TL;DR
This paper introduces RMSL, a weakly-supervised learning framework that uses multiple hyper-spheres and adaptive self-training to improve insider threat detection from sequence-level labels, reducing annotation costs and enhancing detection accuracy.
Contribution
The paper proposes a novel RMSL framework that leverages weak sequence-level labels and multiple hyper-spheres to effectively detect behavior-level insider threats, addressing annotation and ambiguity challenges.
Findings
Significant performance improvement over existing methods.
Effective use of weak labels for behavior-level anomaly detection.
Robust hyper-sphere representation enhances detection accuracy.
Abstract
Insider threat detection aims to identify malicious user behavior by analyzing logs that record user interactions. Due to the lack of fine-grained behavior-level annotations, detecting specific behavior-level anomalies within user behavior sequences is challenging. Unsupervised methods face high false positive rates and miss rates due to the inherent ambiguity between normal and anomalous behaviors. In this work, we instead introduce weak labels of behavior sequences, which have lower annotation costs, i.e., the training labels (anomalous or normal) are at sequence-level instead of behavior-level, to enhance the detection capability for behavior-level anomalies by learning discriminative features. To achieve this, we propose a novel framework called Robust Multi-sphere Learning (RMSL). RMSL uses multiple hyper-spheres to represent the normal patterns of behaviors. Initially, a one-class…
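The abstract's two ideas, several hyper-spheres standing in for distinct normal behavior patterns and weak labels given only per sequence, can be sketched in a few dozen lines. The block below is an added illustration, not the paper's RMSL code: it fits k spheres to behaviors taken from sequences weakly labelled normal, scores each behavior by its radius-normalised distance to the nearest sphere, and treats a sequence as anomalous as its most deviant behavior (the multiple-instance view). The 2-D feature vectors, the two normal modes and the planted off-pattern behaviors are constructed toy data.

```python
import math
import random

def _dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def fit_spheres(behaviors, k):
    """Fit k hyper-spheres to normal behavior vectors: farthest-first seeding,
    a few Lloyd iterations, then radius = farthest behavior assigned to the centre."""
    centers = [behaviors[0]]
    while len(centers) < k:
        centers.append(max(behaviors, key=lambda b: min(_dist(b, c) for c in centers)))
    for _ in range(10):
        groups = [[] for _ in centers]
        for b in behaviors:
            groups[min(range(k), key=lambda i: _dist(b, centers[i]))].append(b)
        centers = [tuple(sum(col) / len(g) for col in zip(*g)) if g else c
                   for g, c in zip(groups, centers)]
    radii = [max((_dist(b, c) for b in g), default=0.0) for g, c in zip(groups, centers)]
    return list(zip(centers, radii))

def behavior_score(b, spheres):
    """Deviation of one behavior from the nearest sphere, normalised by its radius:
    <= 1 means the behavior lies inside a learned normal pattern."""
    return min(_dist(b, c) / (r + 1e-9) for c, r in spheres)

def sequence_score(seq, spheres):
    """Multiple-instance aggregation: a sequence is only as normal as its worst behavior."""
    return max(behavior_score(b, spheres) for b in seq)

def make_sequences(seed=0):
    """Constructed toy data (assumption): 2-D behavior features, labels per sequence only."""
    rng = random.Random(seed)
    modes = [(0.0, 0.0), (10.0, 10.0)]          # two normal behavior patterns
    def normal():
        cx, cy = rng.choice(modes)
        return (cx + rng.uniform(-0.5, 0.5), cy + rng.uniform(-0.5, 0.5))
    seqs, labels = [], []
    for i in range(20):
        seq = [normal() for _ in range(8)]
        if i % 4 == 0:                          # every 4th sequence hides 2 odd behaviors
            seq[3], seq[5] = (5.0, 5.0), (20.0, 0.0)
        seqs.append(seq)
        labels.append(1 if i % 4 == 0 else 0)
    return seqs, labels

def detect(seqs, labels, k=2, margin=1.5):
    """Train on behaviors of weakly-normal sequences only (the weak label guarantees
    they hold no anomaly), then localise behaviors whose score exceeds the margin."""
    train = [b for s, y in zip(seqs, labels) if y == 0 for b in s]
    spheres = fit_spheres(train, k)
    flags = [[j for j, b in enumerate(s) if behavior_score(b, spheres) > margin] for s in seqs]
    return flags, spheres
```

The margin above 1 leaves room for unseen normal behaviors that fall just outside a sphere; in the toy data the planted behaviors score an order of magnitude higher than that.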
Peer Reviews
Decision: ICLR 2026 Conference Withdrawn Submission
I think this is an interesting paper. The behavior-level anomaly detection focus is interesting, and I think a situation where only sequence-level labels are available is realistic and well-motivated. The combination of normal-behavior modeling and multiple instance learning is clever and well-designed, and I think the authors' description is clear and well-laid out. Overall, I found the paper well-written and compelling.
Figure 1 is described as showing the setting you aim to address (WITD), but it's not ever really described. From looking at Figure 1, it seems as though the marked "ambiguous anomaly interval" is characterized by a decrease in behavior, as seen by the gap in the sequence of "behavior" page images to the left of it. This suggests that "behaviors" are some sort of temporally-annotated events. However, Section 2 makes it clear that time isn't being explicitly represented in behavior sequences, s
The paper is well-written and the reasoning behind the algorithmic decisions is sound. The set of ablation experiments is very good.
The main weakness of the paper is in the experiment methodology. These (among other comments) are elaborated in more detail in the main comments below.
1. Equation 5: It appears that 'dual-scoring' is just another name for 'ensemble' (with two members). This is not very novel. We could even generalize to more than two to include more 'complementary perspectives'.
2. Line 220/221 Multi-Center loss: How was the number of hyper-spheres determined in the experiments? Is that auto determined or a
This work's primary strength is its pragmatic and cost-effective approach to a complex problem. By leveraging weak sequence-level labels instead of costly fine-grained annotations, it offers a feasible solution for real-world deployment. The proposed RMSL framework is methodologically robust, combining a strong, unsupervised starting point (a one-class classifier) with a sophisticated refinement process using multiple instance learning and adaptive self-training debiasing. This hybrid design eff
1. Dependence on weak label quality: The framework's performance is inherently tied to the quality and representativeness of the provided weak sequence-level labels. Noisy or biased weak labels could significantly degrade performance, a vulnerability not discussed.
2. Limited interpretability: The use of multiple hyper-spheres and a complex refinement process may result in a "black-box" model. The method likely lacks clear interpretability for why a specific behavior is flagged as anomalous, which
- Novel multi-sphere approach that better captures diverse normal behavior patterns compared to single-sphere methods
- Well-designed three-stage progressive training strategy that systematically addresses different aspects of the learning problem
- Dual-scoring mechanism combining classification separability and deviation from normal patterns provides comprehensive anomaly assessment
- The paper is somewhat difficult to read through, with a lot of compound sentences in general. It would have been an easier job for the reader had there been better, simpler sentences in the active voice. However, I was able to grasp at least some of the ideas presented in the paper.
- Major concern: Only evaluated on two datasets from the same source (CERT r4.2 and r5.2), raising serious questions about generalizability
- Parameter sensitivity issues: different optimal \alpha values needed f