Log2Sig: Frequency-Aware Insider Threat Detection via Multivariate Behavioral Signal Decomposition
Kaichuan Kong, Dongjie Liu, Xiaobo Jin, Zhiying Li, Guanggang Geng

TL;DR
Log2Sig introduces a frequency-aware approach to insider threat detection by decomposing user logs into multiscale behavioral signals, enabling more accurate anomaly detection through joint modeling of sequences and frequency components.
Contribution
The paper presents Log2Sig, a novel framework that leverages multivariate variational mode decomposition to capture frequency dynamics in user logs for improved threat detection.
Findings
Outperforms state-of-the-art methods in accuracy and F1 score.
Effectively captures multiscale behavioral fluctuations.
Demonstrates robustness on CERT datasets.
Abstract
Insider threat detection presents a significant challenge due to the deceptive nature of malicious behaviors, which often resemble legitimate user operations. However, existing approaches typically model system logs as flat event sequences, thereby failing to capture the inherent frequency dynamics and multiscale disturbance patterns embedded in user behavior. To address these limitations, we propose Log2Sig, a robust anomaly detection framework that transforms user logs into multivariate behavioral frequency signals, introducing a novel representation of user behavior. Log2Sig employs Multivariate Variational Mode Decomposition (MVMD) to extract Intrinsic Mode Functions (IMFs), which reveal behavioral fluctuations across multiple temporal scales. Based on this, the model further performs joint modeling of behavioral sequences and frequency-decomposed signals: the daily behavior…
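The representation step the abstract describes, as an added example that is not the Log2Sig authors' code: a flat per-user event log is turned into a multivariate daily behavioral signal (one count series per activity channel), each channel is split into band-limited components, and days are ranked by how far the finest component departs from the user's own rhythm. The log format (`date,user,activity`), the CERT-style channel names, the 28-day window, the three frequency bands, and the squared-z-score day scoring are all assumptions made for this illustration; the fixed DFT band split is a stand-in for the data-adaptive MVMD decomposition the paper uses, and the sample log is constructed, not real data.

```python
"""Added example (not the Log2Sig authors' code): flat event log -> multivariate
daily behavioral signals -> fixed frequency-band split (stand-in for MVMD IMFs)
-> per-day anomaly score from the fine-scale component of every channel."""
import cmath
import math
from collections import Counter
from datetime import date, timedelta

# Activity channels modelled after the CERT log types (assumed names).
CHANNELS = ("logon", "device", "http", "email", "file")
START = date(2024, 1, 1)  # a Monday; 28 days gives four full weekly cycles
NDAYS = 28
# Bands in cycles per 28-day window: trend (>=14 d), weekly rhythm (~5.6-9.3 d),
# fine (<=4.7 d). Fixed a priori here; MVMD would instead learn band centres
# shared across channels from the data.
BANDS = [(0, 2), (3, 5), (6, NDAYS // 2)]


def make_sample_log():
    """Constructed sample data, not a real dataset: one user with a steady
    weekday routine and one day (index 17 = 2024-01-18) of unusual
    removable-media and file activity. Lines are "YYYY-MM-DD,user,activity"."""
    weekday_counts = {"logon": 2, "device": 0, "http": 40, "email": 10, "file": 5}
    burst = {"device": 12, "file": 30}  # hypothetical exfiltration-like day
    lines = []
    for d in range(NDAYS):
        day = START + timedelta(days=d)
        counts = dict(weekday_counts) if day.weekday() < 5 else {c: 0 for c in CHANNELS}
        if d == 17:
            counts.update(burst)
        for act, n in counts.items():
            lines.extend(f"{day.isoformat()},u001,{act}" for _ in range(n))
    return "\n".join(lines)


def parse_log(text):
    """Parse "date,user,activity" lines into (date, user, activity) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        d, user, act = line.strip().split(",")
        events.append((date.fromisoformat(d), user, act))
    return events


def build_signals(events, user, start=START, ndays=NDAYS):
    """Log -> multivariate behavioral signal: one daily-count series per channel."""
    counts = Counter((d, act) for d, u, act in events if u == user)
    return {
        ch: [float(counts[(start + timedelta(days=i), ch)]) for i in range(ndays)]
        for ch in CHANNELS
    }


def dft(x):
    n = len(x)
    return [sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)) for k in range(n)]


def idft(X):
    n = len(X)
    return [sum(X[k] * cmath.exp(2j * math.pi * k * t / n) for k in range(n)).real / n for t in range(n)]


def decompose(signal, bands=BANDS):
    """Split one channel into band-limited components. bands are (k_lo, k_hi)
    in cycles per window, inclusive; the mirror bin n-k is kept with k so every
    component is real. Because the bands partition the spectrum, the components
    sum back to the original signal."""
    n = len(signal)
    X = dft(signal)
    comps = []
    for k_lo, k_hi in bands:
        Y = [X[k] if k_lo <= min(k, n - k) <= k_hi else 0j for k in range(n)]
        comps.append(idft(Y))
    return comps


def zscores(x):
    mu = sum(x) / len(x)
    sd = math.sqrt(sum((v - mu) ** 2 for v in x) / len(x)) or 1.0  # flat channel -> z = 0
    return [(v - mu) / sd for v in x]


def rank_days(signals, bands=BANDS, start=START):
    """Per-day anomaly score: sum over channels of the squared z-score of the
    finest component, so a burst that breaks the user's own rhythm on any
    channel stands out. Returns (date, score) pairs, most anomalous first."""
    n = len(next(iter(signals.values())))
    scores = [0.0] * n
    for sig in signals.values():
        fine = decompose(sig, bands)[-1]
        for i, z in enumerate(zscores(fine)):
            scores[i] += z * z
    order = sorted(range(n), key=lambda i: scores[i], reverse=True)
    return [(start + timedelta(days=i), scores[i]) for i in order]


if __name__ == "__main__":
    sigs = build_signals(parse_log(make_sample_log()), "u001")
    for day, score in rank_days(sigs)[:3]:
        print(day, round(score, 2))
```

The weekday/weekend square wave leaks its harmonics into the fixed fine band (a 7-day rhythm in a 28-point window sits at bins 4, 8 and 12), which is why the scoring is relative to each channel's own fine-component distribution rather than an absolute threshold; that leakage is the kind of non-sinusoidal behavioral rhythm a data-adaptive decomposition such as MVMD is meant to isolate into its own mode instead.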
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
