{"id":"https://openalex.org/W4415191129","doi":"https://doi.org/10.48550/arxiv.2508.05696","title":"Log2Sig: Frequency-Aware Insider Threat Detection via Multivariate Behavioral Signal Decomposition","display_name":"Log2Sig: Frequency-Aware Insider Threat Detection via Multivariate Behavioral Signal Decomposition","publication_year":2025,"publication_date":"2025-08-06","ids":{"openalex":"https://openalex.org/W4415191129","doi":"https://doi.org/10.48550/arxiv.2508.05696"},"language":"en","primary_location":{"id":"pmh:oai:arXiv.org:2508.05696","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2508.05696","pdf_url":"https://arxiv.org/pdf/2508.05696","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"type":"preprint","indexed_in":["arxiv","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://arxiv.org/pdf/2508.05696","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5015711713","display_name":"Kaichuan Kong","orcid":"https://orcid.org/0000-0002-3228-8980"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Kong, Kaichuan","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101664358","display_name":"Dongjie Liu","orcid":"https://orcid.org/0000-0002-8857-816X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Liu, Dongjie","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5011077051","display_name":"Xiaobo Jin","orcid":"https://orcid.org/0000-0003-1671-1379"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jin, Xiaobo","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5010114181","display_name":"Zhiying Li","orcid":"https://orcid.org/0000-0001-6056-9387"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Li, Zhiying","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5101926046","display_name":"Guanggang Geng","orcid":"https://orcid.org/0000-0002-5089-9929"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Geng, Guanggang","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5015711713"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9918000102043152,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9918000102043152,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.9847000241279602,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9708999991416931,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/insider-threat","display_name":"Insider threat","score":0.7228000164031982},{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.6007000207901001},{"id":"https://openalex.org/keywords/construct","display_name":"Construct (python library)","score":0.5651000142097473},{"id":"https://openalex.org/keywords/pattern-recognition","display_name":"Pattern recognition (psychology)","score":0.48739999532699585},{"id":"https://openalex.org/keywords/mode","display_name":"Mode (computer interface)","score":0.4871000051498413},{"id":"https://openalex.org/keywords/event","display_name":"Event (particle physics)","score":0.4832000136375427},{"id":"https://openalex.org/keywords/representation","display_name":"Representation (politics)","score":0.46650001406669617},{"id":"https://openalex.org/keywords/multivariate-statistics","display_name":"Multivariate statistics","score":0.45489999651908875},{"id":"https://openalex.org/keywords/decomposition","display_name":"Decomposition","score":0.38179999589920044}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7412999868392944},{"id":"https://openalex.org/C2776633304","wikidata":"https://www.wikidata.org/wiki/Q6038026","display_name":"Insider threat","level":3,"score":0.7228000164031982},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.6007000207901001},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.586899995803833},{"id":"https://openalex.org/C2780801425","wikidata":"https://www.wikidata.org/wiki/Q5164392","display_name":"Construct (python library)","level":2,"score":0.5651000142097473},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.48739999532699585},{"id":"https://openalex.org/C48677424","wikidata":"https://www.wikidata.org/wiki/Q6888088","display_name":"Mode (computer interface)","level":2,"score":0.4871000051498413},{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.4832000136375427},{"id":"https://openalex.org/C2776359362","wikidata":"https://www.wikidata.org/wiki/Q2145286","display_name":"Representation (politics)","level":3,"score":0.46650001406669617},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.45719999074935913},{"id":"https://openalex.org/C161584116","wikidata":"https://www.wikidata.org/wiki/Q1952580","display_name":"Multivariate statistics","level":2,"score":0.45489999651908875},{"id":"https://openalex.org/C124681953","wikidata":"https://www.wikidata.org/wiki/Q339062","display_name":"Decomposition","level":2,"score":0.38179999589920044},{"id":"https://openalex.org/C78639753","wikidata":"https://www.wikidata.org/wiki/Q3318160","display_name":"Behavioral modeling","level":2,"score":0.38109999895095825},{"id":"https://openalex.org/C179717631","wikidata":"https://www.wikidata.org/wiki/Q2991667","display_name":"Multilayer