You Chen,Steve Nyemba,Wen Zhang,Bradley Malin

DOI: https://doi.org/10.1186/2190-8532-1-5

2012-02-27

Abstract:Collaborative information systems (CIS) enable users to coordinate efficiently over shared tasks in complex distributed environments. For flexibility, they provide users with broad access privileges, which, as a side-effect, leave such systems vulnerable to various attacks. Some of the more damaging malicious activities stem from internal misuse, where users are authorized to access system resources. A promising class of insider threat detection models for CIS focuses on mining access patterns from audit logs, however, current models are limited in that they assume organizations have significant resources to generate label cases for training classifiers or assume the user has committed a large number of actions that deviate from "normal" behavior. In lieu of the previous assumptions, we introduce an approach that detects when specific actions of an insider deviate from expectation in the context of collaborative behavior. Specifically, in this paper, we introduce a specialized network anomaly detection model, or SNAD, to detect such events. This approach assesses the extent to which a user influences the similarity of the group of users that access a particular record in the CIS. From a theoretical perspective, we show that the proposed model is appropriate for detecting insider actions in dynamic collaborative systems. From an empirical perspective, we perform an extensive evaluation of SNAD with the access logs of two distinct environments: the patient record access logs a large electronic health record system (6,015 users, 130,457 patients and 1,327,500 accesses) and the editing logs of Wikipedia (2,394,385 revisors, 55,200 articles and 6,482,780 revisions). We compare our model with several competing methods and demonstrate SNAD is significantly more effective: on average it achieves 20-30% greater area under an ROC curve.

You Chen,Bradley Malin

DOI: https://doi.org/10.1145/1943513.1943524

Abstract:Collaborative information systems (CIS) are deployed within a diverse array of environments, ranging from the Internet to intelligence agencies to healthcare. It is increasingly the case that such systems are applied to manage sensitive information, making them targets for malicious insiders. While sophisticated security mechanisms have been developed to detect insider threats in various file systems, they are neither designed to model nor to monitor collaborative environments in which users function in dynamic teams with complex behavior. In this paper, we introduce a community-based anomaly detection system (CADS), an unsupervised learning framework to detect insider threats based on information recorded in the access logs of collaborative environments. CADS is based on the observation that typical users tend to form community structures, such that users with low a nity to such communities are indicative of anomalous and potentially illicit behavior. The model consists of two primary components: relational pattern extraction and anomaly detection. For relational pattern extraction, CADS infers community structures from CIS access logs, and subsequently derives communities, which serve as the CADS pattern core. CADS then uses a formal statistical model to measure the deviation of users from the inferred communities to predict which users are anomalies. To empirically evaluate the threat detection model, we perform an analysis with six months of access logs from a real electronic health record system in a large medical center, as well as a publicly-available dataset for replication purposes. The results illustrate that CADS can distinguish simulated anomalous users in the context of real user behavior with a high degree of certainty and with significant performance gains in comparison to several competing anomaly detection models.

Rui Wen,Jianyu Wang,Chunming Wu,Jian Xiong

DOI: https://doi.org/10.1145/3366424.3391266

2020-01-01

Abstract:Given a large graph with millions of vertices and different types, how can we spot anomalies and find potential adversaries in time? Most graph-based fraud detection algorithms focus on finding dense blocks, discovering local subgraphs, designing belief propagation, and latent factor models. However, as fraudsters in online social networks gradually become adversarial, distributed, and invisible, it is easy for them to evade traditional detection methods. Even worse, existing detection systems are fragile to the new attacks. Once attackers update their tragedies, they will be inefficient. Our focus is to detect potential adversaries as soon as possible. We design and propose ASA (Adversary Situation Awareness), a system that (a) uncovers potential adversaries in time, (b) utilizes heterogeneous information in the graph, and (c)is effective in real-world data. We do experiments on a heterogeneous graph including 198,541 nodes with five types and 224,384 edges. The result shows that ASA can spot potential adversaries and successfully recovers 60 of potential abnormal users within a few minutes. Additionally, after two months we deployed it, ASA could achieve 90 recall, which means ASA can well discover a small number of adversaries with a latent period in time.

