The insider threat refers to actions of organizational users who abuse their authorized privileges to compromise information assets, and detecting it has become a crucial task in cybersecurity management. Existing approaches primarily rely on user behavior logs for detection, but they often fail to capture the multi-scale temporal dynamics of user behaviors and the structural relationships within user groups, which limits their effectiveness in insider threat detection. To address these limitations, we propose a multi-scale group learning model (MSGL) for insider threat detection. It consists of three key components: (1) a multi-scale collaborative temporal feature extraction module that uses a weighted attention mechanism to model behavioral dynamics at different granularities and fuses information across scales; (2) a group structure-aware module that captures structural dependencies among users through the aggregation mechanism of graph neural networks, with group-sparsity regularization to attenuate spurious associations and accentuate underlying common patterns; and (3) an individual learning module that captures deviations via sparse attention, yielding disentangled representations of group-level commonalities and user-specific characteristics. Experimental results on the CERT r4.2 and CERT r5.2 datasets demonstrate the effectiveness of MSGL, achieving detection accuracies of 96.28% and 97.41%, respectively.
Pang et al. studied this question.
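To make the abstract's three ideas concrete (features at several temporal scales, a shared group pattern, and an attention-weighted fusion of a user's deviation from it), here is an added, deliberately simplified illustration in plain Python; it is not the MSGL model or the authors' code, the windowed means, the median as group commonality and the softmax fusion are all assumptions, and the per-user daily counts are constructed sample input.

```python
import math
from statistics import mean, median

# Constructed sample input (not from the paper): 14 days of counts of one
# audited action per user. u1-u3 form one peer group; u3 ramps up late.
ACTIVITY = {
    "u1": [2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3],
    "u2": [3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 2],
    "u3": [2, 3, 2, 3, 2, 3, 2, 3, 2, 3, 9, 12, 15, 20],
}
SCALES = (1, 3, 7)  # assumed window lengths in days: fine, medium, coarse


def multi_scale_features(series, scales=SCALES):
    """One feature per scale: mean activity over the trailing window."""
    return [mean(series[-w:]) for w in scales]


def group_commonality(features_by_user, n_scales):
    """Per-scale median across peers, a robust stand-in for the shared
    group pattern so that a single outlier does not drag the baseline."""
    return [median(f[i] for f in features_by_user.values())
            for i in range(n_scales)]


def attention_fuse(features, group_features):
    """Per-scale absolute deviation from the group, fused with softmax
    weights so the scale on which the user stands out most dominates.
    Returns (fused_score, weights)."""
    devs = [abs(f - g) for f, g in zip(features, group_features)]
    exps = [math.exp(d) for d in devs]
    total = sum(exps)
    weights = [e / total for e in exps]
    return sum(w * d for w, d in zip(weights, devs)), weights


def score_users(activity, scales=SCALES):
    """Rank users by fused multi-scale deviation from their peer group."""
    feats = {u: multi_scale_features(s, scales) for u, s in activity.items()}
    group = group_commonality(feats, len(scales))
    scores = {u: attention_fuse(f, group)[0] for u, f in feats.items()}
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for user, score in score_users(ACTIVITY).items():
        print(f"{user}: deviation score {score:.2f}")
```

Because the coarse 7-day window dilutes u3's late spike while the 1-day window exposes it, the fusion weights show which granularity carried the signal; a detection pipeline would hand that per-scale breakdown to an analyst alongside the score.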