{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T16:04:08Z","timestamp":1774454648118,"version":"3.50.1"},"reference-count":23,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2025,3,9]],"date-time":"2025-03-09T00:00:00Z","timestamp":1741478400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,3,9]],"date-time":"2025-03-09T00:00:00Z","timestamp":1741478400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Insider threats pose significant challenges to network security due to their destructive and covert nature, often resulting in substantial losses for enterprises. Traditional methods mainly analyze user behavior patterns or convert behaviors into time sequences for further analysis. However, existing detection methods primarily focus on identifying abnormal users or behaviors, lacking the capability to pinpoint specific threats. Additionally, these methods struggle to accurately identify long-distance dependencies in behavior sequences, frequently increasing false positives. To address these issues, we introduce a scenario-oriented insider threat detection model. This model targets three specific threat scenarios (privilege abuse, identity theft, and data leakage) by analyzing user behavior patterns, extracting detailed behavioral characteristics, and constructing behavior sequences. First, this paper serializes user behavior daily and vectorizes it using one-hot encoding. 
Then, it introduces contextual characteristic information and reconstructs the background of abnormal behavior through behavior vectorization, providing a comprehensive description of user behavior characteristics. This approach addresses the issue of behavior isolation, thereby improving the accuracy and robustness of anomaly detection. Subsequently, a time series analysis model based on a multi-head attention mechanism is employed to analyze long-distance dependencies in behavior sequences. The multi-head attention mechanism simultaneously attends to multiple positions in the behavior sequence, capturing potential correlations between behaviors and user behavior patterns. This mechanism can analyze local information and obtain long-distance dependencies, providing a deep feature representation for anomaly detection. Ultimately, we achieve the goal of classifying abnormal behavior sequences. We conduct comprehensive tests on the CERT dataset, demonstrating that our method outperforms traditional deep learning approaches (LSTM, GNN, and GCN) in detecting abnormal sequences. 
Compared to the best results among the baseline methods, it shows an improvement in accuracy of approximately 2% for privilege abuse, 5% for identity theft, and 2% for data leakage.<\/jats:p>","DOI":"10.1186\/s42400-024-00321-w","type":"journal-article","created":{"date-parts":[[2025,3,9]],"date-time":"2025-03-09T03:01:41Z","timestamp":1741489301000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":11,"title":["Insider threat detection for specific threat scenarios"],"prefix":"10.1186","volume":"8","author":[{"ORCID":"https:\/\/orcid.org\/0009-0003-8903-0491","authenticated-orcid":false,"given":"Tian","family":"Tian","sequence":"first","affiliation":[]},{"given":"Chen","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Bo","family":"Jiang","sequence":"additional","affiliation":[]},{"given":"Huamin","family":"Feng","sequence":"additional","affiliation":[]},{"given":"Zhigang","family":"Lu","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,3,9]]},"reference":[{"key":"321_CR1","doi-asserted-by":"crossref","unstructured":"Cao C, Chen Z, Caverlee J, Tang L-A, Luo C, Li Z (2018) Behavior-based community detection: application to host assessment in enterprise information networks. In: Proceedings of the 27th ACM international conference on information and knowledge management, pp. 1977\u20131985","DOI":"10.1145\/3269206.3272022"},{"key":"321_CR2","unstructured":"CERT: CERT dataset. https:\/\/www.sei.cmu.edu\/our-work\/insider-threat\/"},{"key":"321_CR3","doi-asserted-by":"publisher","unstructured":"Dixit N, Gupta R, Yadav P (2023) Insider threat classification using KNN machine-learning technique. In: 2023 IEEE international conference on contemporary computing and communications (InC4), vol. 1, pp. 1\u20135. 
