Insider Threat Detection Using Knowledge Graphs and RiskScore-Guided Graph Neural Networks

Authors

  • Van Duong Thi, Department of Network Systems, Infrastructure and Information Technology, Institute of Information Technology, Vietnam Academy of Science and Technology, Vietnam
  • Thang Tran Duc, Department of Network Systems, Infrastructure and Information Technology, Institute of Information Technology, Vietnam Academy of Science and Technology, Vietnam
  • The Vinh Nguyen, Department of Network Systems, Infrastructure and Information Technology, Institute of Information Technology, Vietnam Academy of Science and Technology, Vietnam
  • Huy-Minh Pham Luong, Department of Network Systems, Infrastructure and Information Technology, Institute of Information Technology, Vietnam Academy of Science and Technology, Vietnam
Volume: 16 | Issue: 2 | Pages: 33712-33721 | April 2026 | https://doi.org/10.48084/etasr.17187

Abstract

Insider threats remain a critical challenge in enterprise environments due to the difficulty of distinguishing malicious actions from legitimate user activities. This paper proposes a RiskScore-guided Graph Neural Network (R-GNN) framework for insider threat detection. The framework builds a Knowledge Graph (KG) from heterogeneous enterprise audit logs to represent users, resources, and their interactions, and a formally defined RiskScore is computed from behavioral deviations and incorporated as a guidance signal within graph-based learning. The RiskScore aggregates domain-informed indicators, such as abnormal access frequency and temporal irregularities, into a unified semantic representation that complements the relational structure encoded in the KG. Experiments conducted on the CERT r4.2 insider threat dataset demonstrate that the proposed approach consistently outperforms existing graph-based and sequence-based baselines. Moreover, by integrating RiskScore as an explicit input to the GNN, the framework enables detection results to be interpretable in terms of contributing behavioral risk factors and relational context, providing a practical and effective solution for risk-aware and interpretable insider threat detection in enterprise environments.
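The abstract describes three ingredients: a Knowledge Graph built from audit logs, a RiskScore aggregated from behavioral deviation indicators (abnormal access frequency, temporal irregularities), and that score fed to a GNN as an explicit node input. The following is an added illustrative example and is not the paper's code or its formal RiskScore definition: it assumes a simple two-indicator score (a z-score-style deviation of a user's busiest day from their own daily mean, plus the fraction of off-hours events) and constructs a small audit log in memory. The weights, the business-hours window, and the feature layout are assumptions made here for illustration.

```python
# Added illustrative example; not the paper's implementation or RiskScore formula.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit log (user,resource,ISO timestamp). Not CERT data.
# alice: two accesses per day for three days, then a burst of six on day four,
# three of them late at night and touching resources she rarely uses.
# bob: a flat two accesses per day, all in business hours.
AUDIT_LOG = [
    "alice,fs01,2024-03-04T09:10:00", "alice,fs02,2024-03-04T14:30:00",
    "alice,fs01,2024-03-05T10:05:00", "alice,fs02,2024-03-05T15:40:00",
    "alice,fs01,2024-03-06T09:50:00", "alice,fs02,2024-03-06T16:20:00",
    "alice,fs01,2024-03-07T09:00:00", "alice,fs02,2024-03-07T11:00:00",
    "alice,hr_share,2024-03-07T13:00:00", "alice,hr_share,2024-03-07T22:15:00",
    "alice,hr_share,2024-03-07T23:05:00", "alice,fs03,2024-03-07T23:50:00",
    "bob,fs01,2024-03-04T09:00:00", "bob,fs01,2024-03-04T13:00:00",
    "bob,fs01,2024-03-05T09:00:00", "bob,fs01,2024-03-05T13:00:00",
    "bob,fs01,2024-03-06T09:00:00", "bob,fs01,2024-03-06T13:00:00",
    "bob,fs01,2024-03-07T09:00:00", "bob,fs01,2024-03-07T13:00:00",
]


def parse_log(lines):
    """Parse 'user,resource,timestamp' lines into (user, resource, datetime) tuples."""
    events = []
    for line in lines:
        user, resource, ts = line.strip().split(",")
        events.append((user, resource, datetime.fromisoformat(ts)))
    return events


def build_knowledge_graph(events):
    """Bipartite KG: user -> {resource: access count}; the count is the edge weight."""
    kg = defaultdict(lambda: defaultdict(int))
    for user, resource, _ in events:
        kg[user][resource] += 1
    return kg


def frequency_deviation(events, user):
    """Abnormal-frequency indicator: distance of the user's busiest day from
    their own daily mean, in population standard deviations (0 if no spread)."""
    per_day = defaultdict(int)
    for u, _, ts in events:
        if u == user:
            per_day[ts.date()] += 1
    counts = list(per_day.values())
    if len(counts) < 2:
        return 0.0
    sd = pstdev(counts)
    return 0.0 if sd == 0 else (max(counts) - mean(counts)) / sd


def off_hours_ratio(events, user, start=8, end=18):
    """Temporal-irregularity indicator: fraction of the user's events outside
    the assumed business window [start, end) in local hours."""
    own = [ts for u, _, ts in events if u == user]
    if not own:
        return 0.0
    return sum(1 for ts in own if not start <= ts.hour < end) / len(own)


def risk_score(events, user, w_freq=0.5, w_time=0.5):
    """Assumed RiskScore form: weighted sum of the two deviation indicators."""
    return w_freq * frequency_deviation(events, user) + w_time * off_hours_ratio(events, user)


def node_features(events):
    """Per-user feature vector a GNN would consume alongside the KG edges:
    [distinct resources touched, total accesses, RiskScore]."""
    kg = build_knowledge_graph(events)
    return {
        user: [len(res), sum(res.values()), risk_score(events, user)]
        for user, res in kg.items()
    }


if __name__ == "__main__":
    feats = node_features(parse_log(AUDIT_LOG))
    for user, vec in sorted(feats.items(), key=lambda kv: -kv[1][2]):
        print(f"{user:6s} resources={vec[0]} accesses={vec[1]} risk={vec[2]:.3f}")
```

The point an analyst gets from the feature vector is the one the abstract calls interpretability: alice's score is high because of a specific frequency burst and a specific off-hours fraction, each of which can be read back from the indicators, while the KG edges (hr_share, fs03 accessed only on the anomalous day) give the relational context. A real deployment would compute the baseline from a longer history and over peer groups, not four days of one user.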

Keywords

RiskScore, insider threat detection, Knowledge Graph (KG), Graph Neural Network (GNN), explainable security analytics




How to Cite

V. D. Thi, T. T. Duc, T. V. Nguyen, and H.-M. P. Luong, “Insider Threat Detection Using Knowledge Graphs and RiskScore-Guided Graph Neural Networks”, Eng. Technol. Appl. Sci. Res., vol. 16, no. 2, pp. 33712–33721, Apr. 2026.
