{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,3]],"date-time":"2026-02-03T21:29:31Z","timestamp":1770154171767,"version":"3.49.0"},"publisher-location":"Singapore","reference-count":49,"publisher":"Springer Nature Singapore","isbn-type":[{"value":"9789819564187","type":"print"},{"value":"9789819564194","type":"electronic"}],"license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-981-95-6419-4_7","type":"book-chapter","created":{"date-parts":[[2026,2,3]],"date-time":"2026-02-03T08:58:07Z","timestamp":1770109087000},"page":"116-132","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Real-Time Anomaly Detection for\u00a0Event-Based Insider Threat Hunting"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-3260-0857","authenticated-orcid":false,"given":"Thibault","family":"Leblanc","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0004-7361-5396","authenticated-orcid":false,"given":"Neda","family":"Baghalizadeh-Moghadam","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1124-2200","authenticated-orcid":false,"given":"Fr\u00e9d\u00e9ric","family":"Cuppens","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8792-0413","authenticated-orcid":false,"given":"Nora","family":"Boulahia-Cuppens","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,2,4]]},"reference":[{"key":"7_CR1","unstructured":"Verizon: Data breach investigations report (2024)"},{"key":"7_CR2","doi-asserted-by":"crossref","unstructured":"IBM Security: The cost of insider threat: Global report (2020)","DOI":"10.1016\/S1353-4858(20)30017-9"},{"key":"7_CR3","unstructured":"Ponemon Institute: Cost of insider risks (2023)"},{"key":"7_CR4","unstructured":"Cappelli, D., Moore, A., Trzeciak, R.: The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (2012)"},{"key":"7_CR5","unstructured":"National Institute of Standards & Technology: SP 800-94. Guide to Intrusion Detection and Prevention Systems (IDPS). Technical report (2007)"},{"key":"7_CR6","unstructured":"Doshi-Velez, F., Kim, B.: Towards a rigorous science of interpretable machine learning. arXiv preprint arXiv:1702.08608 (2017)"},{"issue":"1","key":"7_CR7","doi-asserted-by":"publisher","first-page":"30","DOI":"10.1109\/TNSM.2020.2967721","volume":"17","author":"DC Le","year":"2020","unstructured":"Le, D.C., Zincir-Heywood, N., Heywood, M.I.: Analyzing data granularity levels for insider threat detection using machine learning. IEEE Trans. Netw. Serv. Manage. 17(1), 30\u201344 (2020)","journal-title":"IEEE Trans. Netw. Serv. Manage."},{"key":"7_CR8","doi-asserted-by":"crossref","unstructured":"Artioli, P., Maci, A., Magr\u00ec, A.: A comprehensive investigation of clustering algorithms for user and entity behavior analytics. Front. Big Data 7 (2024)","DOI":"10.3389\/fdata.2024.1375818"},{"key":"7_CR9","doi-asserted-by":"crossref","unstructured":"Baghalizadeh-Moghadam, N., Neal, C., Boucetta, S.I., Boulahia-Cuppens, N., Cuppens, F.: Semantic and graph-based unsupervised learning for insider threat detection using user activity sequences. In: 2025 22th Annual International Conference on Privacy, Security and Trust (PST) (2025)","DOI":"10.1109\/PST65910.2025.11268873"},{"key":"7_CR10","doi-asserted-by":"publisher","first-page":"626","DOI":"10.1007\/s10618-014-0365-y","volume":"29","author":"L Akoglu","year":"2015","unstructured":"Akoglu, L., Tong, H., Koutra, D.: Graph based anomaly detection and description: a survey. Data Min. Knowl. Discov. 29, 626\u2013688 (2015)","journal-title":"Data Min. Knowl. Discov."},{"key":"7_CR11","doi-asserted-by":"crossref","unstructured":"Gamachchi, A., Sun, L., Boztas, S.: A graph based framework for malicious insider threat detection. arXiv preprint arXiv:1809.00141 (2018)","DOI":"10.24251\/HICSS.2017.319"},{"key":"7_CR12","doi-asserted-by":"publisher","first-page":"5817","DOI":"10.1109\/TIFS.2023.3318960","volume":"18","author":"X Hu","year":"2023","unstructured":"Hu, X., Gao, W., Cheng, G., Li, R., Zhou, Y., Wu, H.: Toward early and accurate network intrusion detection using graph embedding. Trans. Info. For. Sec. 18, 5817\u20135831 (2023)","journal-title":"Trans. Info. For. Sec."