DOI: https://doi.org/10.5281/zenodo.19416030

VOLUME 1 – ISSUE 1

LOG-CORRELATION METHODS FOR EARLY DETECTION OF INSIDER-THREAT INDICATORS IN SMALL-TO-MEDIUM ENTERPRISE NETWORKS

Ifeanyichukwu Uchechukwu Akpara*, Otugene Victor Bamigwojo

ABSTRACT

Insider threats represent one of the most challenging cybersecurity risks for small-to-medium enterprises (SMEs), primarily because malicious activities often originate from legitimate users with authorized access to internal systems. Traditional security monitoring mechanisms frequently rely on isolated log analysis and rule-based alerting, which are inadequate for identifying subtle behavioral anomalies that characterize insider misuse. This study proposes a log-correlation framework designed to enhance early detection of insider-threat indicators by integrating heterogeneous system logs and analysing behavioral relationships across multiple enterprise systems. The framework aggregates authentication logs, endpoint activity records, file access logs, and network connection logs into a centralized monitoring architecture where events are normalized and transformed into structured behavioral features. A correlation scoring model is introduced to quantify relationships among user activities using weighted anomaly indicators derived from multi-source log data. The framework further incorporates probabilistic threat estimation using logistic modeling to estimate the likelihood of insider-threat activity. Experimental evaluation was conducted using a simulated SME network environment consisting of 200 endpoints and multiple distributed log sources. Detection performance was evaluated using precision, recall, and F1-score metrics across several detection models, including rule-based monitoring, statistical anomaly detection, machine learning classifiers, and the proposed correlation-driven approach. Results demonstrate that the proposed log-correlation model improves detection accuracy and significantly reduces detection latency compared with traditional SIEM-based monitoring systems. The findings highlight the importance of multi-log behavioral analytics in identifying coordinated user activities that indicate potential insider misuse. The proposed framework provides a scalable and computationally efficient solution suitable for SME environments where security resources are limited, enabling organizations to detect insider threats earlier and respond more effectively to emerging security risks.
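The abstract describes a pipeline of four stages: normalizing heterogeneous logs into a common event form, deriving per-user behavioral features, combining weighted anomaly indicators into a correlation score, and mapping that score to a probability with a logistic model. The following Python script is an added illustration of that pipeline and is not the authors' code; the log formats, feature definitions, indicator thresholds and weights, and the logistic intercept and slope are all assumptions chosen for the example. The sample log lines are constructed, and the scoring deliberately gives credit only when several independent sources agree, which is the correlation point the abstract makes against isolated single-log alerting.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not from the paper). Four sources, each with its own fields,
# all sharing a "timestamp source key=value ..." shape so one parser can normalize them.
AUTH_LOGS = [
    "2024-03-04T02:13:07 auth host=vpn01 user=jdoe result=success",
    "2024-03-04T02:15:41 auth host=fs01 user=jdoe result=failure",
    "2024-03-04T02:15:52 auth host=fs01 user=jdoe result=failure",
    "2024-03-04T02:16:03 auth host=fs01 user=jdoe result=success",
    "2024-03-04T09:02:11 auth host=ws-17 user=asmith result=success",
]
ENDPOINT_LOGS = [
    "2024-03-04T02:20:30 endpoint host=ws-42 user=jdoe proc=7z.exe",
    "2024-03-04T09:10:00 endpoint host=ws-17 user=asmith proc=outlook.exe",
]
FILE_LOGS = [
    "2024-03-04T02:18:10 file host=fs01 user=jdoe path=/finance/payroll.xlsx op=read",
    "2024-03-04T02:18:20 file host=fs01 user=jdoe path=/hr/salaries.csv op=read",
    "2024-03-04T09:15:00 file host=fs01 user=asmith path=/shared/memo.docx op=read",
]
NET_LOGS = [
    "2024-03-04T02:25:00 net host=ws-42 user=jdoe dst=203.0.113.9 bytes_out=524288000",
    "2024-03-04T09:20:00 net host=ws-17 user=asmith dst=192.0.2.5 bytes_out=20480",
]
ALL_LOGS = AUTH_LOGS + ENDPOINT_LOGS + FILE_LOGS + NET_LOGS

# Assumed policy inputs for the illustrative feature extraction.
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
ARCHIVER_PROCS = {"7z.exe", "winrar.exe", "tar"}


def parse_event(line):
    """Normalize one raw line from any source into a dict with ts, source and key=value fields."""
    ts, source, *kvs = line.split()
    ev = {"ts": datetime.fromisoformat(ts), "source": source}
    for kv in kvs:
        k, _, v = kv.partition("=")
        ev[k] = v
    return ev


def extract_features(events):
    """Aggregate normalized events into per-user behavioral feature counts."""
    feats = defaultdict(lambda: defaultdict(float))
    for ev in events:
        f = feats[ev["user"]]
        hour = ev["ts"].hour
        if ev["source"] == "auth":
            if ev["result"] == "failure":
                f["failed_logins"] += 1
            elif hour < 6 or hour >= 22:          # successful login outside 06:00-22:00
                f["offhours_logins"] += 1
        elif ev["source"] == "file" and ev["path"].startswith(SENSITIVE_PREFIXES):
            f["sensitive_reads"] += 1
        elif ev["source"] == "endpoint" and ev["proc"] in ARCHIVER_PROCS:
            f["archiver_runs"] += 1
        elif ev["source"] == "net":
            f["mb_out"] += int(ev["bytes_out"]) / 1_000_000
    return feats


# Assumed (threshold, weight) per indicator; these are illustrative, not the paper's values.
INDICATORS = {
    "failed_logins":   (2, 0.8),
    "offhours_logins": (1, 1.0),
    "sensitive_reads": (1, 1.5),
    "archiver_runs":   (1, 0.7),
    "mb_out":          (100, 1.2),
}
INTERCEPT, SLOPE = -4.0, 2.0   # assumed logistic parameters: low prior, steep rise with score


def correlation_score(f):
    """Weighted sum of the anomaly indicators that fired for one user's feature vector."""
    return sum(w for name, (thr, w) in INDICATORS.items() if f.get(name, 0) >= thr)


def threat_probability(score):
    """Logistic estimate of insider-threat likelihood from the correlation score."""
    return 1.0 / (1.0 + math.exp(-(INTERCEPT + SLOPE * score)))


def analyze(lines):
    """Full pipeline: normalize -> per-user features -> correlation score -> probability."""
    feats = extract_features(parse_event(line) for line in lines)
    result = {}
    for user, f in feats.items():
        s = correlation_score(f)
        result[user] = (s, threat_probability(s))
    return result


if __name__ == "__main__":
    for user, (score, p) in sorted(analyze(ALL_LOGS).items(), key=lambda kv: -kv[1][1]):
        print(f"{user:8s} score={score:.1f} p_insider={p:.3f}")
```

In the constructed data, jdoe's off-hours VPN login, repeated failures on the file server, reads under sensitive paths, an archiver process, and a large outbound transfer each come from a different log source; any one of them alone would be noise, but together they push the score and probability up, while asmith's daytime activity trips no indicator. Replacing the fixed weights with coefficients fitted on labelled incidents is the natural next step the abstract's logistic modeling implies.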

Keywords:

Insider threat detection, log correlation analytics, SME cybersecurity, behavioral anomaly detection, security event correlation, enterprise log monitoring.