perceptron","level":3,"score":0.37599998712539673},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3610999882221222},{"id":"https://openalex.org/C60908668","wikidata":"https://www.wikidata.org/wiki/Q690207","display_name":"Perceptron","level":3,"score":0.3382999897003174},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.3368000090122223},{"id":"https://openalex.org/C45273575","wikidata":"https://www.wikidata.org/wiki/Q578970","display_name":"Spectrogram","level":2,"score":0.31189998984336853},{"id":"https://openalex.org/C2778112365","wikidata":"https://www.wikidata.org/wiki/Q3511065","display_name":"Sequence (biology)","level":2,"score":0.3068000078201294},{"id":"https://openalex.org/C18555067","wikidata":"https://www.wikidata.org/wiki/Q8375051","display_name":"Joint (building)","level":2,"score":0.30320000648498535},{"id":"https://openalex.org/C83804111","wikidata":"https://www.wikidata.org/wiki/Q1063558","display_name":"Behavioral pattern","level":2,"score":0.2992999851703644},{"id":"https://openalex.org/C2779843651","wikidata":"https://www.wikidata.org/wiki/Q7390335","display_name":"SIGNAL (programming language)","level":2,"score":0.2973000109195709},{"id":"https://openalex.org/C168167062","wikidata":"https://www.wikidata.org/wiki/Q1117970","display_name":"Component (thermodynamics)","level":2,"score":0.2939000129699707},{"id":"https://openalex.org/C101738243","wikidata":"https://www.wikidata.org/wiki/Q786435","display_name":"Autoencoder","level":3,"score":0.2888999879360199},{"id":"https://openalex.org/C2778971194","wikidata":"https://www.wikidata.org/wiki/Q1664551","display_name":"Insider","level":2,"score":0.28459998965263367},{"id":"https://openalex.org/C118505674","wikidata":"https://www.wikidata.org/wiki/Q42586063","display_name":"Encoder","level":2,"score":0.2718999981880188},{"id":"https://openalex.org/C23224414","wikidata":"https://www.wikidata.org/wiki/Q176769","display_name":"Hidden Markov model","level":2,"score":0.2669000029563904},{"id":"https://openalex.org/C42355184","wikidata":"https://www.wikidata.org/wiki/Q1361088","display_name":"Matrix decomposition","level":3,"score":0.2662999927997589},{"id":"https://openalex.org/C52622490","wikidata":"https://www.wikidata.org/wiki/Q1026626","display_name":"Feature extraction","level":2,"score":0.26429998874664307},{"id":"https://openalex.org/C12997251","wikidata":"https://www.wikidata.org/wiki/Q567560","display_name":"Anomaly (physics)","level":2,"score":0.25519999861717224}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:oai:arXiv.org:2508.05696","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2508.05696","pdf_url":"https://arxiv.org/pdf/2508.05696","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},{"id":"doi:10.48550/arxiv.2508.05696","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2508.05696","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:arXiv.org:2508.05696","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2508.05696","pdf_url":"https://arxiv.org/pdf/2508.05696","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Insider":[0],"threat":[1],"detection":[2,58],"presents":[3],"a":[4,55,70,119,149,158],"significant":[5],"challenge":[6],"due":[7],"to":[8,34,83,123,135,147],"the":[9,36,100,112,128,137,168],"deceptive":[10],"nature":[11],"of":[12,73,106],"malicious":[13],"behaviors,":[14],"which":[15,89,154],"often":[16],"resemble":[17],"legitimate":[18],"user":[19,46,62,74,151],"operations.":[20],"However,":[21],"existing":[22],"approaches":[23],"typically":[24],"model":[25,101],"system":[26],"logs":[27,63],"as":[28],"flat":[29],"event":[30],"sequences,":[31],"thereby":[32],"failing":[33],"capture":[35,124],"inherent":[37],"frequency":[38,67,130],"dynamics":[39],"and":[40,109,171,184],"multiscale":[41],"disturbance":[42],"patterns":[43],"embedded":[44],"in":[45,181],"behavior.":[47,75],"To":[48],"address":[49],"these":[50],"limitations,":[51],"we":[52],"propose":[53],"Log2Sig,":[54],"robust":[56],"anomaly":[57,163],"framework":[59],"that":[60,175],"transforms":[61],"into":[64,157],"multivariate":[65],"behavioral":[66,91,107],"signals,":[68],"introducing":[69],"novel":[71],"representation":[72],"Log2Sig":[76,176],"employs":[77],"Multivariate":[78],"Variational":[79],"Mode":[80,86],"Decomposition":[81],"(MVMD)":[82],"extract":[84],"Intrinsic":[85],"Functions":[87],"(IMFs),":[88],"reveal":[90],"fluctuations":[92],"across":[93],"multiple":[94],"temporal":[95,121],"scales.":[96],"Based":[97],"on":[98,167],"this,":[99],"further":[102],"performs":[103],"joint":[104],"modeling":[105],"sequences":[108,115],"frequency-decomposed":[110],"signals:":[111],"daily":[113],"behavior":[114,152],"are":[116,132,144],"encoded":[117],"using":[118],"Mamba-based":[120],"encoder":[122],"long-term":[125],"dependencies,":[126],"while":[127],"corresponding":[129],"components":[131],"linearly":[133],"projected":[134],"match":[136],"encoder's":[138],"output":[139],"dimension.":[140],"These":[141],"dual-view":[142],"representations":[143],"then":[145],"fused":[146],"construct":[148],"comprehensive":[150],"profile,":[153],"is":[155],"fed":[156],"multilayer":[159],"perceptron":[160],"for":[161],"precise":[162],"detection.":[164],"Experimental":[165],"results":[166],"CERT":[169],"r4.2":[170],"r5.2":[172],"datasets":[173],"demonstrate":[174],"significantly":[177],"outperforms":[178],"state-of-the-art":[179],"baselines":[180],"both":[182],"accuracy":[183],"F1":[185],"score.":[186]},"counts_by_year":[],"updated_date":"2026-03-07T16:01:11.037858","created_date":"2025-10-15T00:00:00"}