Russian Federation
Modern insider threat detection systems face the problem of analyzing heterogeneous digital footprint data: action sequences, textual communication, and employee relationship graphs. Existing monolithic architectures cannot efficiently process all data types within a single model. This paper proposes an original hybrid architecture combining an LSTM module for temporal sequence analysis, a Transformer module for text processing, and a Graph Attention Network for interaction graph modeling. The key novelty lies in a two-level attention system: at the first level (feature-level attention), each module forms its own representation with weight coefficients for feature significance; at the second level (decision-level attention), a cross-attention mechanism aggregates module outputs into an integrated risk score. Experiments on the CMU-CERT r4.2 dataset show that the proposed architecture outperforms monolithic solutions (F1 = 0.89 versus 0.82 for Isolation Forest and 0.85 for gradient boosting), while two-level attention ensures interpretability through visualization of each module's contribution. The obtained results can be used in building UEBA systems with explainability requirements.
Keywords: hybrid neural networks, LSTM, Transformer, Graph Attention Network, two-level attention, UEBA, insider threats, explainable AI
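A sketch of how the two attention levels described in the abstract can fit together, added here as an illustration and not taken from the paper's code. It assumes single-query scaled dot-product attention in place of the paper's cross-attention (whose exact form the abstract does not give); the function names, vectors and untrained parameters are all constructed for the example.

```python
import math

def softmax(xs):
    m = max(xs)
    es = [math.exp(x - m) for x in xs]
    total = sum(es)
    return [e / total for e in es]

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def weighted_sum(weights, vectors):
    return [sum(w * v[d] for w, v in zip(weights, vectors)) for d in range(len(vectors[0]))]

def feature_attention(features, scores):
    """Level 1: turn per-feature relevance scores into weights and pool."""
    weights = softmax(scores)
    return weighted_sum(weights, features), weights

def decision_attention(module_reprs, query, out_w, out_b):
    """Level 2: attend over module outputs, return (risk, per-module weights)."""
    names = list(module_reprs)
    scale = math.sqrt(len(query))
    alphas = softmax([dot(query, module_reprs[n]) / scale for n in names])
    fused = weighted_sum(alphas, [module_reprs[n] for n in names])
    risk = 1.0 / (1.0 + math.exp(-(dot(out_w, fused) + out_b)))
    return risk, dict(zip(names, alphas))

def demo():
    # Constructed stand-in for three LSTM hidden states of one user session;
    # the middle step is given the highest relevance score.
    steps = [[0.0, 0.0], [2.0, 1.0], [0.0, 0.0]]
    seq_repr, step_weights = feature_attention(steps, [0.1, 2.0, 0.1])
    modules = {
        "sequence": seq_repr,      # LSTM branch
        "text": [0.2, 0.1],        # Transformer branch (constructed)
        "graph": [0.5, -0.3],      # GAT branch (constructed)
    }
    # Fixed, untrained parameters chosen for illustration only (assumption).
    risk, contrib = decision_attention(modules, [1.0, 0.0], [1.0, 1.0], -1.0)
    return risk, contrib, step_weights

if __name__ == "__main__":
    risk, contrib, step_weights = demo()
    print(f"risk={risk:.3f}")
    for name, a in contrib.items():
        print(f"  {name}: {a:.2f}")
    print("step weights:", [round(w, 2) for w in step_weights])
```

The per-module weights returned by `decision_attention` are the quantities an analyst would plot to see which branch drove a given risk score; the level-1 weights do the same for individual events inside a branch.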