Generative Agent-Based Modeling with Large Language Models for insider threat detection
Antonino Ferraro, Gian Marco Orlando, Diego Russo
Engineering Applications of Artificial Intelligence, vol. 157, Article 111343, published 2025-06-19
DOI: 10.1016/j.engappai.2025.111343
Citations: 0
Abstract
Insider threats pose a critical challenge in cybersecurity, as individuals within organizations misuse legitimate access to compromise sensitive systems and data. Traditional detection methods often struggle with the complexity of such threats, while Deep Learning (DL) approaches face issues like overfitting and lack of interpretability. To address these limitations, we propose a Generative Agent-Based Modeling (GABM) framework that integrates Large Language Models (LLMs) with a hierarchical multi-agent system.
Our framework employs Specialized Agents to process categorized log files and generate detailed reports, which are synthesized by a Supervisor Agent for final activity classification. We validated this approach on both network-centric (PicoDomain) and behavior-rich (CERT r5.2) datasets, demonstrating its ability to handle diverse logs, model complex threats, and generalize across insider risk scenarios.
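The hierarchical pipeline described above can be sketched in a few lines of Python. This is a minimal illustration, not the authors' implementation: the class names, the keyword heuristic standing in for the LLM-backed agents, and the sample log lines are all hypothetical.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Report:
    category: str
    summary: str
    suspicious: bool


class SpecializedAgent:
    """Analyzes one category of log lines and emits a report.
    (Stand-in for an LLM-backed agent; here a simple keyword heuristic.)"""

    def __init__(self, category: str, indicators: List[str]):
        self.category = category
        self.indicators = indicators

    def analyze(self, log_lines: List[str]) -> Report:
        hits = [line for line in log_lines
                if any(k in line.lower() for k in self.indicators)]
        return Report(self.category,
                      f"{len(hits)} suspicious events in {len(log_lines)} lines",
                      suspicious=bool(hits))


class SupervisorAgent:
    """Synthesizes the specialized agents' reports into a final label."""

    def classify(self, reports: List[Report]) -> str:
        flagged = [r.category for r in reports if r.suspicious]
        return "malicious" if flagged else "benign"


# Route categorized logs to their agents, then let the supervisor decide.
agents = {
    "auth": SpecializedAgent("auth", ["failed login", "privilege"]),
    "file": SpecializedAgent("file", ["exfiltrate", "usb copy"]),
}
logs = {
    "auth": ["failed login for admin", "session opened"],
    "file": ["read report.pdf"],
}
reports = [agents[c].analyze(lines) for c, lines in logs.items()]
verdict = SupervisorAgent().classify(reports)
print(verdict)  # → malicious (the auth agent flagged a failed login)
```

The key design point the sketch captures is the two-level structure: specialized agents each see only their own log category and produce structured reports, so the supervisor reasons over summaries rather than raw logs.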
The framework outperformed existing baselines, prioritizing high recall to minimize false negatives—crucial in cybersecurity contexts. While precision was comparatively lower, this trade-off supports early threat detection. An ablation study highlighted the importance of the Supervisor Agent, whose removal led to a significant drop in performance and increased false positives.
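The recall-over-precision trade-off described above can be made concrete with a worked example; the confusion-matrix counts below are hypothetical, not results from the paper.

```python
# Hypothetical confusion-matrix counts for an insider-threat detector:
# a recall-oriented system tolerates extra false positives (benign
# activity flagged for review) to keep false negatives (missed
# threats) low, which is the costlier error in cybersecurity.
tp, fp, fn = 45, 15, 5

recall = tp / (tp + fn)      # 45 / 50 = 0.90: 90% of real threats caught
precision = tp / (tp + fp)   # 45 / 60 = 0.75: 25% of alerts are benign
print(recall, precision)     # → 0.9 0.75
```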
These results demonstrate the potential of LLM-powered hierarchical multi-agent frameworks for scalable, interpretable, and reliable insider threat detection. Our contributions include the integration of GABM and LLMs, a hierarchical system for log analysis, and the use of Chain-of-Thought reasoning for enhanced interpretability.
Journal description:
Artificial Intelligence (AI) is pivotal in driving the fourth industrial revolution, witnessing remarkable advancements across various machine learning methodologies. AI techniques have become indispensable tools for practicing engineers, enabling them to tackle previously insurmountable challenges. Engineering Applications of Artificial Intelligence serves as a global platform for the swift dissemination of research elucidating the practical application of AI methods across all engineering disciplines. Submitted papers are expected to present novel aspects of AI utilized in real-world engineering applications, validated using publicly available datasets to ensure the replicability of research outcomes. Join us in exploring the transformative potential of AI in engineering.