Signal Decomposition Reveals Structure in Insider Threat Detection under Sparse Temporal Data
Hayden Beadles, Jericho Cain

TL;DR
This paper introduces a signal decomposition approach for insider threat detection in sparse temporal data, separating activity presence from magnitude to improve anomaly identification.
Contribution
It proposes a dual-channel autoencoder that decomposes activity signals, enhancing detection of sparse and intermittent insider threats without complex sequence modeling.
Findings
Short attacks are detected mainly through presence signals.
Longer attacks involve a magnitude component, improving detection.
Simple aggregation of extreme scores effectively recovers extended activity.
Abstract
Insider threat detection is difficult because malicious behavior is rare, irregular, and buried in long periods of inactivity. In enterprise audit data, most windows contain little activity, while attacks appear intermittently and range from brief events to sustained campaigns. Standard reconstruction-based models are therefore dominated by inactive regions and tend to learn baseline behavior rather than meaningful deviations. We separate activity presence from magnitude. Each window is decomposed into a binary mask indicating whether activity occurs and a value matrix capturing its intensity. A dual-channel autoencoder reconstructs both, with value loss applied only where activity is present, directing learning toward sparse structure. Using the CERT r5.2 dataset as a controlled setting, we examine how anomaly signal changes with temporal configuration. Short attacks are detected…
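The presence/magnitude decomposition and the masked value loss described in the abstract, as an added example that is not the authors' code: a constructed per-cell baseline (mean mask and mean magnitude over normal windows) stands in for the trained dual-channel autoencoder, and the feature columns and sample windows are constructed.

```python
import math
from typing import List, Tuple
Matrix = List[List[float]]  # rows = time bins in a window, cols = activity features

def decompose(window: Matrix) -> Tuple[Matrix, Matrix]:
    """Split a window into a binary presence mask and a magnitude matrix."""
    mask = [[1.0 if v > 0 else 0.0 for v in row] for row in window]
    values = [[v if v > 0 else 0.0 for v in row] for row in window]
    return mask, values

def presence_loss(mask: Matrix, prob: Matrix) -> float:
    """Mean binary cross-entropy between the true mask and predicted presence."""
    eps, total, n = 1e-7, 0.0, 0
    for m_row, p_row in zip(mask, prob):
        for m, p in zip(m_row, p_row):
            p = min(max(p, eps), 1 - eps)
            total += -(m * math.log(p) + (1 - m) * math.log(1 - p))
            n += 1
    return total / n

def masked_value_loss(values: Matrix, recon: Matrix, mask: Matrix) -> float:
    """Squared error on magnitudes, counted only in cells where activity occurred."""
    err = sum(m * (v - r) ** 2 for v_row, r_row, m_row in zip(values, recon, mask)
              for v, r, m in zip(v_row, r_row, m_row))
    active = sum(m for row in mask for m in row)
    return err / active if active else 0.0  # an inactive window adds no value loss

def baseline(windows: List[Matrix]) -> Tuple[Matrix, Matrix]:
    """Stand-in for the trained autoencoder (assumption): per-cell mean mask and values."""
    masks, vals = zip(*(decompose(w) for w in windows))
    mean = lambda mats: [[sum(m[i][j] for m in mats) / len(mats)
                          for j in range(len(mats[0][0]))] for i in range(len(mats[0]))]
    return mean(masks), mean(vals)

def window_score(window: Matrix, prob: Matrix, recon: Matrix) -> float:
    """Anomaly score: presence deviation plus magnitude deviation on active cells only."""
    mask, values = decompose(window)
    return presence_loss(mask, prob) + masked_value_loss(values, recon, mask)

def aggregate_extreme(scores: List[float], k: int) -> float:
    """Mean of the k highest window scores: sustained activity lifts it, a lone spike less so."""
    return sum(sorted(scores, reverse=True)[:k]) / k

# Constructed data: 3 time bins x 2 features (e.g. logon count, file-copy count).
NORMAL = [[[1, 0], [0, 0], [1, 0]], [[1, 0], [0, 0], [0, 0]], [[0, 0], [0, 0], [0, 0]]]
PROB, RECON = baseline(NORMAL)
INACTIVE = [[0, 0], [0, 0], [0, 0]]
SHORT = [[0, 0], [0, 3], [0, 0]]      # one burst of a feature unseen in normal windows
SUSTAINED = [[1, 5], [1, 5], [1, 5]]  # unseen feature active in every bin
```

Scoring the three constructed windows against the baseline shows the inactive window near zero, the short burst driven mostly by the presence term, and the sustained window raised further by the magnitude term.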
