
Graph Intelligence Enhanced Bi-Channel Insider Threat Detection

  • Conference paper
Network and System Security (NSS 2022)


For an organization, insider intrusion generally poses far more detrimental threats than outsider intrusion. Traditionally, insider threat is detected by analyzing logged user behaviours and then establishing a binary classifier to distinguish malicious ones. However, most approaches consider user behaviour in an isolated manner, inevitably missing the background information from organizational connections such as a shared supervisor or e-mail interactions. Consequently, the performance of those existing works still has the potential to be enhanced. In this paper, we propose a bi-channel insider threat detection (B-CITD) framework enhanced by graph intelligence to improve the overall performance of existing methods. Firstly, we extract behavioural features from a series of log files as the inner-user channel features. Secondly, we construct an organizational connection graph and extract topological features through a graph neural network (GNN) model as the inter-user channel features. In the end, the features from the inner-user and inter-user channels are combined to perform an insider threat detection task through a binary classification model. Experimental results on the open-source CERT 4.2 dataset show that B-CITD can enhance the performance of insider threat detection by a large margin, compared with using features only from inner-user or inter-user channels. We published our code on GitHub:
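The bi-channel feature construction described in the abstract, as an added example that is not the authors' code or taken from their repository. The log rows, supervisor map and e-mail pairs are constructed, the three behavioural features and the 07:00-19:00 working hours are assumptions, and a single untrained GCN-style propagation step stands in for the trained GNN model.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data (not taken from the CERT 4.2 dataset).
LOGS = [("u1", "logon", 9), ("u1", "email", 10),
        ("u2", "logon", 8), ("u2", "device", 22),
        ("u2", "device", 23), ("u2", "email", 23),
        ("u3", "logon", 9),
        ("u4", "logon", 9), ("u4", "email", 14)]
SUPERVISOR = {"u1": "m1", "u2": "m1", "u3": "m2", "u4": "m2"}
EMAILS = [("u2", "u3")]

def inner_features(logs):
    """Inner-user channel: [total events, after-hours events, device events]."""
    feats = defaultdict(lambda: [0.0, 0.0, 0.0])
    for user, activity, hour in logs:
        feats[user][0] += 1
        feats[user][1] += (hour < 7 or hour >= 19)  # assumed working hours
        feats[user][2] += (activity == "device")
    return dict(feats)

def build_graph(supervisor, emails):
    """Organizational graph: edge on shared supervisor or e-mail interaction."""
    teams, adj = defaultdict(list), defaultdict(set)
    for user, boss in supervisor.items():
        teams[boss].append(user)
    pairs = [p for team in teams.values() for p in combinations(team, 2)]
    for a, b in pairs + list(emails):
        adj[a].add(b)
        adj[b].add(a)
    return adj

def propagate(adj, feats):
    """Untrained GCN-style step: h_i = sum_j x_j / sqrt(d_i * d_j), with self-loops.
    Neighbours that have no feature row are ignored."""
    nbrs = {u: (adj.get(u, set()) & feats.keys()) | {u} for u in feats}
    return {u: [sum(feats[v][k] / (len(nbrs[u]) * len(nbrs[v])) ** 0.5
                    for v in nbrs[u]) for k in range(len(feats[u]))]
            for u in feats}

def bi_channel(logs, supervisor, emails):
    """Concatenate inner-user and inter-user features for each user."""
    inner = inner_features(logs)
    inter = propagate(build_graph(supervisor, emails), inner)
    return {u: inner[u] + inter[u] for u in inner}

if __name__ == "__main__":
    for user, vec in sorted(bi_channel(LOGS, SUPERVISOR, EMAILS).items()):
        print(user, [round(x, 3) for x in vec])
```

In this sample, u1 and u4 have identical inner-user features, but only u1's inter-user after-hours value is non-zero because u1 shares a supervisor with u2; the combined vector is what a binary classifier would then consume.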



Corresponding author

Correspondence to Jiao Yin.


© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Hong, W. et al. (2022). Graph Intelligence Enhanced Bi-Channel Insider Threat Detection. In: Yuan, X., Bai, G., Alcaraz, C., Majumdar, S. (eds) Network and System Security. NSS 2022. Lecture Notes in Computer Science, vol 13787. Springer, Cham.

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-23019-6

  • Online ISBN: 978-3-031-23020-2

  • eBook Packages: Computer Science, Computer Science (R0)