https:\/\/doi.org\/10.1109\/InC457730.2023.10263010","DOI":"10.1109\/InC457730.2023.10263010"},{"key":"321_CR4","unstructured":"GURUCUL: 2023 insider threat report, 1\u20132023 (2023)"},{"key":"321_CR5","doi-asserted-by":"publisher","first-page":"84","DOI":"10.1016\/j.isatra.2023.06.030","volume":"141","author":"W Hong","year":"2023","unstructured":"Hong W, Yin J, You M, Wang H, Cao J, Li J, Liu M, Man C (2023) A graph empowered insider threat detection framework based on daily activities. ISA Trans 141:84\u201392. https:\/\/doi.org\/10.1016\/j.isatra.2023.06.030","journal-title":"ISA Trans"},{"issue":"1","key":"321_CR6","first-page":"118","volume":"95","author":"M Iansiti","year":"2017","unstructured":"Iansiti M, Lakhani KR et al (2017) The truth about blockchain. Harvard Bus Rev 95(1):118\u2013127","journal-title":"Harvard Bus Rev"},{"key":"321_CR7","doi-asserted-by":"publisher","unstructured":"Ikany J, Jazri H (2019) A symptomatic framework to predict the risk of insider threats. In: 2019 international conference on advances in big data, computing and data communication systems (icABCD), pp. 1\u20135 . https:\/\/doi.org\/10.1109\/ICABCD.2019.8851020","DOI":"10.1109\/ICABCD.2019.8851020"},{"key":"321_CR8","unstructured":"Le DC, Nur\u00a0Zincir-Heywood A (2019) Machine learning based insider threat modelling and detection. In: 2019 IFIP\/IEEE symposium on integrated network and service management (IM), pp. 1\u20136"},{"key":"321_CR9","doi-asserted-by":"publisher","first-page":"1638","DOI":"10.1109\/TIFS.2023.3245413","volume":"18","author":"X Li","year":"2023","unstructured":"Li X, Li X, Jia J, Li L, Yuan J, Gao Y, Yu S (2023) A high accuracy and adaptive anomaly detection model with dual-domain graph convolutional network for insider threat detection. IEEE Trans Inf Forensics Secur 18:1638\u20131652. 
https:\/\/doi.org\/10.1109\/TIFS.2023.3245413","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"321_CR10","doi-asserted-by":"publisher","unstructured":"Li Y, Su Y (2023) The insider threat detection method of university website clusters based on machine learning. In: 2023 6th international conference on artificial intelligence and big data (ICAIBD), pp. 560\u2013565. https:\/\/doi.org\/10.1109\/ICAIBD57115.2023.10206282","DOI":"10.1109\/ICAIBD57115.2023.10206282"},{"key":"321_CR11","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1155\/2018\/5906368","volume":"2018","author":"O Lo","year":"2018","unstructured":"Lo O, Buchanan WJ, Griffiths P, Macfarlane R (2018) Distance measurement methods for improved insider threat detection. Secur Commun Netw 2018:1\u201318","journal-title":"Secur Commun Netw"},{"key":"321_CR12","doi-asserted-by":"publisher","unstructured":"Ma Q, Rastogi N (2020) Dante: predicting insider threat using LSTM on system logs. In: 2020 IEEE 19th international conference on trust, security and privacy in computing and communications (TrustCom), pp. 1151\u20131156 . https:\/\/doi.org\/10.1109\/TrustCom50675.2020.00153","DOI":"10.1109\/TrustCom50675.2020.00153"},{"key":"321_CR13","doi-asserted-by":"publisher","unstructured":"Mittal A, Garg U (2023) Design and analysis of insider threat detection and prediction system using machine learning techniques. In: 2023 fifth international conference on electrical, computer and communication technologies (ICECCT), pp. 1\u20138. https:\/\/doi.org\/10.1109\/ICECCT56650.2023.10179686","DOI":"10.1109\/ICECCT56650.2023.10179686"},{"key":"321_CR14","doi-asserted-by":"publisher","unstructured":"Moore AP, Cassidy TM, Theis MC, Bauer D, Rousseau DM, Moore SB (2018) Balancing organizational incentives to counter insider threat. In: 2018 ieee security and privacy workshops (SPW), pp. 237\u2013246. 
