A Consensus-Bayesian Framework for Detecting Malicious Activity in Enterprise Directory Access Graphs
Pratyush Uppuluri, Shilpa Noushad, Sajan Kumar

TL;DR
This paper introduces a Bayesian framework that models enterprise directory access as a multi-level graph, detecting malicious activity by analyzing logical inconsistencies and opinion dynamics, with validated simulation results.
Contribution
It presents a novel consensus-based Bayesian approach combining opinion dynamics and logical perturbation detection for enterprise security.
Findings
Effective detection of logical anomalies in synthetic graphs
Robustness under dynamic perturbations demonstrated
Bayesian scoring improves anomaly detection accuracy
Abstract
This work presents a consensus-based Bayesian framework to detect malicious user behavior in enterprise directory access graphs. By modeling directories as topics and users as agents within a multi-level interaction graph, we simulate access evolution using influence-weighted opinion dynamics. Logical dependencies between users are encoded in dynamic matrices C_i, and directory similarity is captured via a shared influence matrix W. Malicious behavior is injected as cross-component logical perturbations that violate structural norms of strongly connected components (SCCs). We apply theoretical guarantees from opinion dynamics literature to determine topic convergence and detect anomalies via scaled opinion variance. To quantify uncertainty, we introduce a Bayesian anomaly scoring mechanism that evolves over time, using both static and online priors. Simulations over synthetic access graphs…
Taxonomy
Topics: Complex Network Analysis Techniques · Access Control and Trust · Advanced Graph Neural Networks