},{"key":"7_CR13","doi-asserted-by":"crossref","unstructured":"Carrera, F., Dentamaro, V., Galantucci, S., Iannacone, A., Impedovo, D., Pirlo, G.: Combining unsupervised approaches for near real-time network traffic anomaly detection. Appl. Sci. 12(3) (2022)","DOI":"10.3390\/app12031759"},{"key":"7_CR14","doi-asserted-by":"crossref","unstructured":"Gonz\u00e1lez-Granadillo, G., Gonz\u00e1lez-Zarzosa, S., Diaz, R.: Security information and event management (SIEM): analysis, trends, and usage in critical infrastructures. Sensors 21(14) (2021)","DOI":"10.3390\/s21144759"},{"key":"7_CR15","unstructured":"Olaoye, F., Potter, K.: Behavioral analytics for insider threat detection. J. Cybersecur. (2024)"},{"key":"7_CR16","doi-asserted-by":"crossref","unstructured":"Al-Mhiqani, M.N., et al.: A review of insider threat detection: classification, machine learning techniques, datasets, open challenges, and recommendations Appl. Sci. 10(15), 5208 (2020)","DOI":"10.3390\/app10155208"},{"key":"7_CR17","doi-asserted-by":"publisher","first-page":"34752","DOI":"10.1109\/ACCESS.2024.3373265","volume":"12","author":"F Whitelaw","year":"2024","unstructured":"Whitelaw, F., Riley, J., Elmrabit, N.: A review of the insider threat, a practitioner perspective within the U.K. financial services. IEEE Access 12, 34752\u201334768 (2024)","journal-title":"IEEE Access"},{"key":"7_CR18","doi-asserted-by":"crossref","unstructured":"Axelrad, E.T., Sticha, P.J., Brdiczka, O., Shen, J.: A Bayesian network model for predicting insider threats. In: 2013 IEEE Security and Privacy Workshops, pp.\u00a082\u201389. IEEE (2013)","DOI":"10.1109\/SPW.2013.35"},{"key":"7_CR19","doi-asserted-by":"crossref","unstructured":"Bertrand, S., Desharnais, J., Tawbi, N.: Unsupervised user-based insider threat detection using Bayesian Gaussian mixture models. In: 2023 20th Annual International Conference on Privacy, Security and Trust (PST), pp.\u00a01\u201310 (2023). ISSN 2643-4202","DOI":"10.1109\/PST58708.2023.10320169"},{"key":"7_CR20","unstructured":"Singh, A., Sharma, A.: A systematic literature review on insider threats. arXiv preprint arXiv:2212.05347 (2022)"},{"key":"7_CR21","series-title":"Smart Innovation, Systems and Technologies","doi-asserted-by":"publisher","first-page":"391","DOI":"10.1007\/978-981-13-9710-3_41","volume-title":"Advances in Intelligent Information Hiding and Multimedia Signal Processing","author":"Z Zhang","year":"2020","unstructured":"Zhang, Z., Wang, S., Lu, G.: An internal threat detection model based on denoising autoencoders. In: Pan, J.-S., Li, J., Tsai, P.-W., Jain, L.C. (eds.) Advances in Intelligent Information Hiding and Multimedia Signal Processing. SIST, vol. 157, pp. 391\u2013400. Springer, Singapore (2020). https:\/\/doi.org\/10.1007\/978-981-13-9710-3_41"},{"key":"7_CR22","doi-asserted-by":"publisher","first-page":"110757","DOI":"10.1016\/j.comnet.2024.110757","volume":"254","author":"Y Gong","year":"2024","unstructured":"Gong, Y., Cui, S., Liu, S., Jiang, B., Dong, C., Lu, Z.: Graph-based insider threat detection: a survey. Comput. Netw. 254, 110757 (2024)","journal-title":"Comput. Netw."},{"key":"7_CR23","doi-asserted-by":"crossref","unstructured":"Tian, T., Gong, Y., Jiang, B., Liu, J., Feng, H., Lu, Z.: Insider threat detection based on heterogeneous graph neural network. In: 2023 IEEE 22nd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp.\u00a0628\u2013635 (2023). ISSN 2324-9013","DOI":"10.1109\/TrustCom60117.2023.00096"},{"key":"7_CR24","doi-asserted-by":"crossref","unstructured":"Jiang, J., et al.: Anomaly detection with graph convolutional networks for insider threat and fraud detection. In: 2019 IEEE Military Communications Conference (MILCOM), MILCOM 2019, pp.