Reconsider Time Series Analysis for Insider Threat Detection

Chia-Cheng Chen, Hsing-Kuo Pao

Published: 2024, Last Modified: 26 Feb 2026 | IEEE Big Data 2024 | License: CC BY-SA 4.0
Abstract: Insider threat detection (ITD) is a significant challenge in cybersecurity, particularly within large and complex organizations. ITD has traditionally been overshadowed by the focus on external threats, leaving this critical area with less attention and development. Conventional ITD approaches rely heavily on event-driven analysis, on top of which researchers have built a variety of rule-based methods. As a result, such approaches often ignore the intrinsic temporal relationships between events that occur at different moments. For instance, we can easily recognize causally linked events, such as one anomalous event followed by a specific second event that completes a malicious action, but we may not notice events that recur around 9 am every morning during working hours. In this work, we reconsider temporal behavior in order to extract the information hidden in cyberspace activities. Specifically, effective sentence embeddings can provide informative internal representations that summarize the temporal behavior in activity sequences and support sound judgments in insider threat detection. We propose a novel methodology for insider threat detection that adds temporal relationship modeling on top of already-mature event sequence analysis to catch insider threats effectively. The proposed approach leverages contrastive sentence embeddings to learn users' intentions from their sequences, followed by a user-level and event-level Contrastive Learning (euCL) model that combines temporal behaviors with user behavior embeddings. To validate the methodology, we conduct extensive analyses and experiments on the publicly available CERT dataset. The results demonstrate the effectiveness and robustness of the proposed method in detecting insider threats and identifying malicious scenarios, highlighting its potential for strengthening cybersecurity measures in complex organizational environments.