Artificial Intelligence-Based Insider-Threat Detection: A Hybrid Explainable Framework with Automated Response and Privilege Containment
Abdel Rahman Alkharabsheh, Ghaya Binsalma, Mahra Alharmi, Ruqia Alshateri, Shahad Altaee, Mousa Sweidan

Insider threats remain among the most persistent and most damaging threats in cybersecurity: malicious or negligent users already operate inside the organization's own restricted environment, and their drift away from organizational norms tends to be gradual. Conventional rule-based and statistical detection methods struggle with subtle, context-dependent, and evolving behavior, which leads to delayed detection and high false-positive rates. This paper introduces an explainable AI-based Insider-Threat Detection (AIB-ITD) model that integrates enterprise telemetry, including email, web, logon/VPN, and file events, into a unified behavioral framework. The gain from combining heterogeneous behavioral indicators observed in AIB-ITD is consistent with recent behavioral-analytics deployments that have demonstrated the value of multimodal user-behavior profiling for insider-threat identification in enterprise environments. AIB-ITD is anomaly-driven: unsupervised models (Isolation Forest, PCA reconstruction, and an Autoencoder) capture static deviations in a user's behavior, and a sequential model (an LSTM Autoencoder) captures temporal deviations. An ensemble strategy combines the outputs of these models into a probabilistic insider-risk score. To support transparent analysis and analyst trust, SHapley Additive exPlanations (SHAP) attribute every detection outcome to the features that produced it. The framework also includes feature-correlation analysis, a static-versus-sequential model comparison, and a SHAP stability assessment to validate methodological robustness and reproducibility.
An experimental evaluation of the hybrid ensemble on the SEI/CMU CERT Insider Threat Dataset shows that it outperforms the individual models in anomaly detection and score stability, particularly once temporal patterns are included. The evaluation prioritizes anomaly-score consistency and reliable risk ranking over classification accuracy, which better reflects real deployment conditions, where labeled insider incidents are scarce. In addition, an Automated Response and Privilege Containment (ARPC) component automatically maps risk scores to multilevel mitigation actions, enforcing least-privilege policies promptly while preserving user privacy. The proposed model showed greater robustness, stability, and operational effectiveness than classical methods, especially when labeled data are scarce. By combining hybrid anomaly detection, explainable AI, and automated response, AIB-ITD offers a practical and scalable solution for next-generation insider-threat detection in enterprise systems.
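The pipeline the abstract describes, as an added example that is not the authors' code: stdlib-only Python that aggregates constructed CERT-style events into one feature vector per user and day, scores each user-day with a static detector (robust z-score against the whole population) and a sequential detector (deviation from that user's own trailing window), squashes both into probabilities and averages them into a single risk score, attributes the score to features, and maps it to ARPC containment tiers. The two detectors, the logistic calibration centred on three "sigma", the share-of-score attribution, the tier thresholds, the user names and the telemetry are all assumptions standing in for the paper's Isolation Forest, PCA, Autoencoder and LSTM models and for SHAP; none of them is taken from the paper.

```python
"""Added example, not the authors' code: a stdlib-only miniature of the AIB-ITD pipeline.
Static and sequential detectors are simple stand-ins for the paper's Isolation Forest / PCA /
autoencoder / LSTM models, 'explain' is a share-of-score split rather than SHAP, and the
calibration and ARPC thresholds are assumptions. All telemetry below is constructed."""
import math
from collections import defaultdict
from statistics import mean, median, pstdev

FEATURES = ("logon", "logon_afterhours", "email_external", "file_removable", "http")

def _burst(day, user, **counts):
    """Expand per-channel counts into individual (day, user, channel) events."""
    return [(day, user, ch) for ch, n in counts.items() for _ in range(n)]

# Constructed CERT-style telemetry: eight ordinary days for two users, then an
# exfiltration-like burst for alice on day 8 (after-hours logon, external mail, USB writes).
EVENTS = []
for d in range(1, 9):
    EVENTS += _burst(d, "alice", logon=2, email_external=1 + d % 2, http=30 + d % 3)
    EVENTS += _burst(d, "bob", logon=2, email_external=2, file_removable=1, http=25 + d % 2)
EVENTS += _burst(8, "alice", logon_afterhours=3, email_external=12, file_removable=60)

def build_features(events):
    """Aggregate raw events into one count vector per (user, day)."""
    table = defaultdict(lambda: dict.fromkeys(FEATURES, 0))
    for day, user, channel in events:
        table[(user, day)][channel] += 1
    return dict(table)

def static_scores(feats):
    """Static detector: robust z-score of every user-day against the whole population,
    scaled by the median absolute deviation (floored at 1 so constant features stay finite)."""
    med, mad = {}, {}
    for f in FEATURES:
        col = [v[f] for v in feats.values()]
        med[f] = median(col)
        mad[f] = max(median(abs(x - med[f]) for x in col), 1.0)
    return {k: {f: (v[f] - med[f]) / mad[f] for f in FEATURES} for k, v in feats.items()}

def sequential_scores(feats, window=7):
    """Sequential detector: deviation of each day from the user's own trailing window.
    A user's first observed day has no history and gets None rather than a fake score."""
    by_user, out = defaultdict(list), {}
    for user, day in sorted(feats):
        by_user[user].append(day)
    for user, days in by_user.items():
        for i, day in enumerate(days):
            hist = [feats[(user, d)] for d in days[max(0, i - window):i]]
            if not hist:
                out[(user, day)] = None
                continue
            z = {}
            for f in FEATURES:
                col = [h[f] for h in hist]
                z[f] = (feats[(user, day)][f] - mean(col)) / max(pstdev(col), 1.0)
            out[(user, day)] = z
    return out

def to_probability(z, center=3.0):
    """Map RMS deviation to (0, 1) with a logistic centred on an assumed 3-'sigma' point."""
    rms = math.sqrt(sum(v * v for v in z.values()) / len(z))
    return 1.0 / (1.0 + math.exp(-(rms - center)))

def ensemble_risk(feats):
    """Average the static and sequential probabilities into one risk score per user-day."""
    stat, seq = static_scores(feats), sequential_scores(feats)
    risk = {}
    for k in feats:
        p_static = to_probability(stat[k])
        risk[k] = p_static if seq[k] is None else (p_static + to_probability(seq[k])) / 2
    return risk, stat

def explain(z):
    """Share of the static score carried by each feature, largest first (SHAP stand-in)."""
    total = sum(v * v for v in z.values()) or 1.0
    return sorted(((f, v * v / total) for f, v in z.items()), key=lambda t: -t[1])

def contain(risk):
    """ARPC tier for a risk score; thresholds are assumptions, not the paper's values."""
    if risk >= 0.9:
        return "contain"   # revoke sessions, block removable media, force step-up auth
    if risk >= 0.6:
        return "restrict"  # strip standing privileges, gate sensitive access on approval
    if risk >= 0.3:
        return "monitor"   # enhanced logging plus analyst review
    return "none"

def run(events=EVENTS):
    """Score every user-day, rank by risk, and attach tier and top contributing feature."""
    feats = build_features(events)
    risk, stat = ensemble_risk(feats)
    ranked = sorted(risk, key=lambda k: -risk[k])
    return {k: {"risk": risk[k], "tier": contain(risk[k]), "top_feature": explain(stat[k])[0][0]}
            for k in ranked}

if __name__ == "__main__":
    for (user, day), r in run().items():
        print(f"{user:6} day {day}: risk={r['risk']:.3f} tier={r['tier']:8} top={r['top_feature']}")
```

Two details matter in practice. The sequential detector returns no score for a user's first observed day instead of inventing one, so the ensemble falls back to the static probability there; a real deployment needs a warm-up period before temporal scores are trusted. The scale floor of 1 in both detectors keeps features that are constant in the baseline (here `logon_afterhours`) from producing an infinite z-score on their first non-zero value, which is exactly the case an exfiltration burst triggers; the logistic centre and the tier cut-offs are placeholders and must be calibrated against the organization's own base rates before ARPC is allowed to act on them.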