{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T08:11:17Z","timestamp":1773216677863,"version":"3.50.1"},"reference-count":37,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,2,9]],"date-time":"2026-02-09T00:00:00Z","timestamp":1770595200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,2,9]],"date-time":"2026-02-09T00:00:00Z","timestamp":1770595200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100017700","name":"Henan Provincial Science and Technology Research Project","doi-asserted-by":"publisher","award":["No. 252102211040"],"award-info":[{"award-number":["No. 252102211040"]}],"id":[{"id":"10.13039\/501100017700","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>In recent years, insider threat incidents have occurred with increasing frequency, leading to severe data breaches and substantial economic losses. Most existing insider threat detection methods rely primarily on single-modal features, such as system logs and registry data, while failing to fully exploit the rich semantic information embedded in instant messaging and email content of insider users. To address the above issues, we propose FusionITD, a cross-modal insider threat perception enhancement framework based on the fusion of behavioral and semantic features. This framework combines users\u2019 temporal behavioral characteristics such as file operations and login device patterns with the semantic information derived from web browsing and email content. 
By modeling user behavior baselines from multiple dimensions, FusionITD enables more accurate anomaly detection when deviations from the baseline occur. First, based on the temporal distribution of user behaviors, the behavior data is segmented and aggregated by time window to form a user behavior graph. We propose WR-GNN, based on graph representation learning, to capture temporal behavioral features, and introduce the Focal MSE loss function to address the data imbalance problem caused by sparse abnormal behavior data. Second, we propose a retrieval-augmented generation-based semantic analysis algorithm. We use cosine similarity to perform semantic matching and ranking between behavioral contents and historical behaviors. We extract features such as emotion, intention, and focus to achieve fine-grained anomaly detection for user behavior. Finally, we design an adaptive weighting mechanism based on logistic regression to dynamically integrate the outputs of the previous two parts, enhancing the generalization ability for different threat scenarios. 
Experimental results conducted on the CERT datasets show that FusionITD outperforms other methods by achieving a 5% increase in AUC, a higher TPR, and a lower false positive rate.<\/jats:p>","DOI":"10.1186\/s42400-026-00555-w","type":"journal-article","created":{"date-parts":[[2026,2,9]],"date-time":"2026-02-09T18:24:53Z","timestamp":1770661493000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["FusionITD: enhanced cross-modal insider threat perception framework via behavior-semantic fusion"],"prefix":"10.1186","volume":"9","author":[{"given":"Lu","family":"Yuan","sequence":"first","affiliation":[]},{"given":"Dexian","family":"Chang","sequence":"additional","affiliation":[]},{"given":"Hao","family":"Hu","sequence":"additional","affiliation":[]},{"given":"Yingchang","family":"Jiang","sequence":"additional","affiliation":[]},{"given":"Heyu","family":"Chang","sequence":"additional","affiliation":[]},{"given":"Liguo","family":"Fang","sequence":"additional","affiliation":[]},{"given":"Yuling","family":"Liu","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,2,9]]},"reference":[{"issue":"12","key":"555_CR1","doi-asserted-by":"publisher","DOI":"10.3390\/app13126986","volume":"13","author":"M Alhamed","year":"2023","unstructured":"Alhamed M, Rahman MMH (2023) A systematic literature review on penetration testing in networks: future research directions. Appl Sci 13(12):6986","journal-title":"Appl Sci"},{"key":"555_CR2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2024.3488527","author":"X Cai","year":"2024","unstructured":"Cai X,\u00a0Wang Y, Xu S, Li H, Zhang Y, Liu Z, Yuan X\u00a0(2024) Lan: Learning adaptive neighbors for real-time insider threat detection. IEEE Trans Inf Forensics Secur. 
