shetty, Rishab K Joshi, Sai Prathik R, Dr. Swathi K . This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.