Behavioural Biometrics and Continuous Authentication for Insider Threat Detection in Enterprise Networks

Identifying insider threats in modern enterprise environments presents a unique cybersecurity challenge. Although malicious activity may often appear to be legitimate user activity, it is difficult to recognize the distinction. This study presents an innovative approach to insider threat detection by analyzing enterprise activity logs for continuous authentication along with behavioural biometrics. Behavioural patterns, such as logins, file accesses, network interactions and emails, are analyzed to determine abnormal behaviours of users. The proposed system utilizes a hybrid deep learning architecture that includes a Long Short-Term Memory (LSTM) network and an autoencoder model to model temporal dependence of a user’s behaviour and to identify anomalies through reconstruction error analysis. The LSTM network captures user’s sequential activity and autoencoder determines variance from the user’s typical behavioural profile. The outputs of both models are aggregated using a unified behavioural risk scoring mechanism for continuous authentication and an ongoing assessment of insider threats. The experimental results from Insider Threat Dataset for Corporate Environments demonstrate that proposed approach is effective in classifying normal versus malicious behaviours of users. The model achieves of 97.65% an accuracy, of 96.35% a precision, of 99.05% a recall rate, of 97.68% an F1-score and a Receiver Operating Characteristic - Area Under Curve (ROC-AUC) score of 99.20%, which indicates a high level of detection capability and very low false positives. The findings support that a developed model is a viable solution for integrating behavioural modelling, detection of anomalies.