nitin v kanaskar,jiang bian,remzi seker,mais nijim,nuri yilmazer

DOI: https://doi.org/10.1109/SYSCON.2011.5929116

2011-01-01

Abstract:Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

Guang Yang,Shibo He,Zhiguo Shi

DOI: https://doi.org/10.1109/jiot.2016.2560518

IF: 10.6

2016-01-01

IEEE Internet of Things Journal

Abstract:The past few years have witnessed the dramatic popularity of large-scale social networks where malicious nodes detection is one of the fundamental problems. Most existing works focus on actively detecting malicious nodes by verifying signal correlation or behavior consistency. It may not work well in large-scale social networks since the number of users is extremely large and the difference between normal users and malicious users is inconspicuous. In this paper, we propose a novel approach that leverages the power of users to perform the detection task. We design incentive mechanisms to encourage the participation of users under two scenarios: 1) full information and 2) partial information. In full information scenario, we design a specific incentive scheme for users according to their preferences, which can provide the desirable detection result and minimize overall cost. In partial information scenario, assuming that we only have statistical information about users, we first transform the incentive mechanism design to an optimization problem, and then design the optimal incentive scheme under different system parameters by solving the optimization problem. We perform extensive simulations to validate the analysis and demonstrate the impact of system factors on the overall cost.

Junhong Kim,Minsik Park,Haedong Kim,Suhyoun Cho,Pilsung Kang,Kim,Park,Kim,Cho,Kang

DOI: https://doi.org/10.3390/app9194018

2019-09-25

Applied Sciences

Abstract:Insider threats are malicious activities by authorized users, such as theft of intellectual property or security information, fraud, and sabotage. Although the number of insider threats is much lower than external network attacks, insider threats can cause extensive damage. As insiders are very familiar with an organization’s system, it is very difficult to detect their malicious behavior. Traditional insider-threat detection methods focus on rule-based approaches built by domain experts, but they are neither flexible nor robust. In this paper, we propose insider-threat detection methods based on user behavior modeling and anomaly detection algorithms. Based on user log data, we constructed three types of datasets: user’s daily activity summary, e-mail contents topic distribution, and user’s weekly e-mail communication history. Then, we applied four anomaly detection algorithms and their combinations to detect malicious activities. Experimental results indicate that the proposed framework can work well for imbalanced datasets in which there are only a few insider threats and where no domain experts’ knowledge is provided.

Linghui Li,Yali Gao,Xiaoyong Li,Shui Yu,Jie Yuan,Ximing Li,Jia Jia

DOI: https://doi.org/10.1109/TIFS.2023.3245413

IF: 7.231

IEEE Transactions on Information Forensics and Security

Abstract:Insider threat is destructive and concealable, making addressing it a challenging task in cybersecurity. Most existing methods transform user behavior into sequential information and analyze user behavior while neglecting structural information among users, resulting in high false positives. To solve this problem, in this paper, we propose Dual-Domain Graph Convolutional Network (referred to as DD-GCN), a graph-based modularized method for high accuracy and adaptive insider threat detection. The central idea is to convert user features and structural information into heterogeneous graphs in the light of various relationships and take user behavior and relationship into account together. To this end, a weighted feature similarity mechanism is applied to balance the feature similarity of users and original linkages among them so as to generate the fused structure. Next, specific graph embeddings are extracted from the original topology structure and fused structure simultaneously, which convert behavior information into high-level representations. Furthermore, an attention mechanism is applied to learn the adaptive importance weights of the user’s features in the corresponding embedding. The combination and difference constraints are proposed to enhance the learned embeddings’ commonality and the ability to capture different information. Extensive experiments on two real-world datasets clearly show that our proposed DD-GCN extracts the most correlated information from structural topology and feature information substantially, and achieves improved accuracy with a clear margin.