https:\/\/doi.org\/10.1109\/TIFS.2024.3488527","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"555_CR3","doi-asserted-by":"crossref","unstructured":"Chen Q, Zhao H, Li W, Huang P, Ou W (2019) Behavior sequence transformer for e-commerce recommendation in Alibaba. In: Proceedings of the 1st international workshop on deep learning practice for highdimensional sparse data, pp 1\u20134","DOI":"10.1145\/3326937.3341261"},{"key":"555_CR4","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103410","volume":"133","author":"N d\u2019Ambrosio","year":"2023","unstructured":"d\u2019Ambrosio N, Perrone G, Romano SP (2023) Including insider threats into risk management through Bayesian threat graph networks. Comput Secur 133:103410","journal-title":"Comput Secur"},{"key":"555_CR5","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.104126","volume":"148","author":"K Fei","year":"2025","unstructured":"Fei K et al (2025) LaAeb: a comprehensive log-text analysis based approach for insider threat detection. Comput Secur 148:104126","journal-title":"Comput Secur"},{"key":"555_CR6","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2024.123533","volume":"249","author":"RG Gayathri","year":"2024","unstructured":"Gayathri RG, Sajjanhar A, Xiang Y (2024) Hybrid deep learning model using SPCAGAN augmentation for insider threat analysis. Expert Syst Appl 249:123533","journal-title":"Expert Syst Appl"},{"key":"555_CR7","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.103944","volume":"144","author":"L Goncalves","year":"2024","unstructured":"Goncalves L, Zanchettin C (2024) Detecting abnormal logins by discovering anomalous links via graph transformers. Comput Secur 144:103944","journal-title":"Comput Secur"},{"key":"555_CR8","doi-asserted-by":"crossref","unstructured":"Greitzer FL, Kangas LJ, Noonan CF, Dalton AC (2010) Identifying at-risk employees: a behavioral model for predicting potential insider threats. No. PNNL-19665. 
Pacific Northwest National Lab.(PNNL), Richland, WA (United States)","DOI":"10.2172\/1000159"},{"issue":"1","key":"555_CR9","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-025-00503-0","volume":"8","author":"Y Jiang","year":"2025","unstructured":"Jiang Y, Hu H, Li Y et al (2025) A zero-shot self-improving NER method for cyber threat intelligence via knowledge injection. Cybersecurity 8(1):116","journal-title":"Cybersecurity"},{"issue":"1","key":"555_CR10","doi-asserted-by":"publisher","first-page":"30","DOI":"10.1109\/TNSM.2020.2967721","volume":"17","author":"DC Le","year":"2020","unstructured":"Le DC, Zincir-Heywood N, Heywood MI (2020) Analyzing data granularity levels for insider threat detection using machine learning. IEEE Trans Netw Serv Manag 17(1):30\u201344","journal-title":"IEEE Trans Netw Serv Manag"},{"issue":"2","key":"555_CR11","doi-asserted-by":"publisher","first-page":"503","DOI":"10.1109\/JSYST.2015.2438442","volume":"11","author":"PA Legg","year":"2015","unstructured":"Legg PA,\u00a0Buckley O, Goldsmith M, Creese S (2015) Automated insider threat detection system using user and role-based profile assessment. IEEE Syst J 11(2):503\u2013512","journal-title":"IEEE Syst J"},{"key":"555_CR12","doi-asserted-by":"publisher","first-page":"1638","DOI":"10.1109\/TIFS.2023.3245413","volume":"18","author":"X Li","year":"2023","unstructured":"Li X,\u00a0Li X, Jia J, Li L, Yuan J, Gao Y, Yu S (2023) A high accuracy and adaptive anomaly detection model with dual-domain graph convolutional network for insider threat detection. IEEE Trans Inf Forensics Secur 18:1638\u20131652","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"555_CR13","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2024.3430106","author":"X Li","year":"2024","unstructured":"Li X, Li L, Li X, Cai B, Jia J, Gao Y, Yu S (2024) GMFITD: graph meta-learning for effective few-shot insider threat detection. IEEE Trans Inf Forensics Secur. 
https:\/\/doi.org\/10.1109\/TIFS.2024.3430106","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"555_CR14","unstructured":"Li C, Zhu Z, He J, Zhang X (2025) RedChronos: A large language model-based log analysis system for insider threat detection in enterprises. arXiv preprint arXiv:2503.02702"},{"key":"555_CR15","doi-asserted-by":"publisher","DOI":"10.1184\/R1\/12841247.v1","volume-title":"Insider threat test dataset","author":"B Lindauer","year":"2020","unstructured":"Lindauer B (2020) Insider threat test dataset. Carnegie Mellon University, Dataset. https:\/\/doi.org\/10.1184\/R1\/12841247.v1"},{"key":"555_CR16","doi-asserted-by":"publisher","DOI":"10.1002\/widm.1253","author":"B Liu","year":"2018","unstructured":"Liu B, Zhang L, Wang S (2018) Deep learning for sentiment analysis: a survey. Wires Data Min Knowl Discov. https:\/\/doi.org\/10.1002\/widm.1253","journal-title":"Wires Data Min Knowl Discov"},{"key":"555_CR17","doi-asserted-by":"crossref","unstructured":"Liu F, Wen Y, Zhang D, Jiang X, Xing X, Meng D (2019) Log2vec: a heterogeneous graph embedding based approach for detecting cyber threats within enterprise. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security","DOI":"10.1145\/3319535.3363224"},{"key":"555_CR18","doi-asserted-by":"crossref","unstructured":"Liu Y, Tao S, Meng W, Yao F, Zhao X, Yang H (2024) Logprompt: prompt engineering towards zero-shot and interpretable log analysis. In: Proceedings of the 2024 IEEE\/ACM 46th international conference on software engineering: companion proceedings","DOI":"10.1145\/3639478.3643108"},{"key":"555_CR19","doi-asserted-by":"crossref","unstructured":"Ma Q, Nidhi R (2020) DANTE: predicting insider threat using LSTM on system logs. 
