Abstract
Insider threats represent one of the most challenging categories of cybersecurity risk facing modern organizations. Traditional detection approaches based on fixed rules, static thresholds, and signature databases fail to capture the subtle and evolving nature of insider behaviour. This work proposes and implements a multi-stage unsupervised analytical framework for insider threat detection based on large-scale NetFlow telemetry. The framework operates through five interconnected stages: memory-efficient chunk-based streaming ingestion of raw NetFlow records; hourly temporal segmentation of host-level traffic statistics; composite anomaly scoring that combines logarithmically scaled byte volume and flow frequency; weighted host-to-host communication graph construction with greedy modularity maximization community detection; and the derivation of two community-aware behavioural metrics, one identifying hosts that are anomalous within their own peer group and the other identifying hosts that act as structural bridges across community boundaries. The results show that community-aware structural metrics reveal categories of anomalous behaviour that are entirely invisible to volume-based scoring alone, and that multi-day temporal analysis is essential for distinguishing transient operational events from persistent threat indicators.
Publication Date
5-2026
Document Type
Thesis
Student Type
Graduate
Degree Name
Cybersecurity (MS)
Department, Program, or Center
Computing Security, Department of
Advisor
Huda Saadeh
Recommended Citation
Alrazooqi, Rashed Hassan Nasser, "Adaptive Insider Threat Detection with Graph-Based Models" (2026). Thesis. Rochester Institute of Technology. Accessed from
https://repository.rit.edu/theses/12677
Campus
RIT Dubai