Computer Science

Adarsh Kulkarni,Priya Mani,Carlotta Domeniconi

DOI: https://doi.org/10.48550/arXiv.1702.05809

2017-02-19

Social and Information Networks

Abstract:Insider trading is one of the numerous white collar crimes that can contribute to the instability of the economy. Traditionally, the detection of illegal insider trades has been a human-driven process. In this paper, we collect the insider tradings made available by the US Securities and Exchange Commissions (SEC) through the EDGAR system, with the aim of initiating an automated large-scale and data-driven approach to the problem of identifying illegal insider tradings. The goal of the study is the identification of interesting patterns, which can be indicators of potential anomalies. We use the collected data to construct networks that capture the relationship between trading behaviors of insiders. We explore different ways of building networks from insider trading data, and argue for a need of a structure that is capable of capturing higher order relationships among traders. Our results suggest the discovery of interesting patterns.

Pratik Chattopadhyay,Lipo Wang,Yap-Peng Tan

DOI: https://doi.org/10.1109/tcss.2018.2857473

2018-09-01

IEEE Transactions on Computational Social Systems

Abstract:An insider threat scenario refers to the outcome of a set of malicious activities caused by intentional or unintentional misuse of the organization’s systems, networks, data, and resources. Prevention of insider threat is difficult, since trusted partners of the organization are involved in it, who have authorized access to these confidential/sensitive resources. The state-of-the-art research on insider threat detection mostly focuses on developing unsupervised behavioral anomaly detection techniques with the objective of finding out anomalousness or abnormal changes in user behavior over time. However, an anomalous activity is not necessarily malicious that can lead to an insider threat scenario. As an improvement to the existing approaches, we propose a technique for insider threat detection from time-series classification of user activities. Initially, a set of single-day features is computed from the user activity logs. A time-series feature vector is next constructed from the statistics of each single-day feature over a period of time. The label of each time-series feature vector (whether malicious or nonmalicious) is extracted from the ground truth. To classify the imbalanced ground-truth insider threat data consisting of only a small number of malicious instances, we employ a cost-sensitive data adjustment technique that undersamples the nonmalicious class instances randomly. As a classifier, we employ a two-layered deep autoencoder neural network and compare its performance with other popularly used classifiers: random forest and multilayer perceptron. Encouraging results are obtained by evaluating our approach using the CMU Insider Threat Data, which is the only publicly available insider threat data set consisting of about 14-GB web-browsing logs, along with logon, device connection, file transfer, and e-mail log files. We observe that both deep autoencoder and random forest classifiers classify the data-adjusted time-series feature set with high precision, recall, and f-score. Although multilayer perceptron has a high recall, it suffers from a lower precision and f-score compared to the other two classifiers.

Xuelei Wang,Colin Fidge,Ghavameddin Nourbakhsh,Ernest Foo,Zahra Jadidi,Calvin Li

DOI: https://doi.org/10.1109/access.2022.3142022

IF: 3.9

2022-01-01

IEEE Access

Abstract:In recent decades, cyber security issues in IEC 61850-compliant substation automation systems (SASs) have become growing concerns. Many researchers have developed various strategies to detect malicious behaviours of SASs during the system operational stage, such as anomaly-based detection. However, most existing anomaly-based detection methods identify an abnormal behaviour by checking every single network packet without any association. These traditional methods cannot effectively detect “stealthy” attacks which modify legitimate messages slightly while imitating patterns of benign behaviours. In this paper, we present feature selection and extraction methods to generalise and summarise critical features when detecting insider attacks triggering from untrusted control devices within SASs. By applying a sliding window-based sequential classification mechanism, our detection method can detect anomalies across multiple devices without the need to learn datasets collected from all devices. Firstly, to generalise critical features and summarise systems’ behaviours so that it is unnecessary to collect all datasets, we selected and extracted six critical network features from generic object-oriented substation events (GOOSE) messages and seven summarised physical features based on the general architecture of the primary plant of distribution substations. After that, to improve detection accuracy and reduce computational costs, we applied sliding window algorithms to divide datasets into different overlapped window-based snippets. Then we applied a sequential classification model based on Bidirectional Long Short-Term Memory networks to train and test those datasets. As a result, our method can detect insider attacks across multiple devices accurately with a false-negative rate of less than 1%.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xi Xiangyu,Zhang Tong,Ye Wei,Wen Zhao,Zhang Shikun,Du Dongdong,Gao Qing

