Chimera: Harnessing Multi-Agent LLMs for Automatic Insider Threat Simulation

TL;DR

Chimera is a novel multi-agent LLM framework that automatically simulates insider threats, creating realistic datasets to improve detection methods in sensitive enterprise environments.

Contribution

This paper introduces Chimera, the first multi-agent LLM system for generating realistic insider threat data, addressing data scarcity and enhancing detection benchmarks.

Findings

ChimeraLog is diverse and realistic, validated by human studies.

Existing ITD methods perform poorly on ChimeraLog, indicating higher realism.

Models trained on ChimeraLog generalize well despite distribution shifts.

Abstract

Insider threats pose a persistent and critical security risk, yet are notoriously difficult to detect in complex enterprise environments, where malicious actions are often hidden within seemingly benign user behaviors. Although machine-learning-based insider threat detection (ITD) methods have shown promise, their effectiveness is fundamentally limited by the scarcity of high-quality and realistic training data. Enterprise internal data is highly sensitive and rarely accessible, while existing public and synthetic datasets are either small-scale or lack sufficient realism, semantic richness, and behavioral diversity. To address this challenge, we propose Chimera, an LLM-based multi-agent framework that automatically simulates both benign and malicious insider activities and generates comprehensive system logs across diverse enterprise environments. Chimera models each agent as an individual employee with fine-grained roles and supports group meetings, pairwise interactions, and self-organized scheduling to capture realistic organizational dynamics. Based on 15 insider attacks abstracted from real-world incidents, we deploy Chimera in three representative data-sensitive organizational scenarios and construct ChimeraLog, a new dataset for developing and evaluating ITD methods. We evaluate ChimeraLog through human studies and quantitative analyses, demonstrating its diversity and realism. Experiments with existing ITD methods show substantially lower detection performance on ChimeraLog compared to prior datasets, indicating a more challenging and realistic benchmark. Moreover, despite distribution shifts, models trained on ChimeraLog exhibit strong generalization, highlighting the practical value of LLM-based multi-agent simulation for advancing insider threat detection.