| Issue | ITM Web Conf. Volume 79, 2025, International Conference on Knowledge Engineering and Information Systems (KEIS-2025) |
|---|---|
| Article Number | 01012 |
| Number of page(s) | 8 |
| DOI | https://doi.org/10.1051/itmconf/20257901012 |
| Published online | 08 October 2025 |
Profiling User Behavior to Identify Insider Threats in Enterprise Information Systems
1 Department of Computer Science and Engineering, A.G.M. Rural College of Engineering and Technology, Dharwad, India
2 Department of Information Science and Engineering, Cambridge Institute of Technology, Bengaluru, India
3 Department of Computer Science and Engineering, Global Academy of Technology, Bengaluru, India
4 Department of Computer Science and Engineering, Cambridge Institute of Technology, Bengaluru, India
5 Department of Information Science and Engineering, A P S College of Engineering, Bengaluru, India
6 Department of Computer and Communication Engineering, NMAM Institute of Technology, Nitte (Deemed to be University), Nitte, Udupi, India
* Corresponding author: rakesh.tech102@gmail.com
Insider threats pose a significant challenge to enterprise information systems due to their subtle and context-dependent nature. Unlike external attacks, these threats emerge from authorized users whose behavior gradually deviates from established norms. This work presents a lightweight, interpretable framework for detecting insider threats through user behavior profiling. Session-based features such as login variability, off-hours activity, file access diversity, and USB bursts are extracted to characterize behavioral deviations over time. The framework employs Isolation Forest and One-Class SVM for anomaly detection, combining their outputs using a weighted score fusion strategy. Experiments were conducted on both a custom-generated synthetic dataset and the publicly available CERT Insider Threat Dataset v6.2. Results show that the fusion-based approach outperforms traditional baselines—including Z-score, Local Outlier Factor, and Autoencoders—achieving an F1-score of 0.89 on synthetic data and 0.83 on CERT, with corresponding AUC scores of 0.94 and 0.89. These findings confirm the effectiveness of combining interpretable features with ensemble anomaly detection in identifying insider risks, while maintaining compatibility with privacy-aware and distributed enterprise environments.
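The weighted score fusion of Isolation Forest and One-Class SVM described in the abstract, shown as an added example that is not the authors' implementation. The constructed session data, the feature names, the equal fusion weights, the min-max normalisation and the top-5% flagging rule are all assumptions; it requires NumPy and scikit-learn.

```python
import numpy as np
from sklearn.ensemble import IsolationForest
from sklearn.preprocessing import StandardScaler
from sklearn.svm import OneClassSVM

# Hypothetical names for the session features listed in the abstract.
FEATURES = ["login_hour_std", "off_hours_ratio", "distinct_files", "usb_burst_count"]

def make_sessions(rng, n, drift=0.0):
    """Constructed per-session features; drift > 0 moves every feature away from the norm."""
    return np.column_stack([
        rng.normal(1.0 + 3.0 * drift, 0.3, n),    # login-time variability (hours)
        rng.normal(0.05 + 0.6 * drift, 0.02, n),  # share of activity outside working hours
        rng.normal(20 + 150 * drift, 5, n),       # distinct files accessed
        rng.normal(0.2 + 8 * drift, 0.4, n),      # USB events within a short window
    ])

def minmax(a):
    """Rescale one detector's scores to [0, 1] so the two detectors are comparable."""
    return (a - a.min()) / (a.max() - a.min())

def fused_scores(baseline, sessions, w_iforest=0.5):
    """Fit both detectors on baseline behaviour, return fused anomaly scores for sessions."""
    scaler = StandardScaler().fit(baseline)
    xb, xs = scaler.transform(baseline), scaler.transform(sessions)
    iforest = IsolationForest(n_estimators=200, random_state=0).fit(xb)
    ocsvm = OneClassSVM(kernel="rbf", gamma="scale", nu=0.05).fit(xb)
    # Both scikit-learn scores are higher for normal points; negate so higher = more anomalous.
    s_if = minmax(-iforest.score_samples(xs))
    s_svm = minmax(-ocsvm.decision_function(xs))
    return w_iforest * s_if + (1.0 - w_iforest) * s_svm

def flag(scores, fraction=0.05):
    """Indices of the highest-scoring fraction of sessions (assumed review budget)."""
    k = max(1, int(round(fraction * len(scores))))
    return set(np.argsort(scores)[::-1][:k].tolist())

def demo():
    rng = np.random.default_rng(7)
    baseline = make_sessions(rng, 500)            # established norm
    sessions = np.vstack([make_sessions(rng, 200),
                          make_sessions(rng, 5, drift=1.0)])  # 5 deviant sessions appended
    injected = set(range(200, 205))
    scores = fused_scores(baseline, sessions)
    return scores, flag(scores), injected

if __name__ == "__main__":
    scores, flagged, injected = demo()
    print("flagged:", sorted(flagged), "missed:", sorted(injected - flagged))
```
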
© The Authors, published by EDP Sciences, 2025
This is an Open Access article distributed under the terms of the Creative Commons Attribution License 4.0, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

