Insider threats pose a significant challenge to enterprise information systems because they are subtle and context-dependent. Unlike external attacks, they originate from authorized users whose behavior gradually drifts away from established norms. This work presents a lightweight, interpretable framework for detecting insider threats through user behavior profiling. Session-based features such as login variability, off-hours activity, file access diversity, and USB bursts are extracted to characterize behavioral deviations over time. The framework employs Isolation Forest and One-Class SVM for anomaly detection and combines their outputs using a weighted score fusion strategy. Experiments were conducted on both a custom-generated synthetic dataset and the publicly available CERT Insider Threat Dataset v6.2. The fusion-based approach outperforms traditional baselines (Z-score, Local Outlier Factor, and Autoencoders), achieving an F1-score of 0.89 on synthetic data and 0.83 on CERT, with corresponding AUC scores of 0.94 and 0.89. These findings indicate that combining interpretable features with ensemble anomaly detection is effective at identifying insider risks while remaining compatible with privacy-aware and distributed enterprise environments.
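The pipeline the abstract describes (session feature extraction, two unsupervised scorers, weighted score fusion) as an added, self-contained example; this is not the paper's code and its feature definitions are assumptions of mine, not the authors'. The event log is constructed inline, the Isolation Forest is a compact pure-Python implementation of the standard random-split/path-length algorithm, and because a One-Class SVM is not practical to implement in a few lines, the second scorer is a labelled stand-in (z-scored distance from the feature centroid) that occupies the same slot in the fusion.

```python
import math
import random
from collections import defaultdict
from datetime import datetime

# --- constructed synthetic event log: (user, "YYYY-MM-DD HH:MM", kind, detail) ---
def make_session(user, day, logon_hour, files, usb_times=()):
    ev = [(user, f"2024-01-{day:02d} {logon_hour:02d}:00", "logon", "")]
    for i, f in enumerate(files):
        ev.append((user, f"2024-01-{day:02d} {logon_hour + 1 + i // 4:02d}:{(i * 7) % 60:02d}", "file", f))
    for t in usb_times:
        ev.append((user, f"2024-01-{day:02d} {t}", "usb", "connect"))
    return ev

EVENTS = []
for u, h in [("alice", 8), ("bob", 9), ("carol", 8)]:          # regular 08:00/09:00 workers
    for day in (1, 2, 3):
        EVENTS += make_session(u, day, h, [f"{u}_doc{j}.docx" for j in range(3)])
EVENTS += make_session("dave", 1, 9, ["dave_doc0.docx", "dave_doc1.docx"])
EVENTS += make_session("dave", 2, 9, ["dave_doc1.docx", "dave_doc2.docx"])
# day 3: 02:00 logon, 12 distinct HR spreadsheets, six USB connects in five minutes
EVENTS += make_session("dave", 3, 2, [f"hr/salary_{j}.xlsx" for j in range(12)],
                       usb_times=["02:05", "02:06", "02:07", "02:08", "02:09", "02:10"])

# --- session features: login deviation, off-hours events, distinct files, USB burst size ---
def extract_features(events, off_start=19, off_end=7, burst_window_min=10):
    sessions = defaultdict(list)                      # one session per (user, calendar day)
    for user, ts, kind, detail in events:
        sessions[(user, ts[:10])].append((datetime.strptime(ts, "%Y-%m-%d %H:%M"), kind, detail))
    first_logon = {k: min(t for t, kind, _ in evs if kind == "logon").hour for k, evs in sessions.items()}
    baseline = defaultdict(list)                      # per-user history of first-logon hours
    for (user, _), h in first_logon.items():
        baseline[user].append(h)
    keys, X = [], []
    for key in sorted(sessions):
        user, _ = key
        evs = sessions[key]
        mean_h = sum(baseline[user]) / len(baseline[user])
        login_dev = abs(first_logon[key] - mean_h)    # login variability vs. own baseline
        off_hours = sum(1 for t, _, _ in evs if t.hour >= off_start or t.hour < off_end)
        file_div = len({d for _, kind, d in evs if kind == "file"})
        usb = [t for t, kind, _ in evs if kind == "usb"]
        burst = max((sum(1 for u in usb if 0 <= (u - s).total_seconds() <= burst_window_min * 60)
                     for s in usb), default=0)        # most USB events in any sliding window
        keys.append(key)
        X.append([login_dev, off_hours, file_div, burst])
    return keys, X

# --- Isolation Forest (Liu et al. algorithm, compact pure-Python version) ---
def _c(n):  # expected path length of an unsuccessful BST search, used to normalise depths
    return 0.0 if n <= 1 else 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n

def _build(X, depth, max_depth, rng):
    if depth >= max_depth or len(X) <= 1:
        return ("leaf", len(X))
    d = rng.randrange(len(X[0]))
    lo, hi = min(x[d] for x in X), max(x[d] for x in X)
    if lo == hi:
        return ("leaf", len(X))
    split = rng.uniform(lo, hi)
    return ("node", d, split,
            _build([x for x in X if x[d] < split], depth + 1, max_depth, rng),
            _build([x for x in X if x[d] >= split], depth + 1, max_depth, rng))

def _path(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, d, split, left, right = tree
    return _path(left if x[d] < split else right, x, depth + 1)

def iforest_scores(X, n_trees=100, sample=32, seed=0):
    rng, psi = random.Random(seed), min(sample, len(X))
    trees = [_build(rng.sample(X, psi), 0, math.ceil(math.log2(psi)), rng) for _ in range(n_trees)]
    return [2 ** (-(sum(_path(t, x) for t in trees) / n_trees) / _c(psi)) for x in X]  # ~1 = anomalous

# --- stand-in for the paper's One-Class SVM: z-scored distance from the centroid (assumption) ---
def centroid_scores(X):
    n, d = len(X), len(X[0])
    mean = [sum(x[j] for x in X) / n for j in range(d)]
    std = [max((sum((x[j] - mean[j]) ** 2 for x in X) / n) ** 0.5, 1e-9) for j in range(d)]
    return [math.sqrt(sum(((x[j] - mean[j]) / std[j]) ** 2 for j in range(d))) for x in X]

# --- weighted score fusion: min-max normalise each scorer, then weighted sum ---
def minmax(scores):
    lo, hi = min(scores), max(scores)
    return [(s - lo) / (hi - lo) if hi > lo else 0.0 for s in scores]

def fuse_scores(iso, svm, w_iso=0.6):
    return [w_iso * a + (1 - w_iso) * b for a, b in zip(minmax(iso), minmax(svm))]

def detect(events, w_iso=0.6, threshold=0.5):
    """Return [(session_key, fused_score)] above threshold, highest first."""
    keys, X = extract_features(events)
    fused = fuse_scores(iforest_scores(X), centroid_scores(X), w_iso)
    flagged = [(k, round(f, 3)) for k, f in zip(keys, fused) if f >= threshold]
    return sorted(flagged, key=lambda kv: -kv[1])

if __name__ == "__main__":
    for key, score in detect(EVENTS):
        print(key, score)
```

The fusion weight and threshold are tuning knobs, not values from the paper; in practice they would be set on a labelled validation slice (the paper reports F1 and AUC, which implies exactly that kind of sweep). Because every feature is a plain count or deviation, an analyst can read back why a session was flagged, which is the interpretability argument the abstract makes.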
B M Shantabhushana
D. Sudarsanan
Praveen Kumar
ITM Web of Conferences
www.synapsesocial.com/papers/68e7d631bd66d359be626709 — DOI: https://doi.org/10.1051/itmconf/20257901012