DOI: https://doi.org/10.1142/s0218194018400211

2018-01-01

Abstract:An intruder of a company’s network may use stolen login credentials to silently collect sensitive data. Such malicious user behavior is difficult to detect as long as it does not trigger access violation or data leak alert. In this paper, we propose to use an ensemble of three unsupervised anomaly detection algorithms, namely OCSVM, RNN and Isolation Forest, to detect abnormal user behavior patterns. Besides, an User Behavior Analytics (UBA) Platform is proposed to collect logs, extract features and conduct experiments. The experiment results indicate that our algorithm outperforms each individual algorithm with recall of 96.55% and precision of 91.24% on average, while both OCSVM and RNN suffer from anomalies in the training set, and [Formula: see text] produces more false positives and false negatives in prediction.

Anagi Gamachchi,Li Sun,Serdar Boztas

DOI: https://doi.org/10.48550/arXiv.1809.00141

2018-09-01

Cryptography and Security

Abstract:While most security projects have focused on fending off attacks coming from outside the organizational boundaries, a real threat has arisen from the people who are inside those perimeter protections. Insider threats have shown their power by hugely affecting national security, financial stability, and the privacy of many thousands of people. What is in the news is the tip of the iceberg, with much more going on under the radar, and some threats never being detected. We propose a hybrid framework based on graphical analysis and anomaly detection approaches, to combat this severe cybersecurity threat. Our framework analyzes heterogeneous data in isolating possible malicious users hiding behind others. Empirical results reveal this framework to be effective in distinguishing the majority of users who demonstrate typical behavior from the minority of users who show suspicious behavior.

Oksana Nikiforova,Andrejs Romanovs,Vitaly Zabiniako,Jurijs Kornienko

DOI: https://doi.org/10.1109/access.2024.3365424

IF: 3.9

2024-03-02

IEEE Access

Abstract:This paper explores the analysis of user behavior in information systems through audit records, creating a behavior model represented as a graph. The model captures actions over a specified period, facilitating real-time comparison to identify insider threats exploring anomalies detected in behavior models. "e-StepControl," developed by "ABC software" Ltd., incorporates this approach for monitoring user behavior in different business environments. The study proposes enhancing this solution with automatic user clustering, achieved by grouping individuals exhibiting similar behavior patterns using AI/ML algorithms. The research evaluates various clustering methods, discussing their suitability for grouping users based on their behavior. The subsequent step involves leveraging user class behavior models to identify anomalies by comparing an individual's actions with the behavior model expected in their specific user group. This extension aims to enhance the system's ability to detect potentially malicious activities, providing data security administrators with timely alerts in case of deviations from typical behavior.

computer science, information systems,telecommunications,engineering, electrical & electronic

Kexiong Fei,Jiang Zhou,Yucan Zhou,Xiaoyan Gu,Haihui Fan,Bo Li,Weiping Wang,Yong Chen

DOI: https://doi.org/10.1016/j.cose.2024.104126

IF: 5.105

2024-09-21

Computers & Security

Abstract:Insider threats have increasingly become a critical issue that modern enterprises and organizations faced. They are mainly initiated by insider attackers, which may cause disastrous impacts. Numerous research studies have been conducted for insider threat detection. However, most of them are limited due to a small number of malicious samples. Moreover, as existing methods often concentrate on feature information or statistical characteristics for anomaly detection, they still lack effective use of comprehensive textual content information contained in logs and thus will affect detection efficiency. We propose LaAeb , a novel unsupervised insider threat detection framework that leverages rich linguistic information in log contents to enable conventional methods, such as an Isolation Forest-based anomaly detection, to better detect insider threats besides using various features and statistical information. To find malicious acts under different scenarios, we consider three patterns of insider threats, including attention , emotion , and behavior anomaly . The attention anomaly detection analyzes textual contents of operation objects (e.g., emails and web pages) in logs to detect threats, where the textual information reflects the areas that employees focus on. When the attention seriously deviates from daily work, an employee may involve malicious acts. The emotion anomaly detection analyzes all dialogs between every two employees' daily communicated texts and uses the degree of negative to find potential psychological problems. The behavior anomaly detection analyzes the operations of logs to detect threats. It utilizes information acquired from attention and emotion anomalies as ancillary features, integrating them with features and statistics extracted from log operations to create log embeddings. With these log embeddings, LaAeb employs anomaly detection algorithm like Isolation Forest to analyze an employee's malicious operations, and further detects the employee's behavior anomaly by considering all employees' acts in the same department. Finally, LaAeb consolidates detection results of three patterns indicative of insider threats in a comprehensive manner. We implement the prototype of LaAeb and test it on CERT and LANL datasets. Our evaluations demonstrate that compared with state-of-the-art unsupervised methods, LaAeb reduces FPR by 50% to reach 0.05 on CERT dataset under the same AUC (0.93) , and gets the best AUC (0.97) with 0.06 higher value on LANL dataset.