In: 2020 IEEE 19th international conference on trust, security and privacy in computing and communications (TrustCom), IEEE","DOI":"10.1109\/TrustCom50675.2020.00153"},{"key":"555_CR20","doi-asserted-by":"crossref","unstructured":"Ma H, Ghojogh B, Samad MN, Zheng D, Crowley M (2020) Isolation Mondrian forest for batch and online anomaly detection. 2020 IEEE international conference on systems, man, and cybernetics (SMC). IEEE","DOI":"10.1109\/SMC42975.2020.9283073"},{"key":"555_CR21","unstructured":"Mao A, Mehryar M, Yutao Z (2023) Cross-entropy loss functions: theoretical analysis and applications. In: International conference on machine learning, pmlr"},{"key":"555_CR22","doi-asserted-by":"crossref","unstructured":"Milajerdi SM, Gjomemo R, Eshete B, Sekar R, Venkatakrishnan VN (2019) Holmes: real-time apt detection through correlation of suspicious information flows. In: 2019 IEEE symposium on security and privacy (SP). IEEE","DOI":"10.1109\/SP.2019.00026"},{"key":"555_CR23","doi-asserted-by":"crossref","unstructured":"Min D, Feifei L, Guineng Z, Vivek S (2017) DeepLog: anomaly detection and diagnosis from system logs through deep learning. In: Proceedings of the 2017 ACM SIGSAC conference on computer and communications security (CCS\u201917), ACM, New York, NY, USA, pp 1285\u20131298","DOI":"10.1145\/3133956.3134015"},{"issue":"3","key":"555_CR24","doi-asserted-by":"publisher","first-page":"436","DOI":"10.1111\/j.1467-8640.2012.00460.x","volume":"29","author":"SM Mohammad","year":"2013","unstructured":"Mohammad SM, Turney PD (2013) Crowdsourcing a word\u2013emotion association lexicon. Comput Intell 29(3):436\u2013465","journal-title":"Comput Intell"},{"key":"555_CR25","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2025.111748","author":"Y Peng","year":"2025","unstructured":"Peng Y et al (2025) LLM4Game: multi-agent reinforcement learning with knowledge injection for dynamic defense resource allocation in cloud storage. Comput Netw. 
https:\/\/doi.org\/10.1016\/j.comnet.2025.111748","journal-title":"Comput Netw"},{"key":"555_CR26","unstructured":"Ponemon Institute (2025). 2025 Ponemon insider threat report. Dtex systems"},{"issue":"5","key":"555_CR27","doi-asserted-by":"publisher","first-page":"4495","DOI":"10.1109\/TDSC.2024.3353929","volume":"21","author":"KC Roy","year":"2024","unstructured":"Roy KC, Chen G (2024) GraphCH: a deep framework for assessing cyber-human aspects in insider threat detection. IEEE Trans Depend Secure Comput 21(5):4495\u20134509","journal-title":"IEEE Trans Depend Secure Comput"},{"key":"555_CR28","doi-asserted-by":"crossref","unstructured":"Ruohonen J, Mubashrah S (2025) What do we know about the psychology of insider threats?. International conference on digital forensics and cyber crime, Springer, Cham","DOI":"10.1007\/978-3-031-89363-6_11"},{"key":"555_CR29","doi-asserted-by":"publisher","first-page":"351","DOI":"10.1016\/j.eswa.2019.05.043","volume":"135","author":"C Soh","year":"2019","unstructured":"Soh C, Yu S, Narayanan A, Duraisamy S, Chen L (2019) Employee profiling via aspect-based sentiment and network for insider threats detection. Expert Syst Appl 135:351\u2013361","journal-title":"Expert Syst Appl"},{"key":"555_CR30","unstructured":"Song S, Zhang Y, Gao N (2025) Confront insider threat: precise anomaly detection in behavior logs based on LLM fine-tuning. Proceedings of the 31st international conference on computational linguistics"},{"key":"555_CR31","unstructured":"Song C, Ma L, Zheng J, Liao J, Kuang H, Yang L (2024) Audit-llm: multi-agent collaboration for log-based insider threat detection. arXiv preprint arXiv:2408.08902"},{"issue":"1","key":"555_CR32","doi-asserted-by":"publisher","DOI":"10.1186\/s42400-024-00321-w","volume":"8","author":"T Tian","year":"2025","unstructured":"Tian T,\u00a0Zhang C, Jiang B, Feng H, Lu Z (2025) Insider threat detection for specific threat scenarios. 
