Insider Threat Detection Using GCN and Bi-LSTM with Explicit and Implicit Graph Representations

Rahul Yumlembam, Biju Issac, Seibu Mary Jacob, Longzhi Yang, Deepa Krishnan

Research output: Contribution to journal › Article › peer-review


Abstract

Insider threat detection (ITD) remains a significant challenge in cybersecurity due to the concealed nature of malicious activities by trusted insiders. This paper introduces a novel post-hoc ITD framework that enhances detection capabilities by integrating explicit and implicit graph structures with a temporal component to analyse user behaviour effectively. We construct an explicit graph using predefined rules that capture user activities within an organisation’s network, providing insights into explicit relationships between actions. To address potential noise and sub-optimality in the explicit graph, we complement it with an implicit graph derived from feature similarities using the Gumbel-softmax trick, which refines the structure by leveraging underlying patterns. Both graphs are processed through separate Graph Convolutional Networks (GCNs) to produce node embeddings, which are then concatenated and refined using an attention mechanism to emphasise critical features for threat detection. These refined embeddings are subsequently fed into a bidirectional Long Short-Term Memory (Bi-LSTM) network to capture the temporal dynamics of user behaviour. The model flags activities as anomalous if their probability scores fall below a predefined threshold. Extensive evaluations on two CERT datasets, r5.2 and r6.2, demonstrate that our framework significantly outperforms state-of-the-art methods. On the r5.2 dataset, our model achieves an Area Under the Curve (AUC) of 98.62, a perfect Detection Rate (DR) of 100%, and a low False Positive Rate (FPR) of 0.05. For the more challenging r6.2 dataset, the model achieves an AUC of 88.48, a DR of 80.15%, and an FPR of 0.15. These results illustrate that combining explicit and implicit graph representations, along with advanced sequential modelling, leads to a robust ITD solution capable of effectively distinguishing between normal and abnormal activities, even in complex scenarios.
Original language: English
Pages (from-to): 1-12
Number of pages: 12
Journal: IEEE Transactions on Artificial Intelligence
Early online date: 22 Dec 2025
DOIs
Publication status: E-pub ahead of print - 22 Dec 2025

Keywords

  • Anomaly Detection
  • Attention Mechanism
  • Bi-LSTM
  • Cybersecurity
  • Deep Learning
  • Graph Convolutional Network (GCN)
  • Insider Threat Detection
  • Machine Learning
  • Temporal Analysis
  • User Behavior Analysis
