MambaITD: An Efficient Cross-Modal Mamba Network for Insider Threat Detection
Kaichuan Kong, Dongjie Liu, Xiaobo Jin, Zhiying Li, Guanggang Geng, Jian Weng

TL;DR
MambaITD introduces a novel cross-modal network leveraging the Mamba state space model and adaptive fusion to enhance insider threat detection by modeling long-range dependencies and dynamically adjusting decision thresholds.
Contribution
The paper presents a new insider threat detection framework that improves modeling efficiency, feature fusion, and anomaly identification over existing methods, including Transformer-based approaches.
Findings
Outperforms traditional methods in detection accuracy
Enhances modeling efficiency and feature fusion capabilities
Effectively handles class imbalance and concept drift
Abstract
Enterprises face increasing risks from insider threats, yet existing detection methods cannot effectively address them because of insufficient modeling of temporal dynamic features, computational-efficiency and real-time bottlenecks, and the cross-modal information island problem. This paper proposes a new insider threat detection framework, MambaITD, based on the Mamba state space model and cross-modal adaptive fusion. First, the multi-source log preprocessing module aligns heterogeneous data through behavioral sequence encoding, interval smoothing, and statistical feature extraction. Second, the Mamba encoder models long-range dependencies in behavioral and interval sequences, and a gated feature fusion mechanism dynamically combines the sequence and statistical information. Finally, we propose an adaptive threshold optimization method…
Taxonomy
Topics: Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications · Network Security and Intrusion Detection
