Unveiling Anomalies: Leveraging Machine Learning for Internal User Behaviour Analysis – Top 10 Use Cases

Authors

  • Wassim Ahmad Department of Electronic and Telecommunication Engineering, Canadian Institute of Technology, Tirana, Albania

DOI:

https://doi.org/10.15157/IJITIS.2025.8.1.272-293

Keywords:

Anomaly Detection, Data Exfiltration, UBA, SIEM, Machine Learning, Insider Threats

Abstract

Insider threats pose a significant risk to organizations, as traditional Security Information and Event Management (SIEM) systems struggle to detect subtle, evolving anomalies in user behaviour. While machine learning (ML) offers promise, the absence of a structured approach to prioritize and validate high-impact threat scenarios limits its practical adoption. This research addresses this gap by systematically identifying and validating the top 10 critical insider threat use cases—including data exfiltration, privilege escalation, and lateral movement—through a methodology combining MITRE ATT&CK tactics, Verizon Data Breach Investigations Report (DBIR) statistics, and related research papers. We then integrate the Random Cut Forest (RCF) algorithm into the Wazuh/OpenSearch SIEM platform, tailoring its unsupervised learning capabilities to detect these prioritized threats in real time. By correlating ML-driven anomaly scores with rule-based alerts, our solution reduces false positives by 35% and achieves a 94% true positive rate for high-risk use cases like unauthorized access. Validation in a production environment confirms the framework’s efficacy, with detection times under 3 minutes for 80% of anomalies. Beyond technical integration, this work establishes a replicable blueprint for aligning ML models with operational priorities, empowering organizations to focus resources on the most damaging insider threats.

Published

2025-03-11

How to Cite

Ahmad, W. (2025). Unveiling Anomalies: Leveraging Machine Learning for Internal User Behaviour Analysis – Top 10 Use Cases. International Journal of Innovative Technology and Interdisciplinary Sciences, 8(1), 272–293. https://doi.org/10.15157/IJITIS.2025.8.1.272-293