Attention-driven fusion of sequential and graph neural models for insider threat detection in UEBA
摘要
Insider threats remain among the most critical challenges in cybersecurity, as malicious or compromised employees can bypass traditional defences and cause disproportionate damage to organizations. Detecting such threats is difficult because anomalous behaviour is often subtle, context-dependent, and concealed within vast volumes of normal user activity. Conventional anomaly detection techniques suffer from high false positive rates and limited ability to capture both temporal and relational patterns of behavior, which constrains their operational utility in Security Operations Centers (SOCs). This study presents a hybrid User and Entity Behavior Analytics framework that integrates Transformer-based sequence modeling with graph neural networks (GNNs) to simultaneously capture temporal workflows and relational dependencies. Using the CERT Insider Threat Dataset, raw multi-source logs are sessionized and transformed into dense event representations combining categorical actions, resource identifiers, and normalized numerical attributes. A Transformer encoder models long-range event dependencies, while a GNN encodes user–resource interactions, their outputs are fused and evaluated via anomaly scoring, with explainability mechanisms providing interpretable SOC alerts. Experimental evaluation demonstrates that the proposed model achieves 97.9% accuracy, 0.88 F1-score, and 0.99 AUC, reducing false positives to 11 per 1000 sessions and lowering detection latency to 1.9 h. These results establish that fusing sequential and relational perspectives yields a robust, accurate, and interpretable solution for insider threat detection in enterprise environments.