https:\/\/doi.org\/10.1109\/SPW.2018.00039","DOI":"10.1109\/SPW.2018.00039"},{"issue":"2","key":"321_CR15","first-page":"73","volume":"8","author":"M Payri","year":"2013","unstructured":"Payri M, Cohn M, Shaw IR (2013) How often is employee anger an insider risk II detecting and measuring negative sentiment versus insider risk in digital communications comparison between human raters and psycholinguistic software. J Dig Forensics Secur Law JDFSL 8(2):73","journal-title":"J Dig Forensics Secur Law JDFSL"},{"key":"321_CR16","unstructured":"Ponemon (2023) 2023 cost of insider risk global report, 360\u2013202301"},{"key":"321_CR17","doi-asserted-by":"publisher","unstructured":"Rauf U, Wei Z, Mohsen F (2023) Employee watcher: a machine learning-based hybrid insider threat detection framework. In: 2023 7th cyber security in networking conference (CSNet), pp. 39\u201345 . https:\/\/doi.org\/10.1109\/CSNet59123.2023.10339777","DOI":"10.1109\/CSNet59123.2023.10339777"},{"key":"321_CR18","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2024.3353929","author":"KC Roy","year":"2024","unstructured":"Roy KC, Chen G (2024) Graphch: a deep framework for assessing cyber-human aspects in insider threat detection. IEEE Trans Dependable Secur Comput. https:\/\/doi.org\/10.1109\/TDSC.2024.3353929","journal-title":"IEEE Trans Dependable Secur Comput"},{"key":"321_CR19","doi-asserted-by":"publisher","unstructured":"Sharma B, Pokharel P, Joshi B (2020) User behavior analytics for anomaly detection using lstm autoencoder - insider threat detection. In: Proceedings of the 11th international conference on advances in information technology. IAIT \u201920. Association for Computing Machinery. https:\/\/doi.org\/10.1145\/3406601.3406610","DOI":"10.1145\/3406601.3406610"},{"key":"321_CR20","unstructured":"Vaswani A, Shazeer N, Parmar N, Uszkoreit J, Jones L, Gomez AN, Kaiser \u0141, Polosukhin I (2017) Attention is all you need. 
In: Advances in neural information processing systems, 30"},{"issue":"1","key":"321_CR21","doi-asserted-by":"publisher","first-page":"451","DOI":"10.1109\/TDSC.2021.3135639","volume":"20","author":"M Villarreal-Vasquez","year":"2023","unstructured":"Villarreal-Vasquez M, Modelo-Howard G, Dube S, Bhargava B (2023) Hunting for insider threats using LSTM-based anomaly detection. IEEE Trans Dependable Secur Comput 20(1):451\u2013462. https:\/\/doi.org\/10.1109\/TDSC.2021.3135639","journal-title":"IEEE Trans Dependable Secur Comput"},{"key":"321_CR22","doi-asserted-by":"publisher","first-page":"114013","DOI":"10.1109\/ACCESS.2023.3324371","volume":"11","author":"ZQ Wang","year":"2023","unstructured":"Wang ZQ, El Saddik A (2023) Dtitd: an intelligent insider threat detection framework based on digital twin and self-attention based deep learning models. IEEE Access 11:114013\u2013114030. https:\/\/doi.org\/10.1109\/ACCESS.2023.3324371","journal-title":"IEEE Access"},{"key":"321_CR23","doi-asserted-by":"publisher","unstructured":"Zhu D, Huang X, Li N, Sun H, Liu M, Liu J (2022) Rap-net: a resource access pattern network for insider threat detection. In: 2022 international joint conference on neural networks (IJCNN), pp. 1\u20138. 
https:\/\/doi.org\/10.1109\/IJCNN55064.2022.9892183","DOI":"10.1109\/IJCNN55064.2022.9892183"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00321-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-024-00321-w\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00321-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,3,9]],"date-time":"2025-03-09T03:01:48Z","timestamp":1741489308000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-024-00321-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,3,9]]},"references-count":23,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2025,12]]}},"alternative-id":["321"],"URL":"https:\/\/doi.org\/10.1186\/s42400-024-00321-w","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,3,9]]},"assertion":[{"value":"1 May 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"25 August 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"9 March 2025","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"We declare that we have no financial, personal, or professional interests that could be construed to have influenced the work presented in this 
manuscript. No competing interests exist, and the research was conducted in the absence of any commercial or financial relationships that could be viewed as a potential conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interest"}}],"article-number":"17"}}