Role-Aware Behavioural Analytics for Insider Threat Detection in Learning Management Systems

Abstract

The rapid increase in LMS use in educational systems has enabled greater access to and flexibility in digital learning opportunities (e-Learning). But the increased use of these learning environments has also introduced new cybersecurity challenges, particularly regarding insider threats. Insider threats can come from authorized users, such as students, teachers, and administrators. Unlike external cyberattacks, detecting an insider threat is more difficult, since the bad actor (the person committing the act) will normally be using their legitimate credentials and typical access privileges to commit the malicious act. Traditionally, most technologies for detecting insider threats in LMSs use general anomaly-detection processes in their design and place limited focus on the behavioral differences associated with specific roles and task types. The proposed research study presents a behavioral analytics framework for detecting insider threats in LMS’s based on the behavioral characteristics of students and teachers. This framework uses interaction logs and activity data collected from the Open University Learning Analytics Dataset (OULAD) to produce a comparative evaluation of both groups’ behavioral characteristics. Analysis of behavioral indicators, such as logon frequency, session duration, resource access behavior, abnormal access time periods, and excessive downloads, was conducted to establish behavioral profiles for both user types and determine what constitutes “normal” behavior versus “anomalous” behavior. One of the most critical components of this framework is the inclusion of a behavioral labeling mechanism based on role to improve understanding of the context regarding a suspicious action within LMS’s. The purpose of this research is to improve the ability to identify suspicious behaviors within an organization using context and behavior-based intelligent methods.

Introduction

The text presents research on detecting insider threats in Learning Management Systems (LMS) using a role-aware behavioral analytics approach.

Modern LMS platforms like Moodle, Canvas, and Blackboard store large amounts of sensitive academic data, making them vulnerable to cybersecurity threats. Among these, insider threats—originating from authorized users such as students, teachers, or administrators—are particularly difficult to detect because insiders operate with valid credentials and can behave like normal users.

Existing detection methods mainly rely on rule-based systems or generic machine learning models, which often fail to capture contextual differences in user behavior. A key limitation is that most approaches treat all users the same, ignoring the fact that “normal” behavior varies by role. For example, accessing grade records may be normal for teachers but suspicious for students.

To address this gap, the study proposes a role-aware behavioral analytics framework that uses LMS activity data (from the OULAD dataset) to distinguish between normal and anomalous behavior based on user roles. The framework analyzes logs such as login frequency, session duration, resource access, downloads, and assessment interactions.

The system follows a structured process: data collection, preprocessing, role identification, feature extraction, anomaly detection, and threat classification. Behavioral patterns are compared against role-specific baselines to detect unusual actions like abnormal downloads, unauthorized grade access, or irregular login behavior.

Conclusion

In this research project, a behavioral analytics framework for insider threat detection in Learning Management Systems (LMS) was proposed with a focus on including the concept of role awareness in the behavioral analytics of both students and teachers, to provide a better understanding (contextual) of behaviors that may be deemed suspicious due to their occurrence. The analysis of the findings suggests that including role awareness in behavioral analysis supports the effective identification of insider threats and enhances cybersecurity monitoring capabilities for Learning Management Systems (LMS). This study contributes to the growing body of research in the field of Educational Cybersecurity through its introduction of a combined approach of behavioral analysis with role-based analysis of anomalies for identifying (anomalous) behaviors in LMS. The proposed framework reinforced the importance of analyzing behaviors contextually to facilitate the determination of the legitimacy or suspicion of behaviors occurring in LMSs. Future work may include integrating deep learning techniques, implementing sophisticated real-time monitoring systems, and integrating Explainable AI (XAI) technologies and methods into an adaptive insider threat detection system (System, LMS). Finally, future research could also investigate other user roles and add real-world Cybersecurity Data to strengthen the accuracy of behavioral analysis when monitoring for behaviors associated with potential threats.

References

[1] B. Singh and B. Kumar, “Enhancing cyber security in e-learning portals: Challenges and solutions,” Educational Administration: Theory and Practice, vol. 29, no. 4, pp. 1581–1586, 2023. [2] M. Bishop, M. Carvalho, R. Ford, and X. Ou, “Insider threat detection: Progress and open challenges,” IEEE Security & Privacy, vol. 18, no. 4, pp. 14–22, 2020. [3] J. Yuan, J. Wu, X. Qiu, J. Guo, W. Li, and Y.-G. Wang, “Integrating behavior analysis with machine learning to predict online learning performance: A scientometric review and empirical study,” arXiv preprint arXiv:2406.11847, 2024. [4] X. Zhang, Y. Li, and H. Wang, “Behavioral analysis in STEM online courses using learning analytics,” Sustainability, vol. 15, no. 10, p. 8235, 2023. [5] T. Badal, A. Dutt, and M. A. Ismail, “Predictive modelling and analytics of students\' grades: A systematic review,” Scientific Reports, vol. 12, no. 1, p. 20122, 2022. [6] G. M. Rao and D. Ramesh, “A hybrid and improved isolation forest algorithm for anomaly detection,” in Proceedings of the International Conference on Recent Trends in Machine Learning, IoT, Smart Cities and Applications. Singapore: Springer, 2021, pp. 589–598. [7] J. Yi, “Insider threat detection model enhancement using hybrid unsupervised outlier scores,” Electronics, vol. 13, no. 5, 2024. [8] A. Sharma and P. Verma, “Optimising insider threat prediction: Exploring BiLSTM networks and sequential features,” Data Science and Engineering, Springer, 2024. [9] R. Kumar and S. Patel, “Intrusion detection model for imbalanced dataset using SMOTE and Random Forest algorithm,” International Journal of Computer Applications, vol. 185, no. 12, pp. 15–21, 2025. [10] L. Jiang, “Detecting anomalous student engagement patterns in online learning using OULAD,” in Proceedings of the Educational Data Mining Conference, 2022. [11] A. Ali, M. Husain, and P. Hans, “Real-time detection of insider threats using behavioral analytics and deep evidential clustering,” arXiv preprint, 2025.

Copyright

Copyright © 2026 Jisha Sreenath, Dr. Arun Mozhi Selvi. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.