\u00a0109\u2013114 (2019). ISSN 2155-7586","DOI":"10.1109\/MILCOM47813.2019.9020760"},{"key":"7_CR25","doi-asserted-by":"crossref","unstructured":"Park, H., Kim, K., Shin, D., Shin, D.: BGP dataset-based malicious user activity detection using machine learning. Information 14(9) (2023)","DOI":"10.3390\/info14090501"},{"key":"7_CR26","doi-asserted-by":"publisher","first-page":"114013","DOI":"10.1109\/ACCESS.2023.3324371","volume":"11","author":"ZQ Wang","year":"2023","unstructured":"Wang, Z.Q., El Saddik, A.: DTITD: an intelligent insider threat detection framework based on digital twin and self-attention based deep learning models. IEEE Access 11, 114013\u2013114030 (2023)","journal-title":"IEEE Access"},{"key":"7_CR27","doi-asserted-by":"crossref","unstructured":"Baghalizadeh-Moghadam, N., Neal, C., Cuppens, F., Cuppens-Boulahia, N.: NLP and neural networks for insider threat detection. In: 2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), December 2024 (2024)","DOI":"10.1109\/TrustCom63139.2024.00279"},{"key":"7_CR28","doi-asserted-by":"crossref","unstructured":"Bose, B., Avasarala, B., Tirthapura, S., Chung, Y.-Y., Steiner, D.: Detecting insider threats using radish: a system for real-time anomaly detection in heterogeneous data streams. IEEE Systems J., 1\u201312 (2017)","DOI":"10.1109\/JSYST.2016.2558507"},{"key":"7_CR29","doi-asserted-by":"crossref","unstructured":"Cai, X., et al.: LAN: learning adaptive neighbors for real-time insider threat detection. Trans. Info. For. Sec. 19, 10157\u201310172 (2024)","DOI":"10.1109\/TIFS.2024.3488527"},{"key":"7_CR30","doi-asserted-by":"crossref","unstructured":"Qawasmeh, S.A.-D., AlQahtani, A.A.S.: Beyond firewall: leveraging machine learning for real-time insider threats identification and user profiling. Fut. Internet 17(2) (2025)","DOI":"10.3390\/fi17020093"},{"key":"7_CR31","doi-asserted-by":"crossref","unstructured":"Glasser, J., Lindauer, B.: Bridging the gap: a pragmatic approach to generating insider threat data. In: 2013 IEEE Security and Privacy Workshops, pp.\u00a098\u2013104 (2013)","DOI":"10.1109\/SPW.2013.37"},{"key":"7_CR32","doi-asserted-by":"publisher","first-page":"33","DOI":"10.1016\/S0020-0190(00)00122-8","volume":"76","author":"M Schonlau","year":"2000","unstructured":"Schonlau, M., Theus, M.: Detecting masquerades in intrusion detection based on unpopular commands. Inf. Process. Lett. 76, 33\u201338 (2000)","journal-title":"Inf. Process. Lett."},{"key":"7_CR33","series-title":"Lecture Notes in Computer Science","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1007\/978-3-642-23644-0_10","volume-title":"Recent Advances in Intrusion Detection","author":"MB Salem","year":"2011","unstructured":"Salem, M.B., Stolfo, S.J.: Modeling user search behavior for Masquerade detection. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 181\u2013200. Springer, Heidelberg (2011). https:\/\/doi.org\/10.1007\/978-3-642-23644-0_10"},{"key":"7_CR34","first-page":"03","volume":"9","author":"A Harilal","year":"2018","unstructured":"Harilal, A., et al.: The Wolf of SUTD (TWOS): a dataset of malicious insider threat behavior based on a gamified competition. J. Wirel. Mob. Netw. 9, 03 (2018)","journal-title":"J. Wirel. Mob. Netw."},{"issue":"8","key":"7_CR35","doi-asserted-by":"publisher","first-page":"4988","DOI":"10.3390\/app13084988","volume":"13","author":"H Yhdego","year":"2023","unstructured":"Yhdego, H., Paolini, C., Audette, M.: Toward real-time, robust wearable sensor fall detection using deep learning methods: a feasibility study. Appl. Sci. 13(8), 4988 (2023)","journal-title":"Appl. Sci."},{"key":"7_CR36","doi-asserted-by":"publisher","first-page":"07","DOI":"10.1007\/s10462-024-10851-x","volume":"57","author":"Z Zhan","year":"2024","unstructured":"Zhan, Z., Kim, S.-K.: Versatile time-window sliding machine learning techniques for stock market forecasting. Artif. Intell. Rev. 57, 07 (2024)","journal-title":"Artif. Intell. Rev."