Identifying insider threats in modern enterprise environments presents a unique cybersecurity challenge: malicious activity often appears to be legitimate user activity, so the distinction is difficult to recognize. This study presents an approach to insider threat detection that analyzes enterprise activity logs for session-level behavioural risk monitoring with behavioural biometrics. Behavioural patterns are modelled as temporal sequences across consecutive monitoring windows to capture both short-term behavioural intensity and long-term behavioural drift. The proposed system uses a hybrid deep learning architecture that combines a Long Short-Term Memory (LSTM) network and an autoencoder to model the temporal dependence of a user’s behaviour and to identify anomalies through reconstruction error analysis. The LSTM network captures the user’s sequential activity, and the autoencoder determines deviation from the user’s typical behavioural profile. The outputs of both models are aggregated using a unified behavioural risk scoring mechanism for session-level risk monitoring and ongoing insider threat assessment. Experimental results on the Insider Threat Dataset for Corporate Environments demonstrate that the proposed approach is effective in classifying normal versus malicious user behaviour. The proposed framework achieves an accuracy of 97.65%, a precision of 96.35%, a recall of 99.05%, an F1-score of 97.68%, and a ROC-AUC of 99.20% on a near-balanced benchmark split. Under realistic class imbalance conditions, the framework achieves a PR-AUC of 0.842 and an MCC of 0.781, representing the more operationally conservative performance estimate. These findings confirm that the proposed framework constitutes a viable solution for integrating behavioural modelling and anomaly detection within continuous enterprise authentication systems.
Kuldeyev et al. (Mon,) studied this question.
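Why the abstract treats the imbalanced-condition figures as the conservative estimate can be seen by re-projecting the balanced-split operating point onto lower prevalences. The following is an added illustration, not code or results from the paper; it assumes the benchmark split is exactly 50/50 and that the detector's true and false positive rates stay fixed, and the prevalence values are constructed.

```python
import math

# Figures quoted in the abstract for the near-balanced benchmark split.
PRECISION_BALANCED = 0.9635
RECALL = 0.9905
ASSUMED_SPLIT = 0.5  # assumption: "near-balanced" treated as exactly 50/50


def implied_fpr(precision, recall, prevalence):
    """Solve precision = TPR*p / (TPR*p + FPR*(1-p)) for the false positive rate."""
    p = prevalence
    return recall * p * (1 - precision) / (precision * (1 - p))


def metrics_at(prevalence, tpr, fpr):
    """Confusion-matrix metrics, as fractions of all sessions, at a given prevalence."""
    tp = tpr * prevalence
    fn = (1 - tpr) * prevalence
    fp = fpr * (1 - prevalence)
    tn = (1 - fpr) * (1 - prevalence)
    denom = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return {
        "accuracy": tp + tn,
        "precision": tp / (tp + fp),
        "mcc": (tp * tn - fp * fn) / denom,
        # Analyst workload: benign sessions flagged per malicious session caught.
        "false_alerts_per_true": fp / tp,
    }


def sweep(prevalences=(0.5, 0.1, 0.01, 0.001)):  # constructed sample prevalences
    """Project the fixed operating point onto each malicious-session prevalence."""
    fpr = implied_fpr(PRECISION_BALANCED, RECALL, ASSUMED_SPLIT)
    return {p: metrics_at(p, RECALL, fpr) for p in prevalences}


if __name__ == "__main__":
    for p, m in sweep().items():
        print(f"prevalence={p:<6} precision={m['precision']:.3f} "
              f"accuracy={m['accuracy']:.4f} mcc={m['mcc']:.3f} "
              f"false alerts per true alert={m['false_alerts_per_true']:.1f}")
```

Accuracy barely moves as malicious sessions become rarer, while precision and MCC fall and the number of benign sessions an analyst must triage per real detection grows, which is the behaviour PR-AUC and MCC are meant to expose.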