Cybersecurity 8(1):17","journal-title":"Cybersecurity"},{"issue":"3","key":"555_CR33","doi-asserted-by":"publisher","first-page":"3717","DOI":"10.1109\/TNSM.2022.3222635","volume":"20","author":"J Xiao","year":"2022","unstructured":"Xiao J,\u00a0Yang L, Zhong F, Wang X, Chen H, Li D\u00a0(2022) Robust anomaly-based insider threat detection using graph neural network. IEEE Trans Netw Service Manag 20(3):3717\u20133733","journal-title":"IEEE Trans Netw Service Manag"},{"issue":"2","key":"555_CR34","doi-asserted-by":"publisher","first-page":"774","DOI":"10.1109\/TNSE.2024.3519155","volume":"12","author":"J Xiao","year":"2024","unstructured":"Xiao F, Chen S, Chen S, Ma Y, He H, Yang J (2024) SENTINEL: insider threat detection based on multi-timescale user behavior interaction graph learning. IEEE Trans Netw Sci Eng 12(2):774\u2013790","journal-title":"IEEE Trans Netw Sci Eng"},{"key":"555_CR35","doi-asserted-by":"crossref","unstructured":"Yun S, Enrico M, Pierre AV, Gianluca S (2018) Tiresias: predicting security events through deep learning. In: Proceedings of the 2018 ACM SIGSAC conference on computer and communications security (CCS\u201918), ACM, New York, NY, USA, 592\u2013605","DOI":"10.1145\/3243734.3243811"},{"key":"555_CR36","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2025.114064","volume":"326","author":"Z Zhang","year":"2025","unstructured":"Zhang Z,\u00a0Li S, Zhang L, Ye J, Hu C, Yan L (2025) LLM-LADE: Large language model-based log anomaly detection with explanation. Knowl Based Syst 326:114064","journal-title":"Knowl Based Syst"},{"issue":"9","key":"555_CR37","doi-asserted-by":"publisher","first-page":"10954","DOI":"10.1109\/TII.2024.3393491","volume":"20","author":"X Zhu","year":"2024","unstructured":"Zhu X, Dong J, Qi J, Zhou Z, Dong Z, Sun Y, Wang M (2024) AUTH: an adversarial autoencoder based unsupervised insider threat detection scheme for multisource logs. 
IEEE Trans Ind Inform 20(9):10954\u201310965","journal-title":"IEEE Trans Ind Inform"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-026-00555-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-026-00555-w","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-026-00555-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,3,10]],"date-time":"2026-03-10T10:26:34Z","timestamp":1773138394000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1186\/s42400-026-00555-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,9]]},"references-count":37,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,12]]}},"alternative-id":["555"],"URL":"https:\/\/doi.org\/10.1186\/s42400-026-00555-w","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,9]]},"assertion":[{"value":"4 November 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"26 January 2026","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"9 February 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"5 March 2026","order":5,"name":"change_date","label":"Change Date","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"Update","order":6,"name":"change_type","label":"Change Type","group":{"name":"ArticleHistory","label":"Article 
History"}},{"value":"Supplementary information was inadvertently included in the original version of this article and has been removed.","order":7,"name":"change_details","label":"Change Details","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"Not applicable. This article does not contain any studies involving human participants.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethics approval and consent to participate"}},{"value":"The authors have no relevant financial or non-financial interests to disclose.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"119"}}