},{"key":"7_CR37","unstructured":"Tuor, A., Kaplan, S., Hutchinson, B., Nichols, N., Robinson, S.: Deep learning for unsupervised insider threat detection in structured cybersecurity data streams. In: Proceedings of the AAAI Workshop on Artificial Intelligence for Cyber Security (2017)"},{"key":"7_CR38","doi-asserted-by":"crossref","first-page":"123695","DOI":"10.1109\/ACCESS.2023.3247948","volume":"11","author":"M Alshehri","year":"2023","unstructured":"Alshehri, M., Lalitha, V.S.: NLP and neural networks for insider threat detection. IEEE Access 11, 123695\u2013123706 (2023)","journal-title":"IEEE Access"},{"key":"7_CR39","unstructured":"Malhotra, P., Vig, L., Shroff, G., Agarwal, P.: Long short term memory networks for anomaly detection in time series. In: European Symposium on Artificial Neural Networks (ESANN) (2016)"},{"key":"7_CR40","doi-asserted-by":"crossref","unstructured":"Hundman, K., Constantinou, V., Laporte, C., Colwell, I., Soderstrom, T.: Detecting spacecraft anomalies using LSTMs and nonparametric dynamic thresholding. In: Proceedings of the 24th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp.\u00a0387\u2013395 (2018)","DOI":"10.1145\/3219819.3219845"},{"key":"7_CR41","unstructured":"Hamilton, W.L., Ying, R., Leskovec, J.: Inductive representation learning on large graphs. In: Advances in Neural Information Processing Systems, pp.\u00a01024\u20131034 (2017)"},{"key":"7_CR42","unstructured":"Rossi, E., Chamberlain, B.P., Frasca, F., Eynard, D., Monti, F., Bronstein, M.: Temporal graph networks for deep learning on dynamic graphs. arXiv preprint arXiv:2006.10637 (2020)"},{"key":"7_CR43","unstructured":"Fey, M., Lenssen, J.E.: Fast graph representation learning with PyTorch geometric. arXiv preprint arXiv:1903.02428 (2019)"},{"key":"7_CR44","doi-asserted-by":"crossref","unstructured":"Liu, F.T., Ting, K.M., Zhou, Z.-H.: Isolation forest. In: 2008 Eighth IEEE International Conference on Data Mining, pp.\u00a0413\u2013422 (2008)","DOI":"10.1109\/ICDM.2008.17"},{"key":"7_CR45","first-page":"1","volume":"69","author":"SM Kazemi","year":"2020","unstructured":"Kazemi, S.M., et al.: Representation learning for dynamic graphs: a survey. J. Artif. Intell. Res. 69, 1\u201334 (2020)","journal-title":"J. Artif. Intell. Res."},{"key":"7_CR46","unstructured":"Devlin, J., Chang, M.-W., Lee, K., Toutanova, K.: BERT: pre-training of deep bidirectional transformers for language understanding. In: NAACL-HLT (2019)"},{"issue":"4","key":"7_CR47","first-page":"1","volume":"39","author":"FS Li","year":"2021","unstructured":"Li, F.S., Cheng, J., Lin, W., Ou, W., Jiang, Y.: BERT4Rec: sequential recommendation with bidirectional encoder representations from transformer. ACM Trans. Inf. Syst. (TOIS) 39(4), 1\u201336 (2021)","journal-title":"ACM Trans. Inf. Syst. (TOIS)"},{"key":"7_CR48","doi-asserted-by":"publisher","unstructured":"Bishop, C.M. (ed.): Mixture models and EM. In: Pattern Recognition and Machine Learning. ISS, pp. 423\u2013459. Springer, New York (2006). https:\/\/doi.org\/10.1007\/978-0-387-45528-0_9","DOI":"10.1007\/978-0-387-45528-0_9"},{"key":"7_CR49","unstructured":"Zhang, S. Zhang, Z., Ren, P., Ma, J.: Unsupervised anomaly detection via BERT contextual embeddings and isolation-based filtering. IEEE Trans. Depend. Secure Comput. (2022)"}],"container-title":["Lecture Notes in Computer Science","Network and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-981-95-6419-4_7","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,3]],"date-time":"2026-02-03T08:58:12Z","timestamp":1770109092000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-981-95-6419-4_7"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"ISBN":["9789819564187","9789819564194"],"references-count":49,"URL":"https:\/\/doi.org\/10.1007\/978-981-95-6419-4_7","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026]]},"assertion":[{"value":"4 February 2026","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"NSS","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Network and System Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Wuhan","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"China","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"5 December 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"7 December 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"19","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"nss2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/nsclab.org\/nss-socialsec2025\/","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}