User and Entity Behavior Analytics (UEBA) systems commonly detect insider threats by scoring fixed time windows of user activity for anomalous behavior. While this window-level paradigm has proven effective for identifying sharp behavioral deviations, it remains unclear how much information about longer-running attack campaigns is already present within individual windows, and how such information can be leveraged for campaign discovery. In this work, we study unsupervised window-level insider threat detection on the CERT r4.2 dataset and show that explicitly separating activity presence from activity magnitude yields substantial performance gains. We introduce a dual-channel convolutional autoencoder that reconstructs both a binary activity mask and corresponding activity values, allowing the model to focus representational capacity on sparse behavioral structure rather than dense inactive baselines. Across multiday attack campaigns lasting between one and seven days, the proposed approach achieves a window-level precision-recall AUC of 0.71, substantially exceeding standard unsupervised autoencoder baselines and enabling high-precision operating points with zero false alarms.
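To make the presence/magnitude split concrete, the following is an added worked example; it is not the paper's code and uses no CERT r4.2 data. A per-cell mean reconstructor stands in for the convolutional autoencoder (an assumption made purely to show the scoring logic), the four feature names and channel order are assumed, the 24x4 hour-by-feature windows are constructed by hand, and the mixing weight `alpha` is a free parameter. The example shows how a window is split into a binary activity mask and a log-scaled value channel, how the magnitude error is evaluated only on active cells so that the dense inactive baseline does not dominate the score, and how window scores are evaluated with precision-recall AUC (computed as average precision).

```python
"""Added illustration of presence/magnitude separation for window-level scoring.
NOT the paper's model: a per-cell mean reconstructor replaces the convolutional
autoencoder, and all windows below are constructed by hand (not CERT r4.2)."""
import math

HOURS = 24
FEATURES = ["logon", "email", "device", "http"]  # assumed channel order
NF = len(FEATURES)


def split_channels(window):
    """Separate presence from magnitude for one (HOURS x NF) grid of counts.

    Returns (mask, values): mask is 1.0 where any activity occurred, values is
    log1p(count) on active cells and 0.0 elsewhere."""
    mask = [[1.0 if c > 0 else 0.0 for c in row] for row in window]
    values = [[math.log1p(c) if c > 0 else 0.0 for c in row] for row in window]
    return mask, values


def fit(windows):
    """Per-cell baseline (assumed stand-in for the autoencoder): mean presence
    over all training windows, mean magnitude over the active cells only."""
    n = len(windows)
    active_n = [[0] * NF for _ in range(HOURS)]
    value_sum = [[0.0] * NF for _ in range(HOURS)]
    for w in windows:
        mask, values = split_channels(w)
        for h in range(HOURS):
            for f in range(NF):
                active_n[h][f] += int(mask[h][f])
                value_sum[h][f] += values[h][f]
    mask_hat = [[active_n[h][f] / n for f in range(NF)] for h in range(HOURS)]
    value_hat = [[value_sum[h][f] / active_n[h][f] if active_n[h][f] else 0.0
                  for f in range(NF)] for h in range(HOURS)]
    return {"mask_hat": mask_hat, "value_hat": value_hat}


def score(model, window, alpha=0.5):
    """Dual-channel reconstruction error for one window.

    mask_err is a plain MSE over all cells (presence structure); value_err is
    MSE restricted to the window's active cells, so the many inactive cells
    contribute nothing to the magnitude term. alpha (assumed) mixes the two."""
    mask, values = split_channels(window)
    cells = HOURS * NF
    mask_err = sum((mask[h][f] - model["mask_hat"][h][f]) ** 2
                   for h in range(HOURS) for f in range(NF)) / cells
    active = sum(mask[h][f] for h in range(HOURS) for f in range(NF))
    if active == 0:
        value_err = 0.0
    else:
        value_err = sum(((values[h][f] - model["value_hat"][h][f]) ** 2) * mask[h][f]
                        for h in range(HOURS) for f in range(NF)) / active
    return alpha * mask_err + (1.0 - alpha) * value_err


def average_precision(scores, labels):
    """Area under the precision-recall curve, computed as average precision."""
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    positives = sum(labels)
    tp = fp = 0
    ap = prev_recall = 0.0
    for i in order:
        if labels[i]:
            tp += 1
        else:
            fp += 1
        precision = tp / (tp + fp)
        recall = tp / positives
        ap += precision * (recall - prev_recall)
        prev_recall = recall
    return ap


# Constructed windows: a user active 09:00-17:59 on all four features with
# count 2 per hour, and the same day plus device activity at 22h and 23h.
def normal_window():
    return [[2 if 9 <= h <= 17 else 0 for _ in FEATURES] for h in range(HOURS)]


def after_hours_window():
    w = normal_window()
    w[22][FEATURES.index("device")] = 1
    w[23][FEATURES.index("device")] = 1
    return w


if __name__ == "__main__":
    model = fit([normal_window()] * 5)
    windows = [normal_window(), after_hours_window(), normal_window()]
    labels = [0, 1, 0]  # 1 marks the constructed after-hours window
    scores = [score(model, w) for w in windows]
    print("scores:", [round(s, 4) for s in scores])
    print("PR-AUC:", average_precision(scores, labels))
```

The point to notice is in `score`: two after-hours device cells change the mask channel by exactly 2/96 regardless of how small the counts are, and the magnitude error is normalised by the 38 active cells rather than the 96 total, so the signal is not diluted by the inactive baseline the way a single dense MSE would dilute it.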