1. Introduction
Insider threats are still among the most complex and destructive issues faced by enterprise cybersecurity [1,2]. They emanate from the same people who have valid access to the systems and data, and who can therefore cause loss of information from the inside. Through intent or negligence, insiders often misuse authorized access for exfiltration, operational disruption, or asset compromise. Empirical evidence indicates that insider attacks tend to cause greater financial, operational, and reputational damage than those launched by outsiders, particularly because these attacks are often subtle and take longer to identify [1,3,4]. Traditional insider-threat detection approaches rely heavily on rule-based systems, signature matching, and threshold-driven anomaly detection. While these techniques can identify explicit policy violations, they are limited in their ability to capture subtle, context-dependent, and evolving behavioral deviations [1,4,5]. In contemporary enterprise environments, where remote work is increasingly standard, cloud services are ubiquitous, and access is frequently dynamic, static techniques produce more false positives and reduce analyst confidence. Rule-based systems are also harder to maintain and update in these environments, making them inefficient. Recent developments in AI and ML have brought more flexible methods for modeling user behavior across diverse enterprise data [6,7,8]. By learning behavioral baselines and detecting time-varying deviations from them, techniques such as anomaly detection, deep learning, and sequential models can reveal both known and new insider activities. Sequence-based models such as LSTMs and autoencoders effectively capture temporal dependencies and gradual behavioral drift [7,9,10]. Despite this progress, existing frameworks continue to have significant weaknesses. First, many approaches are based on single-modality data (e.g., network traffic) and do not capitalize on the complementary insights available from multimodal telemetry (email, authentication logs, web behavior, and file-access events). Second, many AI-based frameworks operate as black-box models, offering little interpretability and thus affecting analyst trust and compliance with emerging explainable AI (XAI) expectations [3,5,11]. Third, existing detection systems focus primarily on identifying anomalies and lack automated response mechanisms, leaving a disconnect between detection and remediation. A continuing methodological limitation in the literature is the absence of systematic evaluations of feature redundancy, of the distinction between static and sequential modeling approaches, and of explainability robustness and model stability.
This paper introduces a concise, interpretable, and practical AI-based framework for detecting enterprise insider threats. The proposed architecture fuses multimodal behavioral telemetry into a unified representation and combines unsupervised anomaly detection methods with sequential deep-learning models to learn both stationary and temporal changes in user behavior. While classical supervised approaches rely heavily on labeled insider events, AIB-ITD is an anomaly-driven approach that allows the detection of both known and novel threats. Beyond detection, AIB-ITD uses SHapley Additive exPlanations (SHAP) to provide feature-level interpretability, which helps analysts understand the reasoning behind each assessment. To enhance rigor, the AIB-ITD framework addresses redundancy in feature correlation, compares static and sequential models, and analyzes explainability stability. In addition, the framework presents the ARPC module, which converts risk scores into actionable mitigation stages so that least-privilege policies can be enforced across enterprise systems such as SIEM, SOAR, and IAM in near real time and in a privacy-preserving way.
The main contributions of this work can be summarized as follows:
A hybrid insider-threat detection AIB-ITD framework that integrates multimodal data fusion with unsupervised and sequential modeling techniques.
An explainable AI component using SHAP to provide transparent, feature-level risk attribution.
A comprehensive evaluation approach incorporating feature correlation analysis, model comparison, and explainability stability assessment.
An automated response mechanism that operationalizes detection outcomes through dynamic privilege containment.
Unlike prior research, which deals with detection, explanation, or response independently, AIB-ITD is one of the most integrated operational frameworks, combining anomaly detection, explainability, and automated containment in an enterprise architecture. The rest of this paper is organized as follows. Section 2 discusses relevant work in insider-threat detection and explainable AI. Section 3 introduces the AIB-ITD framework. Section 4 outlines the research methodology and mathematical formulation. Experimental results and analyses are described in Section 5. Finally, limitations, future work, and conclusions are presented in Section 6 and Section 7.
2. Literature Review
Early research on insider-threat detection primarily leveraged rule-based and statistical models that monitored predefined factors (e.g., abnormal login behavior, excessive file transfers, and explicit policy violations) [1,4,12]. These methods offered transparency and efficiency but were limited by their dependence on fixed rules and past attack patterns. Consequently, they tend to generate high false-positive rates and fail to uncover stealthy insider behavior that emulates legitimate user activity. In cloud-based, mobile, and hybrid enterprise infrastructures, the drawbacks of traditional approaches have become clearer. To tackle such problems, the trend in academia has been to incorporate machine learning (ML) and deep learning (DL) to model user behavior in a data-driven manner [6,13]. Such approaches identify anomalies by learning behavioral baselines and characterizing deviations along various axes. Sequential models, especially LSTM-based and autoencoder-based models, are promising for capturing temporal dependencies in user behavior [7,9]. These models can infer multi-stage insider actions such as reconnaissance, privilege escalation, and data exfiltration from temporal event patterns. However, many sequence-based methods depend on fixed scenarios or a limited training set, which restricts their coverage of unknown insider techniques. For the detection of unknown or zero-day insider threats, hybrid schemes combining supervised classification with unsupervised anomaly detection have been introduced [6,14]. These methods increase model robustness by using labeled data for known attack patterns and anomaly detection for novel behaviors. While hybrid models offer considerable strengths in various domains, much of the current literature yields binary outputs lacking substantive context, rendering them insufficient for operational security environments. Transformer-based architectures and attention mechanisms have also been proposed for modeling long-range dependencies in behavioral data [13,15]. Although these models exhibit high robustness for network intrusion detection, they are often tested on single-modality data (packet-level traffic) and do not leverage the multimodal enterprise telemetry relevant to insider-threat contexts. Graph-based methods offer another route in insider-threat detection research. These approaches represent the connections between users, devices, and resources as graph structures and analyze anomalous interactions [9,16]. Federated graph neural networks have also been proposed to allow collaborative detection while preserving data privacy [17]. However, such methods are difficult to scale for deployment in complex enterprise settings and do not yield high feature-level interpretability for analysts. Meanwhile, User and Entity Behavior Analytics (UEBA) systems have demonstrated the value of unifying different data streams for insider-threat monitoring. It has been reported that fusing communication, access, and system-interaction data enhances detection performance [18,19,20]. However, several UEBA methods remain proprietary and opaque, and do not comprehensively implement advanced machine learning or explainable AI models. The increasing importance of explainability in cybersecurity has led to the adoption of post hoc interpretability techniques such as LIME (Local Interpretable Model-agnostic Explanations) and SHAP in cybersecurity defense solutions [4,5,11]. These techniques document the rationale behind a model’s decisions by quantifying feature contributions to its outputs, which enhances analysts’ confidence in the system and supports adherence to regulatory requirements. In numerous current frameworks, however, explainability is treated as an independent reporting component rather than being integrated as a core element of the detection and decision-making process. Concurrently, privacy-preserving methods such as federated training and differential privacy have been studied to satisfy data-protection regulations [13,21,22,23]. These techniques contribute to privacy but lack explainability and operational response mechanisms in a unified context. While research on insider-threat detection has made significant progress, several critical areas still require improvement. First, existing methods are based on single-modality data and do not leverage the complementary information offered by multimodal telemetry. Second, hybrid and deep learning techniques are, in general, less interpretable and less transparent for analysts. Additionally, no current approach thoroughly evaluates feature redundancy, assesses robustness, or compares the impact of static models against sequential ones. Most frameworks focus primarily on detection and do not add any automatic response process to counter detected risks dynamically. To address these drawbacks, the AIB-ITD framework proposed herein combines multimodal data fusion, hybrid anomaly-based and sequential modeling, explainable AI via SHAP, and ARPC within a single pipeline. AIB-ITD bridges the gap between theoretical research and practical implementation, providing a scalable and operationally beneficial solution for insider-threat defense.
Recent advances in insider-threat detection have incorporated explainable AI, behavioral analytics and deep learning to improve detection accuracy and analyst trust. The use of SHAP-based interpretation, temporal sequence modeling, and UEBA-driven behavioral profiling in identifying malicious insider activities has been extensively explored in the last couple of years. The importance of integrating automated response and containment capabilities with detection systems to reduce incident response times and improve operational effectiveness has also been highlighted in recent research. However, most existing approaches are very much focused on detection and lack unified explainability and automated mitigation. This is the reason for the proposed AIB-ITD framework [24,25,26,27,28,29].
3. Proposed AIB-ITD Framework
This paper presents the AIB-ITD framework as an integrated, scalable, and explainable approach for enterprise-level insider-threat detection and mitigation. The AIB-ITD framework aims to turn heterogeneous enterprise telemetry into risk intelligence that can both accurately detect and automatically act upon risks. The AIB-ITD framework, as shown in Figure 1, comprises five interconnected functional layers: data acquisition, feature engineering, hybrid modeling, explainable decision support, and automated response with privilege containment. The framework works with multimodal enterprise data, including email, web and HTTP actions, logons and VPN sessions, and file-access events. These multiple sources provide a unified perspective on user interaction patterns with respect to communication, authentication, and system usage. By combining these modalities, AIB-ITD interprets end users’ behavior across the entirety of the systems, allowing subtle, context-dependent anomalies to be detected that would not be easily visible in a single data flow. The data acquisition layer collects raw telemetry from enterprise systems such as SIEM, SOAR, and IAM platforms. The subsequent layer observes user activities in detail, including the frequency of messages and attachments within email systems, browsing patterns and data-transfer actions on web platforms, session attributes for logon and VPN usage, and read and write operations recorded in file-access logs.
The feature engineering layer converts raw events into structured behavioral features for machine learning models. Events are standardized and aggregated to the user-day level to obtain consistency among modalities and to facilitate temporal models. The features include frequency indicators, ratio-based indicators (e.g., off-hours usage), and temporal summaries that capture short- and long-term patterns. This method of aggregation increases reproducibility and avoids inconsistent features caused by mixed temporal granularity. The hybrid modeling layer is the analytical core of AIB-ITD. To detect known and previously unseen insider behaviors, the framework takes an anomaly-driven approach instead of relying only on labeled data. To capture structural deviations from normal behavior, multiple unsupervised models are used, including Isolation Forest, Principal Component Analysis (PCA) reconstruction error, and an Autoencoder. Simultaneously, a Long Short-Term Memory Autoencoder (LSTM-AE) is applied to model temporal dependencies and sequential behavioral drift across days. This pairing allows the framework to identify both sudden deviations from the norm and the subtle evolution of behavior over time. The results of the separate models are merged using an ensemble fusion process that provides one insider risk score for each user. The ensemble approach improves robustness by integrating complementary perspectives from different models, thus reducing noise sensitivity and improving detection stability.
The output risk score serves as a continuous measure of anomaly intensity, allowing prioritization and subsequent decision-making. An explainable decision-support layer, based on SHAP, promotes transparency and develops analyst trust. This component decomposes the predicted risk score into feature-level contributions, enabling analysts to understand why a detection was made. The explainability layer supports local (instance-level) and global (dataset-level) understanding for meaningful investigation and governance.
Expanding upon the detection and explanation phases, AIB-ITD adds the ARPC module, which turns risk scores into actionable mitigation plans. Once a set threshold is met, user behavior is sorted into different risk levels, each tied to a specific response such as increased monitoring, stronger authentication, privilege limitation, or access suspension. The ARPC module maintains a Least Privilege Containment (LPC) policy, restricting high-risk users to the minimum access they need for a limited time. ARPC operates in real time and integrates with enterprise security systems such as SIEM, SOAR, and IAM. Response actions are auditable, reversible, and preserve confidentiality; alerts are generated from high-level behavioral indicators rather than sensitive content. The AIB-ITD framework combines multimodal data fusion, hybrid anomaly-based modeling, explainable AI, and automated response in a single workflow. This combination allows the framework to overcome important disadvantages of existing methods, such as a lack of interpretability, poor robustness, a lack of response mechanisms, and impractical action mechanisms, making it a suitable, scalable method for insider-threat detection in present-day enterprise environments.
4. Research Methodology
As depicted in Figure 2, the proposed AIB-ITD framework is designed as a layered architecture consisting of five sequential components. This organized method provides a complete, end-to-end pipeline for the detection, interpretation, and mitigation of insider threats in enterprise applications.
The Data Acquisition Layer collects an array of multimodal insider-activity logs from internal systems. Examples include email logs that capture sending, receiving, and attaching files; web/HTTP logs tracking browsing activity, uploads, and downloads; VPN and logon logs detailing login actions, session lengths, and locations; and file-access logs recording the creation, modification, and deletion of files. These diversified data sources give an integrated view of user behavior across communication, network, authentication, and data interaction. During pre-processing, timestamps are converted to a common time standard, user identifiers are normalized across all modalities, and records are aggregated at the user-day level to ensure a common time granularity. The second stage of the pipeline, the Feature Engineering Layer, converts raw action logs into functional behavioral features, as shown in Figure 2. These features reflect user behavior, including activity frequency (the number of activities), temporal patterns (off-hours activity), usage deviation (percentage change over baseline behavior), and access behavior (patterns in email, web, VPN, and file interactions). To gain a deeper insight into the statistical characteristics of the engineered features, the empirical distributions of key behavioral variables are examined, as shown in Figure 3. Most user activities are clustered at low levels, while a small number exhibit much higher activity, resulting in skewed, heavy-tailed distributions across the various modalities. This is in line with real-world enterprise environments, in which normal user activities predominate and anomalous behavior appears as rare deviations. Such observations also support the use of anomaly-driven detection approaches, which are well suited to detecting outliers in imbalanced and non-Gaussian data distributions.
The distribution of key behavioral features across modalities is shown in Figure 3. With most user activities in the normal range and a tiny subset extremely active, the distributions are highly skewed and heavy-tailed. This trend aligns with real-world enterprise environments where insider threats are low in incidence and have high behavioral impact. These distributions justify the use of anomaly detection techniques, which are ideally suited for uncovering outliers in imbalanced datasets.
Furthermore, anomaly indicators are highlighted to reflect rare and out-of-the-ordinary activities that might indicate an insider threat. We took these steps: normalize continuous features, encode categorical features, and perform median imputation for missing values. A correlation analysis was performed to further enhance feature quality. Figure 4 displays the findings related to the relationships observed between the various features.
The correlation heatmap of the engineered behavioral features is shown in Figure 4. Moderate correlations are found among specific features, suggesting redundant information. This supports the development of modeling systems that handle correlated inputs and avoid overfitting. Moreover, the lack of excessive multicollinearity signals that the proposed feature set is acceptable for anomaly detection purposes. In Figure 4, o, c, e, a, and n are the Big Five personality traits: openness, conscientiousness, extraversion, agreeableness, and neuroticism. These psychometric features are included to capture personality characteristics that may influence insider behavior. The correlation heatmap shows the relationship between personality traits and other user-activity features, which may be useful for insider-threat detection.
During the third stage, the Hybrid Modeling Layer employs a flexible ensemble learning strategy to recognize abnormal user behavior, as presented in Figure 2. Although this layer accommodates both supervised and unsupervised methods depending on data availability, we adopt an anomaly-driven approach in this paper because there is no labeled insider-threat data. Unsupervised approaches such as the Isolation Forest, Autoencoder, and PCA reconstruction were used to represent structural deviations from regular behavior. Further, an LSTM Autoencoder (LSTM-AE) is introduced to model temporal dependencies and to capture gradual changes in behavioral information over time. Sequential input data are constructed using sliding windows, allowing changes in patterns of insider activity to be identified. Figure 5 compares the static and sequential modeling methods.
The performance of static and sequential modeling methods is compared in Figure 5. The findings indicate that the LSTM Autoencoder, a temporal-dependency method, can improve the separation of normal and abnormal behavior. Temporal learning models are increasingly relevant in insider-threat detection, as many malicious behaviors evolve over time rather than occurring in a few isolated instances.
A weighted ensemble approach combines the outputs of the separate models, producing a single insider risk score for each user. This ensemble method is highly robust, with less model-specific bias and a stable capture of anomaly intensity. Due to the asymmetric nature of insider-threat data, high-risk users are identified as those with anomaly scores in the upper percentile, rather than by relying on clearly labeled classes. Stage four, the Explainability Layer, uses SHAP to interpret model outputs, as Figure 2 shows. SHAP provides both global feature importance and local explanations, enabling analysts to comprehend why specific users are marked as abnormal. Figure 6 illustrates the importance of features related to insider risk, highlighting various behavioral indicators.
Figure 6 shows the global feature importance based on SHAP analysis. We find that features associated with file-access behavior, VPN session anomalies, and unusual web activity account for the major part of insider risk scores. These results are consistent with the general observation that insider threats tend to involve abnormal access to sensitive environments and unauthorized use of systems, which are primary indicators of an adversary.
To ensure that explanation results are robust and consistent, a SHAP stability analysis was carried out across different runs and setups. Figure 7 presents the analysis results and demonstrates the robustness of the feature-importance rankings across different runs and models. The stability of the SHAP-based feature importance indicates that the model is not overly sensitive to minor variations in the data or initialization, which increases confidence in the framework’s decision-making mechanism. The black horizontal error bars represent one standard deviation (±std) of the mean absolute SHAP values, showing how each feature’s contribution varies across the considered samples. Longer error bars indicate greater variability in a feature’s effect on individual predictions, whereas shorter error bars reflect more consistent contributions across the data. Extraversion (E) has the highest average feature importance but also a larger error bar, suggesting that its influence varies across users and behaviors, while features with smaller error bars contribute more consistently to the model’s predictions.
The Automated Response and Privilege Containment Layer, the last component, distills insider risk scores into actionable mitigation strategies (see Figure 2). Users are classified by threshold into levels of risk: minimal risk (monitor only), medium risk (increased monitoring), elevated risk (privilege restriction), and critical risk (account isolation or access lockdown). By applying the principle of least privilege, this method manages risk by containing threats as they occur. The framework also connects to enterprise systems such as Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and Identity and Access Management (IAM) platforms for scalable, auditable, and privacy-preserving deployment. In short, the AIB-ITD framework, summarized in Figure 1, embodies a coherent, modular, scalable, and interpretable method for insider-threat detection by fusing multimodal data, advanced feature engineering, hybrid anomaly detection, explainable artificial intelligence, and automated response in a common operational architecture.
Table 1 gives the formal description of the mapping between computed risk scores and corresponding response actions. Using the normalized risk score (R), the framework segments users into four risk tiers with progressive and context-aware mitigation strategies. Passive monitoring and logging are used at lower risk levels to maintain baseline behavior tracking. As the risk level increases, the system imposes stronger controls, such as multi-factor authentication, data-transfer restrictions, and privilege adjustments. For high-risk scenarios, immediate containment measures such as access suspension, network segmentation, and forensic data capture are initiated. Every tier carries its own review process, ranging from periodic audits to real-time analyst validation and emergency escalation. The structured mapping allows response actions that are proportional, auditable, and aligned with enterprise security policies.
4.1. AIB-ITD Operational Workflow
The AIB-ITD-based Insider-Threat Detection (AIBA) model is constructed sequentially in a structured, end-to-end manner that transforms enterprise telemetry into explainable risk intelligence and automated containment. The operational workflow describes the complete pipeline through which behavioral data are collected, processed, analyzed, explained, and acted upon.
In the first stage, AIB-ITD performs enterprise telemetry acquisition by collecting multi-source behavioral data from systems integrated with the SIEM, SOAR, and IAM platforms. The four core modalities were monitored continuously. These include e-mail and communication activities, such as message volumes, recipient diversity, attachment sizes, off-hour communication, and device identifiers; network and web/HTTP activities, including data transfer volume, access to sensitive domains, use of anonymity tools such as Tor or unauthorized VPNs, and abnormal script execution; VPN and logon behavior, encompassing session duration, geolocation deviation, authentication anomalies, and endpoint identifiers; and file and directory access, including read and write operations, access to restricted directories, and modification of sensitive assets. For the experimental evaluation, the SEI/CMU CERT Insider Threat Dataset (r 4.2) was used, which contained over 100,000 user-day events representing benign, negligent, and malicious behaviors.
In the second stage, feature engineering and behavioral representation are performed to transform the raw logs into machine-interpretable features. This process includes the normalization of continuous variables such as traffic volume and session duration, one-hot encoding of categorical fields, and temporal aggregation into daily or session-level windows. Behavioral indicators were constructed to capture contextual and frequency-based characteristics of user activity, including the ratio of after-hours to regular-hours e-mail activity, counts of privileged file modifications, deviations in VPN session duration, and rolling means of outbound traffic volume using seven-day windows. Missing data were addressed using median imputation, and robust scaling was implemented to enhance comparability across different modalities. This step produces compact behavioral vectors that effectively represent user actions.
The third stage takes the hybrid anomaly modeling and risk scoring approach. Since insider-threat data typically contain few and often incomplete labels, the proposed framework adopts an anomaly-driven detection approach. Structural anomalies are detected using Isolation Forest, PCA reconstruction error, and Autoencoder models, and temporal behavioral deviations are detected by an LSTM Autoencoder. The results of these two kinds of detectors are combined through weighted ensemble fusion to form one insider risk score. This approach facilitates detection of both known and previously unknown insider behavior without relying on fully labeled training data.
A sequential deep model, specifically an LSTM Autoencoder, captures temporal dependencies, gradual behavioral drift, and multiday patterns. The outputs from these models were combined through weighted ensemble fusion to generate a unified risk score.
The ensemble weights were determined by grid-search optimization using five-fold cross-validation on the training dataset. We evaluated the candidate weight combinations that satisfy the normalization constraint on the basis of anomaly-separation performance and ranking stability. The final optimized weights placed more importance on the LSTM Autoencoder and Autoencoder models because of their ability to detect temporal and non-linear behavioral deviations. We found that varying the optimal weights by ±10% produced no appreciable difference in overall AUC and that the ensemble performed well across different parameter settings.
In stage four, SHAP is used to provide explainability. For each detection outcome, SHAP values were computed to quantify the contribution of individual features to the overall risk score, such as high off-hour e-mail activity contributing +0.23, large data-transfer volume contributing +0.19, or consistent login timing contributing −0.12. These values are visualized using bar charts and heatmaps and aggregated into dashboards that present risk patterns by department, role, or system. This explainability layer supports interpretability, analysts’ trust, and the governance requirements.
The fifth stage implements Automated Response and Privilege Containment using the ARPC module. When the computed risk score exceeds the configured thresholds, a tiered response playbook is activated, enabling actions such as step-up multifactor authentication, throttled data transfer, session quarantine, temporary privilege downgrade, and full access suspension in high-risk cases. Integrations with the SOAR and IAM systems allow these policies to be enforced automatically. All actions are time-bounded, logged, reversible, and privacy-preserving, with alerts generated using only metadata.
In the sixth stage, analyst oversight and continuous governance are maintained throughout the detection-to-response lifecycle. Each event is supported by SHAP-based justification, reviewed by SOC analysts in high-risk cases, followed by an automatic rollback of privileges upon clearance. Comprehensive audit trails are maintained to support governance, compliance, and transparency.
The AIB-ITD operational workflow is an enterprise-scale, trustworthy deployment framework that unifies multimodal data fusion, hybrid ensemble learning, explainable AI reasoning, and automated privilege containment.
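The feature-engineering stage of the workflow described above (user-day aggregation of multimodal events, the after-hours e-mail ratio, seven-day rolling means of outbound volume, median imputation, robust scaling, and the sliding windows fed to the LSTM-AE), as an added Python example that is not the paper's code. The event records, the 08:00-17:59 business-hours rule, and the choice of a user's last seven recorded days as the rolling window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample telemetry (not the CERT r4.2 data): (modality, user, timestamp, payload).
EVENTS = [
    ("email", "u001", "2024-03-04 09:12", {"attach_bytes": 120_000}),
    ("email", "u001", "2024-03-04 22:40", {"attach_bytes": 4_500_000}),
    ("http",  "u001", "2024-03-04 10:05", {"upload_bytes": 2_000}),
    ("logon", "u001", "2024-03-04 08:55", {"session_min": 540}),
    ("file",  "u001", "2024-03-04 23:10", {"op": "write", "restricted": True}),
    ("email", "u002", "2024-03-04 11:00", {"attach_bytes": 50_000}),
    ("logon", "u002", "2024-03-04 09:00", {"session_min": 480}),
    ("file",  "u002", "2024-03-04 14:30", {"op": "read", "restricted": False}),
    ("logon", "u001", "2024-03-05 02:00", {"session_min": 30}),
    ("http",  "u001", "2024-03-05 02:15", {"upload_bytes": 900_000}),
    ("http",  "u002", "2024-03-05 15:00", {"upload_bytes": 10_000}),  # no logon that day
]

COUNT_FEATURES = ["email_count", "email_offhours", "attach_bytes", "upload_bytes",
                  "http_offhours", "logon_count", "file_ops", "restricted_writes"]
DURATION_FEATURES = ["session_min"]     # absent -> None, later median-imputed
BUSINESS_HOURS = range(8, 18)           # assumption: 08:00-17:59 are regular hours


def is_off_hours(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour not in BUSINESS_HOURS


def aggregate_user_day(events):
    """Roll raw multimodal events up to one record per (user, day); counts default to 0."""
    table = {}
    for modality, user, ts, p in events:
        row = table.setdefault((user, ts[:10]), {**{f: 0 for f in COUNT_FEATURES},
                                                 **{f: None for f in DURATION_FEATURES}})
        off = int(is_off_hours(ts))
        if modality == "email":
            row["email_count"] += 1
            row["email_offhours"] += off
            row["attach_bytes"] += p["attach_bytes"]
        elif modality == "http":
            row["upload_bytes"] += p["upload_bytes"]
            row["http_offhours"] += off
        elif modality == "logon":
            row["logon_count"] += 1
            row["session_min"] = (row["session_min"] or 0) + p["session_min"]
        elif modality == "file":
            row["file_ops"] += 1
            row["restricted_writes"] += int(p["op"] == "write" and p["restricted"])
    return table


def add_derived_features(table, window=7):
    """Ratio and rolling-window features; the window covers the user's last `window` recorded days."""
    by_user = defaultdict(list)
    for user, day in sorted(table):
        by_user[user].append(day)
    for user, days in by_user.items():
        for i, day in enumerate(days):
            row = table[(user, day)]
            row["after_hours_email_ratio"] = (row["email_offhours"] / row["email_count"]
                                              if row["email_count"] else 0.0)
            recent = [table[(user, d)]["upload_bytes"] for d in days[max(0, i - window + 1):i + 1]]
            row["upload_bytes_roll_mean"] = sum(recent) / len(recent)
    return table


def _quantile(sorted_vals, q):
    pos = (len(sorted_vals) - 1) * q
    lo, hi = int(pos), min(int(pos) + 1, len(sorted_vals) - 1)
    return sorted_vals[lo] + (sorted_vals[hi] - sorted_vals[lo]) * (pos - lo)


def impute_and_scale(table):
    """Median-impute missing values, then robust-scale each feature as (x - median) / IQR."""
    feats = sorted(next(iter(table.values())))
    scaled = {k: {} for k in table}
    for f in feats:
        fill = median([r[f] for r in table.values() if r[f] is not None])
        col = sorted(fill if r[f] is None else r[f] for r in table.values())
        iqr = (_quantile(col, 0.75) - _quantile(col, 0.25)) or 1.0   # constant feature: no scaling
        med = median(col)
        for k, r in table.items():
            scaled[k][f] = ((fill if r[f] is None else r[f]) - med) / iqr
    return scaled


def make_windows(scaled, user, window=7):
    """Sliding windows of consecutive user-day vectors (LSTM-AE input); only full windows are emitted."""
    days = sorted(d for (u, d) in scaled if u == user)
    feats = sorted(next(iter(scaled.values())))
    vectors = [[scaled[(user, d)][f] for f in feats] for d in days]
    return [vectors[i:i + window] for i in range(len(vectors) - window + 1)]


if __name__ == "__main__":
    features = impute_and_scale(add_derived_features(aggregate_user_day(EVENTS)))
    for key, row in sorted(features.items()):
        print(key, {f: round(v, 3) for f, v in row.items()})
    print("u001 windows (w=2):", len(make_windows(features, "u001", window=2)))
```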
4.2. Mathematical Formulation of the AIB-ITD Model
To formally describe the operational behavior of the proposed Artificial Intelligence-Based Insider-Threat Detection (AIB-ITD) framework, this section presents the mathematical representation of multimodal user behavior modeling, hybrid ensemble risk estimation, sequential anomaly detection, explainable attribution, and automated privilege containment policy.
For each user at time instance (day), the heterogeneous telemetry collected from enterprise systems is transformed into a unified behavioral feature vector:
where each modality is itself a feature sub-vector:
This formulation enables multimodal telemetry fusion in a single behavioral space that captures communication, network usage, authentication patterns, and file–system interaction.
2. Sequential Behavioral Modeling Using LSTM Autoencoder
To capture temporal dependencies and gradual behavioral drift, a sliding window of user behavior is constructed:
where
represents the temporal window size (7 days in this study).
The LSTM Autoencoder learns a reconstruction:
and the sequential anomaly score is computed as the reconstruction error:
Higher reconstruction error indicates deviation from learned normal behavioral sequences.
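As an added, runnable illustration of the windowing and reconstruction-error scoring described above (this is example code, not code from the paper), the block below builds 7-day sliding windows over a user's daily feature vectors and scores each window by its reconstruction error. Because the paper's LSTM Autoencoder needs a deep-learning library, the decoder is replaced here by a per-feature baseline profile learned from the training windows (an assumption made for the example); the windowing and the error computation are the parts being demonstrated. The sample user-day vectors are constructed for the example.

```python
import math
from typing import List, Sequence, Tuple

# Constructed sample: one user's daily feature vectors
# (emails_sent, bytes_transferred_mb, off_hour_logins). Days 0-9 are normal;
# day 10 shows a burst of data transfer and off-hour logins.
USER_DAYS: List[List[float]] = [
    [20, 50, 0], [22, 48, 0], [18, 55, 1], [21, 52, 0], [19, 47, 0],
    [23, 51, 1], [20, 49, 0], [22, 53, 0], [21, 50, 0], [19, 48, 0],
    [24, 900, 6],
]

Window = List[List[float]]


def build_windows(days: Sequence[Sequence[float]], w: int = 7) -> List[Window]:
    """Sliding windows of w consecutive user-day vectors (w = 7 in the paper)."""
    if len(days) < w:
        raise ValueError("not enough days for one window")
    return [[list(d) for d in days[i:i + w]] for i in range(len(days) - w + 1)]


def fit_baseline(windows: List[Window]) -> Tuple[List[float], List[float]]:
    """Per-feature mean and std over all training days.

    Stand-in for the trained LSTM-AE: the 'decoder' reconstructs every day of a
    window as the learned mean profile, so a window that departs from normal
    behaviour is reconstructed badly (hypothetical simplification, not the paper's model).
    """
    flat = [day for win in windows for day in win]
    n_feat = len(flat[0])
    means = [sum(d[j] for d in flat) / len(flat) for j in range(n_feat)]
    stds = []
    for j in range(n_feat):
        var = sum((d[j] - means[j]) ** 2 for d in flat) / len(flat)
        stds.append(math.sqrt(var) or 1.0)  # guard against constant features
    return means, stds


def reconstruct(window: Window, means: List[float]) -> Window:
    """Baseline reconstruction: each day predicted as the mean profile."""
    return [list(means) for _ in window]


def reconstruction_error(window: Window, recon: Window, stds: List[float]) -> float:
    """Mean squared standardised error between a window and its reconstruction."""
    total, count = 0.0, 0
    for day, rday in zip(window, recon):
        for j, (x, r) in enumerate(zip(day, rday)):
            total += ((x - r) / stds[j]) ** 2
            count += 1
    return total / count


def score_user(days: Sequence[Sequence[float]], w: int = 7, train_days: int = 10) -> List[float]:
    """Sequential anomaly score for every window; the first train_days days are
    treated as the (assumed clean) training period."""
    means, stds = fit_baseline(build_windows(days[:train_days], w))
    return [reconstruction_error(win, reconstruct(win, means), stds)
            for win in build_windows(days, w)]


if __name__ == "__main__":
    for i, s in enumerate(score_user(USER_DAYS)):
        print(f"window {i}: reconstruction error = {s:.2f}")
```

The last window, which contains the burst day, scores orders of magnitude above the all-normal windows, which is the separation the reconstruction-error score is meant to provide; in practice the training period must be screened so that the baseline is not learned from already-compromised behaviour.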
3. Hybrid Ensemble Risk Estimation
Each learning component in AIB-ITD produces a probability estimate of insider risk:
for model k ∈ {IF, PCA, AE, LSTM-AE}.
The final insider risk score is computed using calibrated weighted ensemble fusion
subject to:
where
are optimized through cross-validation. This formulation allows the integration of multiple unsupervised and sequential anomaly signals into a unified probabilistic insider risk measure.
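The following block is an added example (not the paper's code) of the calibrated weighted fusion just described: each component's raw anomaly score is min-max normalised onto a common scale, the weights are checked against the constraint (non-negative, summing to one), and the fused score is ranked and segmented by percentile, which is how the risk measure is consumed in the evaluation. The raw component scores and the weights are constructed values; the cross-validated weight search the paper uses is assumed to have produced them.

```python
from typing import Dict, List

MODELS = ("IF", "PCA", "AE", "LSTM-AE")

# Constructed raw anomaly scores for six user-days from the four components.
# Each component reports on its own scale (IF path score, PCA/AE/LSTM-AE
# reconstruction errors), which is why normalisation precedes fusion.
RAW_SCORES: Dict[str, List[float]] = {
    "IF":      [0.42, 0.45, 0.40, 0.44, 0.71, 0.43],
    "PCA":     [1.2, 1.5, 1.1, 1.3, 9.8, 1.4],
    "AE":      [0.03, 0.05, 0.02, 0.04, 0.61, 0.03],
    "LSTM-AE": [0.9, 1.1, 0.8, 1.0, 14.2, 1.2],
}


def minmax(values: List[float]) -> List[float]:
    """Scale a component's scores onto [0, 1] across the scored population."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def check_weights(weights: Dict[str, float]) -> None:
    """Enforce the fusion constraint: one non-negative weight per model, summing to 1."""
    if set(weights) != set(MODELS):
        raise ValueError("one weight per model is required")
    if any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")


def fuse_risk(raw: Dict[str, List[float]], weights: Dict[str, float]) -> List[float]:
    """Calibrated weighted ensemble fusion into a single [0, 1] insider risk score."""
    check_weights(weights)
    n = len(next(iter(raw.values())))
    normed = {k: minmax(v) for k, v in raw.items()}
    return [sum(weights[k] * normed[k][i] for k in MODELS) for i in range(n)]


def rank_users(risk: List[float]) -> List[int]:
    """Indices ordered from highest to lowest fused risk (the ranking the evaluation uses)."""
    return sorted(range(len(risk)), key=lambda i: risk[i], reverse=True)


def pseudo_labels(risk: List[float], top_fraction: float = 0.01) -> List[bool]:
    """Percentile-based segmentation: flag the top fraction of fused scores as high risk."""
    k = max(1, int(round(len(risk) * top_fraction)))
    flagged = set(rank_users(risk)[:k])
    return [i in flagged for i in range(len(risk))]


if __name__ == "__main__":
    # Constructed weights, assumed to come from the cross-validated search.
    weights = {"IF": 0.2, "PCA": 0.2, "AE": 0.3, "LSTM-AE": 0.3}
    fused = fuse_risk(RAW_SCORES, weights)
    print("fused risk:", [round(r, 3) for r in fused])
    print("ranking:", rank_users(fused))
    print("high-risk flags (top 20%):", pseudo_labels(fused, 0.2))
```

A useful check when tuning the weights is that the high-risk ranking is stable across reasonable weight choices; in the constructed data every component agrees on user-day 4, so it ranks first under any valid weighting, whereas disagreement between components would show up as rank changes when the weights move.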
4. Explainable Risk Attribution Using SHAP
To ensure interpretability, the final risk score is decomposed into feature-level contributions using SHAP:
where:
This decomposition provides analyst-interpretable evidence for each alert and supports governance and transparency requirements.
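As an added worked example of the feature-level decomposition (not code from the paper, and not the SHAP library), the block below computes exact Shapley values for a small risk function by enumerating every feature coalition. The risk function, the feature names and the baseline (reference) user-day are constructed for the example; what the block demonstrates is the additivity property the attribution relies on, namely that the per-feature contributions sum exactly to the difference between the scored user-day and the baseline, and that a feature at its baseline value receives zero contribution.

```python
import itertools
import math
from typing import Callable, Dict, List, Tuple

# Constructed feature set, loosely following the paper's stage-four example.
FEATURES: List[str] = ["off_hour_email", "transfer_volume_mb", "login_timing_consistency"]

# Constructed reference point: a typical user-day against which contributions are measured.
BASELINE: Dict[str, float] = {
    "off_hour_email": 1.0,
    "transfer_volume_mb": 50.0,
    "login_timing_consistency": 0.9,
}


def risk_model(x: Dict[str, float]) -> float:
    """Illustrative non-linear risk function standing in for the ensemble (hypothetical).
    The interaction term makes off-hour e-mail combined with large transfers riskier
    than either alone, so a purely linear attribution would be wrong here."""
    r = 0.02 * x["off_hour_email"] + 0.0005 * x["transfer_volume_mb"]
    r += 0.0001 * x["off_hour_email"] * x["transfer_volume_mb"]
    r -= 0.3 * x["login_timing_consistency"]
    return r


def shapley_values(f: Callable[[Dict[str, float]], float], x: Dict[str, float],
                   baseline: Dict[str, float], features: List[str]) -> Dict[str, float]:
    """Exact Shapley values by coalition enumeration (2^n evaluations per feature; fine
    for a handful of features, which is why real deployments use SHAP's estimators).
    value(S) scores the point whose features in S come from x and the rest from baseline."""
    n = len(features)

    def value(coalition: set) -> float:
        point = {k: (x[k] if k in coalition else baseline[k]) for k in features}
        return f(point)

    phi: Dict[str, float] = {}
    for i in features:
        others = [k for k in features if k != i]
        total = 0.0
        for size in range(len(others) + 1):
            for subset in itertools.combinations(others, size):
                s = set(subset)
                weight = (math.factorial(size) * math.factorial(n - size - 1)
                          / math.factorial(n))
                total += weight * (value(s | {i}) - value(s))
        phi[i] = total
    return phi


def explain(x: Dict[str, float]) -> Tuple[float, Dict[str, float], float]:
    """Return (baseline risk, per-feature contributions, risk of x)."""
    base = risk_model(BASELINE)
    phi = shapley_values(risk_model, x, BASELINE, FEATURES)
    return base, phi, risk_model(x)


if __name__ == "__main__":
    # Constructed high-risk user-day: heavy off-hour e-mail plus a large transfer.
    sample = {"off_hour_email": 12.0, "transfer_volume_mb": 900.0, "login_timing_consistency": 0.9}
    base, phi, fx = explain(sample)
    print(f"baseline risk {base:.3f}, sample risk {fx:.3f}")
    for name, v in sorted(phi.items(), key=lambda kv: -abs(kv[1])):
        print(f"  {name:26s} {v:+.3f}")
```

Because the interaction term is shared between the two features that create it, each receives part of it; that split is what an analyst-facing bar chart would show as two positive contributions rather than one.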
5. Automated Response and Privilege Containment (ARPC) Policy
The ARPC mechanism maps the computed risk score into tiered containment actions using predefined thresholds:
where:
—predefined risk thresholds;
—response levels (observe → caution → containment → suspension).
This formalizes the decision logic for dynamic privilege containment, enabling automated yet reversible mitigation actions integrated with IAM, SIEM, and SOAR systems.
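The block below is an added example (not the paper's ARPC implementation) of the threshold-to-tier mapping and of the properties the paper requires of every action: time-bounded, logged, reversible, and carried out on metadata only. The threshold values, the set of actions attached to each tier and the pseudonymous user identifiers are constructed assumptions; the SOAR/IAM calls that would enforce the actions are represented by audit records.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Sequence, Tuple

# Response levels, lowest to highest, as named in the paper.
LEVELS = ("observe", "caution", "containment", "suspension")

# Constructed thresholds on the [0, 1] risk score (tau_1 < tau_2 < tau_3); assumed values.
THRESHOLDS = (0.5, 0.7, 0.9)

# Constructed tier-to-action playbook drawn from the actions the paper lists (assumed mapping).
ACTIONS = {
    "observe": [],
    "caution": ["step_up_mfa"],
    "containment": ["step_up_mfa", "throttle_data_transfer", "quarantine_session"],
    "suspension": ["suspend_access"],
}


def response_level(risk: float, thresholds: Sequence[float] = THRESHOLDS) -> str:
    """Map a fused risk score to a tier: the highest threshold it meets wins."""
    if not 0.0 <= risk <= 1.0:
        raise ValueError("risk score must be in [0, 1]")
    if list(thresholds) != sorted(thresholds) or len(thresholds) != len(LEVELS) - 1:
        raise ValueError("thresholds must be ascending, one fewer than levels")
    return LEVELS[sum(1 for t in thresholds if risk >= t)]


@dataclass
class ContainmentAction:
    user_id: str          # pseudonymous identifier only: metadata, never content
    action: str
    level: str
    issued_at: datetime
    expires_at: datetime  # every action is time-bounded
    rolled_back: bool = False


@dataclass
class ARPC:
    ttl: timedelta = timedelta(hours=4)
    audit_log: List[ContainmentAction] = field(default_factory=list)

    def apply(self, user_id: str, risk: float,
              now: Optional[datetime] = None) -> Tuple[str, List[ContainmentAction]]:
        """Activate the tier's playbook; each action is logged with an expiry."""
        now = now or datetime.now(timezone.utc)
        level = response_level(risk)
        issued = []
        for a in ACTIONS[level]:
            rec = ContainmentAction(user_id, a, level, now, now + self.ttl)
            self.audit_log.append(rec)
            issued.append(rec)
        return level, issued

    def rollback(self, user_id: str) -> int:
        """Analyst clearance: revert all active actions for the user; the audit record stays."""
        n = 0
        for rec in self.audit_log:
            if rec.user_id == user_id and not rec.rolled_back:
                rec.rolled_back = True
                n += 1
        return n

    def expire(self, now: datetime) -> int:
        """Lapse any action whose time bound has passed without analyst clearance."""
        n = 0
        for rec in self.audit_log:
            if not rec.rolled_back and rec.expires_at <= now:
                rec.rolled_back = True
                n += 1
        return n


def simulate() -> Tuple[str, int, int, int, int]:
    """Constructed scenario: one user reaches containment and is cleared by an analyst;
    a second reaches suspension and the action lapses at its TTL."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    engine = ARPC(ttl=timedelta(hours=1))
    level, issued = engine.apply("user-0421", 0.82, now=t0)
    rolled = engine.rollback("user-0421")
    engine.apply("user-0777", 0.95, now=t0)
    expired = engine.expire(t0 + timedelta(hours=2))
    return level, len(issued), rolled, len(engine.audit_log), expired


if __name__ == "__main__":
    print(simulate())
```

Keeping rollback and expiry as separate paths matters operationally: clearance by an analyst and lapse of the time bound both end the containment, but the audit log distinguishes them, which is what a later governance review needs.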
6. Modality Contribution and Ablation Sensitivity
To quantify the contribution of each telemetry modality, modality-level ablation is defined as:
where:
;
: performance using all modalities;
: performance after removing modality .
This mathematical formulation transforms AIB-ITD from an architectural framework into a formally defined insider-threat detection model, strengthening its methodological rigor and suitability for IEEE-grade scientific publication.
5. Results and Discussion
This section presents the experimental evaluation of the AIB-ITD framework using the SEI/CMU CERT r4.2 dataset. Data characteristics, model behavior, explainability, risk calibration, automated response performance, and robustness are evaluated under various configurations.
5.1. Dataset Characteristics and Preprocessing
The CERT r4.2 dataset is a widely used benchmark for insider-threat detection, simulating the behavior of approximately 2000 organizational users over an extended period [28,29]. It includes multimodal data such as email metadata, web/HTTP activity, logon/VPN records, and file-access events. All logs were preprocessed and aggregated into user-day representations to ensure consistency across modalities. Continuous features were normalized using min–max scaling, and missing values were handled through median or mode imputation. Sequential inputs were then constructed using a 7-day sliding window and fed into the LSTM Autoencoder for temporal modeling. For development and evaluation, the dataset was split chronologically into training and testing sets using an 80:20 ratio to preserve temporal dependencies and prevent information leakage. All preprocessing, model training, and parameter optimization were performed exclusively on the training set, while the test set was reserved for final evaluation. In addition, five-fold cross-validation was used during development to optimize ensemble weights and assess model stability. The final dataset contained approximately 100,000 user-day records. As shown in Figure 3, the behavioral feature distributions differ across modalities and exhibit heavy-tailed patterns characteristic of enterprise activity logs. Most user-day activity falls within a normal range, while a small proportion shows extreme values, supporting the suitability of the dataset for anomaly-based insider-threat detection. However, the CERT r4.2 dataset also reflects common challenges in real-world insider-threat data, including scarce, ambiguous, and delayed ground-truth labels. As a result, conventional supervised evaluation metrics alone are insufficient. Therefore, this study adopts anomaly-driven evaluation measures, including anomaly score distributions, ranking consistency, and pseudo-labeling based on the upper percentile of anomaly scores. This strategy better reflects practical enterprise settings, where insider threats are rare and often unlabeled, and therefore emphasizes robustness, stability, and relative ranking over strict classification accuracy [30].
The pseudo-label evaluation reflects the nature of real-world insider-threat datasets, in which malicious activities are rare and often confirmed only after extensive forensic investigation. As a result, most benchmark datasets contain incomplete, delayed, or uncertain labels. In prior anomaly-detection studies, users ranked in the top percentile of anomaly scores have often been treated as potential high-risk cases for evaluation. The purpose of this approach is not to measure absolute classification performance but to assess ranking consistency, anomaly separation, and model stability in realistic settings where ground-truth labels are unavailable. To examine the sensitivity of the pseudo-labeling strategy, multiple percentile thresholds were tested during preliminary experiments. The proposed framework showed consistent ranking behavior across these thresholds, with only minor variations in performance metrics. These findings indicate that the framework’s effectiveness does not depend on a single percentile cutoff and that its anomaly-ranking results remain stable across reasonable threshold choices.
The proposed AIB-ITD framework combines several anomaly detection techniques, including Isolation Forest, Autoencoder, PCA reconstruction, and LSTM Autoencoder. Instead of relying exclusively on traditional classification metrics, the evaluation works with anomaly score distributions, ranking consistency, and model agreement. Sequential modeling (LSTM-AE) adds further sensitivity to temporal behavioral drift. Compared with static models, sequential models produce clearer separations between normal and anomalous behavioral patterns, as illustrated in Figure 5. Combining two or more models in an ensemble leads to a stable and consistent risk scoring system. The hybrid approach decreases the variance of the anomaly score and enhances detection robustness across different user profiles compared with the individual models.
Table 2 gives a comparative analysis of the individual anomaly detection models and the proposed ensemble framework. The results reveal that the ensemble model achieves the highest overall performance in terms of anomaly score consistency and pseudo-evaluation metrics, given the complementary strengths of the individual models. The LSTM Autoencoder outperforms standalone methods by effectively capturing temporal patterns and behavioral changes. In contrast, PCA-based approaches demonstrate relatively less robust performance due to their inability to handle complex, non-linear patterns. In addition, the ensemble approach shows the lowest variance of anomaly scores, leading to better stability and robustness across different user behaviors. Static and sequential models can likely be combined into one stable framework for detecting insider threats.
Although anomaly ranking is the evaluation mode best suited to real enterprise environments, we also tested the framework against the official CERT insider-threat scenarios. We extracted the user-days of known malicious activity from the CERT r4.2 dataset and compared them with the normal behavior of users. Our ensemble model achieved an AUC of 0.976 with a precision of 0.89, recall of 0.86, and F1-score of 0.87, showing that the anomaly-based approach performs well on the labeled scenarios as well as in the unlabeled setting, although the ranking is not consistent.
Table 3 compares our proposed AIB-ITD framework with the other insider-threat detection approaches that have been proposed in the literature. Unlike traditional rule-based systems and anomaly detectors, AIB-ITD combines multimodal telemetry fusion, temporal behavioral modeling, explainable artificial intelligence, and automated response in a single operational framework. While some work focuses on discrete aspects of insider-threat detection, few work on detection, explanation, and containment in a single operational system. This comparison shows that the primary contribution of AIB-ITD is the integration of these complementary capabilities in enterprise-scale deployment. Traditional UEBA systems generally rely on static behavioral baselines and rule-driven anomaly scoring. In contrast, the proposed AIB-ITD framework achieved an AUC of 0.976 on CERT insider-threat scenarios while simultaneously incorporating temporal behavioral modeling, explainable AI, and automated response capabilities. These characteristics provide operational advantages beyond conventional UEBA deployments, particularly for detecting evolving insider behaviors and reducing response latency.
The ensemble model increases F1-score by approximately 8–13% compared to individual models and reduces anomaly score variance by up to 40%, demonstrating enhanced stability and consistency. These results confirm the effectiveness of combining static and sequential models within a unified framework.
In contrast to current insider-threat detection approaches, which are based on single-model architectures or static analysis methods [6,15], our AIB-ITD framework shows enhanced robustness through hybrid ensemble modeling and temporal analysis. Where the previous literature largely reports classification accuracy, AIB-ITD focuses primarily on anomaly-ranking consistency and stability, principles more in agreement with real-world deployment conditions. Furthermore, integrating explainable AI with automated response mechanisms distinguishes the framework from conventional UEBA and anomaly detection systems. Unlike such methods, which typically rely on standalone models and static behavioral analysis, AIB-ITD integrates multimodal telemetry with structural and temporal anomaly detection. Moreover, because many existing approaches either focus on classification with labeled datasets or perform poorly without them, AIB-ITD adopts an anomaly-ranking scheme that captures the characteristics of actual enterprise scenarios with few labeled insider incidents. The inclusion of explainable AI with automated response helps distinguish the proposed framework and narrows the gap between detection and operational mitigation.
5.2. Distribution and Calibration of Risk Scores
Equation (8) presents the final insider risk score, a normalized indicator of how far a user's behavior deviates from the norm. The calculated insider risk scores are reported in Figure 8, which shows a distinct division between users in the low-risk and high-risk classifications. Most user-day occurrences lie in the low-risk region, while a small proportion forms the high-risk tail. This distribution corresponds to real enterprise settings, in which insider threats are rare but critical. Because the separation between low- and high-risk users is clear, the framework uses percentile-based segmentation to identify high-risk users rather than fixed classification thresholds; this reduces dependence on potentially unreliable labels and increases operational usability.
5.3. Explainability Analysis Using SHAP
Explainability is one of the core components of the AIB-ITD approach. SHAP values were used to estimate how much each feature contributes to the calculated risk score. As seen in Figure 6, the strongest features are file-modification behavior, unusual VPN sessions, unusual web behavior, and email-attachment behavior, all of which are consistent with known insider-threat indicators. Feature-level explanations allow analysts to interpret detection findings and to understand the behavioral determinants of risk scores, which supports trust building and decision support.
5.4. SHAP Stability and Robustness Analysis
SHAP’s stability was evaluated across a variety of runs and model configurations to ensure reliable explainability. Figure 7 shows that the ranking of feature importance stays consistent and that slight changes in the data do not affect the way the model is understood. Such consistency increases the trustworthiness of the framework and makes it applicable to operational scenarios.
5.5. Automated Response and Operational Impact
The ARPC module translates insider risk scores into actionable mitigation strategies in real time. Unlike traditional detection systems that stop at alert generation, ARPC feeds detection results directly into enforcement mechanisms, forming a closed-loop security response. Two operational metrics were taken into consideration to assess ARPC’s effectiveness:
According to the experimental analysis, the implementation of ARPC reduces response latency compared with manual workflows. As illustrated in Figure 9, the automated response ensures rapid containment of high-risk users and reduces the possible window of damage. In addition, ARPC adopts a risk-tiered approach (Table 1), taking proportionate and policy-compliant measures. Low-risk users are monitored, while high-risk users receive immediate action such as access suspension or network segmentation. The main benefit of ARPC is that it enforces the least-privilege principle dynamically: access rights are adjusted continuously so that the privilege allocated keeps pace with the behavioral risk level. All actions are auditable, reversible, and privacy-preserving, which supports both operational security and compliance.
The operational impact of the Automated Response and Privilege Containment (ARPC) module is shown in Figure 9. The findings show improved response speed and faster containment compared with manual workflows. This indicates the efficiency of combining automation in detection and response procedures to act quickly against potential insider threats.
To better understand the effectiveness of the ARPC module, we conducted simulations using historical insider-threat data from CERT. AIB-ITD detection alerts were processed by the ARPC response engine and compared against a traditional analyst-driven workflow. The automated framework reduced the Mean Time to Detect (MTTD) from 22.4 min to 16.3 min, a 27.2% decrease. Likewise, the Mean Time to Respond (MTTR) was reduced from 72.0 min to 46.8 min, a 35.0% reduction. In addition, 94% of the high-risk incidents were successfully contained in the first response cycle. These results show that ARPC has tangible operational benefits in terms of reducing response time, minimizing exposure windows, and accelerating insider-threat containment.
5.6. Robustness Analysis
The robustness of our proposed AIB-ITD framework is evaluated from several perspectives, including model stability, explainability consistency, modality sensitivity, temporal modeling effectiveness, and operational response reliability. As shown in Table 4, our ensemble framework had the lowest anomaly-score variance of all the models and demonstrated better stability across different user behaviors. SHAP stability analysis (Figure 7) also showed consistent ranking of feature importance across different runs and model configurations.
Table 4.
Robustness evaluation summary of the proposed AIB-ITD framework.
| Robustness Aspect | Evaluation Method | Observation |
|---|---|---|
| Model Stability | Anomaly-score variance (Table 2) | Lowest variance achieved by ensemble model (0.07) |
| Explainability Stability | SHAP Stability Analysis (Figure 7) | Consistent feature rankings across runs |
| Modality Sensitivity | Ablation Study (Figure 10) | Gradual performance degradation after modality removal |
| Temporal Robustness | Static vs Sequential Analysis (Figure 5) | Improved detection of evolving behaviors |
| Operational Robustness | ARPC Evaluation (Figure 9) | Faster response and containment compared with manual workflows |
Figure 10.
Implementing these automated response mechanisms.
Table 4 summarizes the robustness of the proposed AIB-ITD framework. The results show stability in anomaly scoring, consistency in explainability outputs, resilience to the removal of individual telemetry modalities, and improved temporal detection capabilities. These results indicate that the framework is reliable across all evaluated aspects and is suitable for real-world enterprise applications.
5.7. Computational Cost and Deployment Considerations
On the deployment side, the most computationally demanding component is the LSTM Autoencoder, which must process each window sequentially. However, model training takes place offline, and inference is fast enough for close-to-real-time deployment. SHAP explanations are generated only for users who are at high risk, which reduces the computational cost during normal operations. The ARPC module has negligible latency and can be integrated directly with SIEM, SOAR, and IAM systems. Overall, as shown in Table 5, the framework can be scaled to medium and large enterprise deployments while remaining explainable and retaining its automated response capabilities. Our modality-level ablation study also showed that detection performance does not decay much when individual telemetry sources are removed, demonstrating that the proposed AIB-ITD framework does not depend heavily on any single modality. These results illustrate that the AIB-ITD framework is stable and reliable across multiple evaluation domains.
5.8. Modality Contribution and Ablation Analysis
To assess each telemetry modality, an ablation method was applied in which one modality was eliminated at a time during evaluation. The quantitative results of the modality-level ablation analysis are summarized in Table 6, and the corresponding performance trends are illustrated in Figure 10. The file-access and VPN-related features have the largest effect on anomaly detection, with web activity and email communication the next most relevant. The impact of removing individual telemetry modalities (email, web, VPN/logon, and file access) on anomaly detection performance is presented in Figure 10. The results highlight the relative importance of each modality and the robustness of multimodal fusion.
To assess the contribution of each telemetry modality, we conducted a modality-level ablation study by removing one data source at a time while keeping all other framework components unchanged. As summarized in Table 6, the full multimodal framework achieved the best performance (AUC = 0.976), and performance declined in every ablation setting, confirming that each modality contributes meaningful behavioral information for insider-threat detection. The largest drop occurred when file-access features were removed (ΔAUC = −0.073), followed by VPN/logon features (ΔAUC = −0.059), indicating that access behavior and authentication activity are the strongest indicators of insider threat in this framework. Email and web telemetry also improved detection performance, although their contributions were smaller.
Figure 10 further illustrates the performance reduction observed after removing each telemetry source, reinforcing that the complete multimodal configuration provides the highest detection performance and that multimodal fusion is more effective than relying on any single data source.
Performance degradation remains gradual when individual telemetry modalities are removed, demonstrating the robustness of the multimodal fusion strategy.
Figure 10 presents the modality-level ablation results, assessing each telemetry source’s impact. The findings indicate that file access and VPN/logon activities played a more significant role in anomaly detection effectiveness, whereas email and web activity provided supplementary contextual details. The performance degradation detected after eliminating individual modalities confirms the impact of multimodal data fusion for successful insider-threat detection.
5.9. Discussion and Implications
The research results show that the AIB-ITD framework combines static and temporal anomaly detection with explainable AI and automated response. The hybrid models capture both instantaneous anomalies and gradual behavioral drift, while SHAP explanations provide interpretability and transparency. Unlike conventional methods that rely on classification, the framework is based on anomaly ranking and consistency and is therefore more applicable to enterprise-level insider-threat detection in practice, where labeled data is scarce. The inclusion of an automated response improves operations by speeding up responses and reducing exposure to potential risks.
Table 7 presents a structured overview of the principal findings derived from the proposed AIB-ITD framework, clearly correlating analytical results with their respective insights and practical implications. The table outlines the contributions of each component—from data characteristics and feature engineering to hybrid modeling, explainability, and automated response—in improving detection robustness, interpretability, and operational effectiveness. This consolidated view reinforces the value of integrating multimodal data, anomaly-driven modeling, and explainable AI within a unified framework for real-world insider-threat detection.
5.10. Ethical Considerations and Privacy Matters
The AIB-ITD framework is distinguished by its emphasis on privacy and ethical considerations. All experiments use de-identified, openly available data. The system does not inspect sensitive content and processes only behavioral metadata. Privacy-preserving measures include anonymization of user identifiers, audit logging of all actions taken, and SHAP-based explanation of the actions performed. The ARPC module makes all containment actions temporary and reversible, preserving user rights. The model aligns with mature data-protection and security best practices to support ethical use and legal compliance.