Anomaly Detection in Network Traffic for Insider Threat Identification: A Comparative Study of Unsupervised and Supervised Machine Learning Approaches

Insider threats pose a significant and growing risk to organizational cybersecurity, with recent studies indicating a 47% increase in insider incidents from 2018 to 2022. This paper presents a comparative analysis of unsupervised and supervised machine learning approaches for detecting potential insider threats through network traffic anomaly identification. We develop and evaluate an Isolation Forest (unsupervised) and a Random Forest (supervised) model, training them on a simulated dataset representing six months of network logs from a mid-sized company. Our study introduces a unique feature set combining traditional network metrics with temporal and behavioral indicators, enhancing the models' detection capabilities. Results show that the Random Forest classifier outperforms the Isolation Forest, with F1-scores of 0.6425 and 0.4624, respectively. However, the unsupervised approach shows promise in scenarios lacking labeled data. Key findings reveal that increased connection frequency and data transfer volume are critical indicators of potential threats, with temporal patterns also playing a significant role. This study provides valuable insights into the strengths and limitations of each approach, offering practical implications for real-world digital forensics investigations. We contribute to the field by proposing a hybrid approach that leverages the strengths of both methods, potentially improving the accuracy and adaptability of insider threat detection systems. These findings pave the way for more robust, context-aware cybersecurity measures in the digital age.