Spotting Risk From the Inside
The most expensive security problems often come from inside — an employee quietly copying files, abusing access, or doing something well outside their normal routine. The hard part isn't the response; it's noticing, when there are thousands of people and millions of routine actions to sift through.
The goal here was to flag the handful of users whose behavior breaks the normal pattern — without anyone writing a rulebook of what "suspicious" looks like. The model learns "normal" on its own and surfaces what doesn't fit.
The data was the CERT Insider Threat dataset — activity logs for 4,000 employees: logons and failed logons, file access, device and USB activity, and access to decoy "honeypot" files. Everything was rolled into one behavior profile per person, then three unsupervised methods were compared — Isolation Forest, K-Means clustering, and DBSCAN. None are told who the bad actors are; they simply measure how far each person sits from the crowd.
Isolation Forest flagged 165 unusual users, and proved the most consistent and explainable of the three. The single most anomalous employee accessed an extreme number of unique files — a z-score of 10, far beyond any peer — combined with heavy removable-media use and repeated access to decoy files. Several red flags, one person, surfaced automatically out of 4,000.
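The pipeline described in the two paragraphs above, as an added example that is not code from the original post and uses no CERT data: a constructed activity log for 40 ordinary users plus one planted outlier is rolled into one behavior profile per user, scored with a small Isolation Forest written from scratch here (so it runs without scikit-learn), and the top hit is explained with per-feature z-scores. The user names, event kinds, feature list and counts are all assumptions made for the example.

```python
import math
import random
from collections import defaultdict

# Feature order of every per-user profile vector (assumed set of behaviours).
FEATURES = ["logons", "failed_logons", "unique_files", "usb_connects", "honeypot_hits"]
EULER = 0.5772156649  # Euler-Mascheroni constant, used by the path-length normaliser


def make_events(n_normal=40, seed=1):
    """Constructed sample log of (user, event_kind, detail) tuples; not CERT data.
    Forty users behave ordinarily; 'user_x' is a planted outlier on three features."""
    rng = random.Random(seed)
    events = []
    for i in range(n_normal):
        u = f"user{i:03d}"
        events += [(u, "logon", "")] * rng.randint(15, 25)
        events += [(u, "logon_fail", "")] * rng.randint(0, 2)
        events += [(u, "file", f"doc{rng.randint(1, 60)}") for _ in range(rng.randint(8, 20))]
        events += [(u, "usb", "")] * rng.randint(0, 2)
    u = "user_x"
    events += [(u, "logon", "")] * 20 + [(u, "logon_fail", "")]
    events += [(u, "file", f"doc{k}") for k in range(400)]   # extreme unique-file count
    events += [(u, "usb", "")] * 30 + [(u, "honeypot", "")] * 5  # heavy USB use, decoy hits
    return events


def build_profiles(events):
    """Roll raw events into one feature vector per user (order follows FEATURES)."""
    counts = defaultdict(lambda: defaultdict(int))
    files = defaultdict(set)
    for user, kind, detail in events:
        if kind == "file":
            files[user].add(detail)   # distinct files, not file events
        else:
            counts[user][kind] += 1
    return {
        u: [counts[u]["logon"], counts[u]["logon_fail"], len(files[u]),
            counts[u]["usb"], counts[u]["honeypot"]]
        for u in set(counts) | set(files)
    }


def _c(n):
    """Expected path length of an unsuccessful BST search on n points (iForest normaliser)."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER) - 2.0 * (n - 1) / n


def _grow(points, rng, depth, max_depth):
    """Random split on a random feature until a point is isolated or depth runs out."""
    if depth >= max_depth or len(points) <= 1:
        return ("leaf", len(points))
    f = rng.randrange(len(FEATURES))
    lo, hi = min(p[f] for p in points), max(p[f] for p in points)
    if lo == hi:
        return ("leaf", len(points))
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[f] < split]
    right = [p for p in points if p[f] >= split]
    return ("node", f, split, _grow(left, rng, depth + 1, max_depth),
            _grow(right, rng, depth + 1, max_depth))


def _path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])   # unresolved leaf: add the expected remaining depth
    _, f, split, left, right = tree
    return _path_length(left if x[f] < split else right, x, depth + 1)


def isolation_forest_scores(profiles, n_trees=100, sample_size=64, seed=7):
    """Anomaly score in (0, 1) per user: a short average path means the user is
    easy to isolate from the crowd, which gives a high score."""
    rng = random.Random(seed)
    users = sorted(profiles)
    X = [profiles[u] for u in users]
    n = min(sample_size, len(X))
    max_depth = math.ceil(math.log2(n))
    trees = [_grow(rng.sample(X, n), rng, 0, max_depth) for _ in range(n_trees)]
    return {u: 2 ** (-(sum(_path_length(t, x) for t in trees) / n_trees) / _c(n))
            for u, x in zip(users, X)}


def zscore_explain(profiles, user, threshold=3.0):
    """Which features push this user away from the crowd: (feature, z) with |z| >= threshold."""
    cols = list(zip(*profiles.values()))
    out = []
    for f, col in zip(FEATURES, cols):
        mean = sum(col) / len(col)
        std = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col)) or 1.0
        z = (profiles[user][FEATURES.index(f)] - mean) / std
        if abs(z) >= threshold:
            out.append((f, round(z, 2)))
    return sorted(out, key=lambda t: -abs(t[1]))


def rank_users(events, top_k=5):
    """Profiles -> scores -> ranked list of (user, score, explanation) for the top_k users."""
    profiles = build_profiles(events)
    scores = isolation_forest_scores(profiles)
    ranked = sorted(scores, key=scores.get, reverse=True)[:top_k]
    return [(u, round(scores[u], 3), zscore_explain(profiles, u)) for u in ranked]


if __name__ == "__main__":
    for user, score, why in rank_users(make_events()):
        print(f"{user:10s} score={score:.3f} flags={why}")
```

The z-score step is what makes the flag explainable: the forest says who is unusual, the z-scores say which behaviours (unique files, removable media, decoy access) drove it, which is what an analyst needs before opening a case. On real data the profile window (per day, per week) and the feature set matter more than the model choice, and the threshold should be tuned against the analyst capacity available to review hits.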
What this means for your business: every business has a "normal" — normal logins, normal access, normal spending, normal order patterns. Anomaly detection learns that normal automatically and flags the few cases that break it, with no rules to maintain. The same approach watches for fraud, theft, account misuse, or costly process errors — and points your team straight at what's worth a closer look.