Daily insider threat detection with hybrid TCN transformer architecture.

IF 3.9 2区综合性期刊 Q1 MULTIDISCIPLINARY SCIENCES

Scientific Reports Pub Date : 2025-08-05 DOI:10.1038/s41598-025-12063-x

Xiaoyun Ye, Huangrongbin Cui, Faqin Luo, Jinlong Wang, Xiaoyun Xiong, Wencui Zhang, Jiawei Yu, Wenhao Zhao

{"title":"Daily insider threat detection with hybrid TCN transformer architecture.","authors":"Xiaoyun Ye, Huangrongbin Cui, Faqin Luo, Jinlong Wang, Xiaoyun Xiong, Wencui Zhang, Jiawei Yu, Wenhao Zhao","doi":"10.1038/s41598-025-12063-x","DOIUrl":null,"url":null,"abstract":"<p><p>Internal threats are becoming more common in today's cybersecurity landscape. This is mainly because internal personnel often have privileged access, which can be exploited for malicious purposes. Traditional detection methods frequently fail due to data imbalance and the difficulty of detecting hidden malicious activities, especially when attackers conceal their intentions over extended periods. Most existing internal threat detection systems are designed to identify malicious users after they have acted. They model the behavior of normal employees to spot anomalies. However, detection should shift from targeting users to focusing on discrete work sessions. Relying on post hoc identification is unacceptable for businesses and organizations, as it detects malicious users only after completing their activities and leaving. Detecting threats based on daily sessions has two main advantages: it enables timely intervention before damage escalates and captures context-relevant risk factors. Our research introduces a novel detection framework for single-day employee behavior detection to address these issues. This framework combines the strengths of Temporal Convolutional Networks (TCNs) and the Transformer architecture. The integrated model uses sliding window technology to segment user logs into time series for model input. The TCN component employs causal and dilated convolutions to maintain temporal order and expand the receptive field, enhancing the detection of long-term patterns. The Transformer models global dependencies in sequences, improving the detection of complex long-term behaviors. The model detects anomalies at each time step and achieves a recall rate of [Formula: see text] with a sequence length of 30 days. Experimental results show that this method can accurately detect malicious behavior daily, promptly identify such actions, and effectively mitigate internal threats in complex environments.</p>","PeriodicalId":21811,"journal":{"name":"Scientific Reports","volume":"15 1","pages":"28590"},"PeriodicalIF":3.9000,"publicationDate":"2025-08-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.ncbi.nlm.nih.gov/pmc/articles/PMC12325752/pdf/","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Scientific Reports","FirstCategoryId":"103","ListUrlMain":"https://doi.org/10.1038/s41598-025-12063-x","RegionNum":2,"RegionCategory":"综合性期刊","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"MULTIDISCIPLINARY SCIENCES","Score":null,"Total":0}

引用次数: 0

Abstract

Internal threats are becoming more common in today's cybersecurity landscape. This is mainly because internal personnel often have privileged access, which can be exploited for malicious purposes. Traditional detection methods frequently fail due to data imbalance and the difficulty of detecting hidden malicious activities, especially when attackers conceal their intentions over extended periods. Most existing internal threat detection systems are designed to identify malicious users after they have acted. They model the behavior of normal employees to spot anomalies. However, detection should shift from targeting users to focusing on discrete work sessions. Relying on post hoc identification is unacceptable for businesses and organizations, as it detects malicious users only after completing their activities and leaving. Detecting threats based on daily sessions has two main advantages: it enables timely intervention before damage escalates and captures context-relevant risk factors. Our research introduces a novel detection framework for single-day employee behavior detection to address these issues. This framework combines the strengths of Temporal Convolutional Networks (TCNs) and the Transformer architecture. The integrated model uses sliding window technology to segment user logs into time series for model input. The TCN component employs causal and dilated convolutions to maintain temporal order and expand the receptive field, enhancing the detection of long-term patterns. The Transformer models global dependencies in sequences, improving the detection of complex long-term behaviors. The model detects anomalies at each time step and achieves a recall rate of [Formula: see text] with a sequence length of 30 days. Experimental results show that this method can accurately detect malicious behavior daily, promptly identify such actions, and effectively mitigate internal threats in complex environments.

查看原文本刊更多论文

每日内部威胁检测与混合TCN变压器架构。

在当今的网络安全领域，内部威胁变得越来越普遍。这主要是因为内部人员通常有特权访问权限，这可能被恶意利用。传统的检测方法经常因为数据不平衡和难以检测隐藏的恶意活动而失败，特别是当攻击者长时间隐藏其意图时。大多数现有的内部威胁检测系统都是为了在恶意用户采取行动后识别他们。他们模仿正常员工的行为来发现异常。然而，检测应该从针对用户转向专注于离散的工作会话。对于企业和组织来说，依赖于事后识别是不可接受的，因为它只有在恶意用户完成活动并离开后才会检测到恶意用户。基于日常会话检测威胁有两个主要优势：它可以在损害升级之前及时干预，并捕获与环境相关的风险因素。我们的研究引入了一个新的检测框架，用于单日员工行为检测，以解决这些问题。该框架结合了时间卷积网络（tcn）和Transformer架构的优势。集成模型采用滑动窗口技术将用户日志分割成时间序列作为模型输入。TCN组件使用因果和扩张卷积来维持时间秩序和扩大接受野，增强对长期模式的检测。Transformer按顺序为全局依赖关系建模，从而改进了对复杂长期行为的检测。该模型在每个时间步检测异常，并实现了序列长度为30天的召回率[公式：见文本]。实验结果表明，该方法能够准确检测日常恶意行为，及时识别恶意行为，有效缓解复杂环境下的内部威胁。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Scientific Reports Natural Science Disciplines-

CiteScore

7.50

自引率

4.30%

发文量

19567

审稿时长

3.9 months

期刊介绍： We publish original research from all areas of the natural sciences, psychology, medicine and engineering. You can learn more about what we publish by browsing our specific scientific subject areas below or explore Scientific Reports by browsing all articles and collections. Scientific Reports has a 2-year impact factor: 4.380 (2021), and is the 6th most-cited journal in the world, with more than 540,000 citations in 2020 (Clarivate Analytics, 2021). •Engineering Engineering covers all aspects of engineering, technology, and applied science. It plays a crucial role in the development of technologies to address some of the world''s biggest challenges, helping to save lives and improve the way we live. •Physical sciences Physical sciences are those academic disciplines that aim to uncover the underlying laws of nature — often written in the language of mathematics. It is a collective term for areas of study including astronomy, chemistry, materials science and physics. •Earth and environmental sciences Earth and environmental sciences cover all aspects of Earth and planetary science and broadly encompass solid Earth processes, surface and atmospheric dynamics, Earth system history, climate and climate change, marine and freshwater systems, and ecology. It also considers the interactions between humans and these systems. •Biological sciences Biological sciences encompass all the divisions of natural sciences examining various aspects of vital processes. The concept includes anatomy, physiology, cell biology, biochemistry and biophysics, and covers all organisms from microorganisms, animals to plants. •Health sciences The health sciences study health, disease and healthcare. This field of study aims to develop knowledge, interventions and technology for use in healthcare to improve the treatment of patients.