computer science, information systems

Xiangrui Cai,Yang Wang,Sihan Xu,Hao Li,Ying Zhang,Zheli Liu,Xiaojie Yuan

2024-03-17

Abstract:Enterprises and organizations are faced with potential threats from insider employees that may lead to serious consequences. Previous studies on insider threat detection (ITD) mainly focus on detecting abnormal users or abnormal time periods (e.g., a week or a day). However, a user may have hundreds of thousands of activities in the log, and even within a day there may exist thousands of activities for a user, requiring a high investigation budget to verify abnormal users or activities given the detection results. On the other hand, existing works are mainly post-hoc methods rather than real-time detection, which can not report insider threats in time before they cause loss. In this paper, we conduct the first study towards real-time ITD at activity level, and present a fine-grained and efficient framework LAN. Specifically, LAN simultaneously learns the temporal dependencies within an activity sequence and the relationships between activities across sequences with graph structure learning. Moreover, to mitigate the data imbalance problem in ITD, we propose a novel hybrid prediction loss, which integrates self-supervision signals from normal activities and supervision signals from abnormal activities into a unified loss for anomaly detection. We evaluate the performance of LAN on two widely used datasets, i.e., CERT r4.2 and CERT r5.2. Extensive and comparative experiments demonstrate the superiority of LAN, outperforming 9 state-of-the-art baselines by at least 9.92% and 6.35% in AUC for real-time ITD on CERT r4.2 and r5.2, respectively. Moreover, LAN can be also applied to post-hoc ITD, surpassing 8 competitive baselines by at least 7.70% and 4.03% in AUC on two datasets. Finally, the ablation study, parameter analysis, and compatibility analysis evaluate the impact of each module and hyper-parameter in LAN. The source code can be obtained from

Cryptography and Security,Artificial Intelligence,Machine Learning

Mathieu Garchery,Michael Granitzer

DOI: https://doi.org/10.48550/arXiv.2007.06985

IF: 5.414

2020-07-14

Machine Learning

Abstract:Previous works on the CERT insider threat detection case have neglected graph and text features despite their relevance to describe user behavior. Additionally, existing systems heavily rely on feature engineering and audit data aggregation to detect malicious activities. This is time consuming, requires expert knowledge and prevents tracing back alerts to precise user actions. To address these issues we introduce ADSAGE to detect anomalies in audit log events modeled as graph edges. Our general method is the first to perform anomaly detection at edge level while supporting both edge sequences and attributes, which can be numeric, categorical or even text. We describe how ADSAGE can be used for fine-grained, event level insider threat detection in different audit logs from the CERT use case. Remarking that there is no standard benchmark for the CERT problem, we use a previously proposed evaluation setting based on realistic recall-based metrics. We evaluate ADSAGE on authentication, email traffic and web browsing logs from the CERT insider threat datasets, as well as on real-world authentication events. ADSAGE is effective to detect anomalies in authentications, modeled as user to computer interactions, and in email communications. Simple baselines give surprisingly strong results as well. We also report performance split by malicious scenarios present in the CERT datasets: interestingly, several detectors are complementary and could be combined to improve detection. Overall, our results show that graph features are informative to characterize malicious insider activities, and that detection at fine-grained level is possible.

David Savage,Xiuzhen Zhang,Xinghuo Yu,Pauline Chou,Qingmai Wang

DOI: https://doi.org/10.48550/arXiv.1608.00301

2016-08-01

Abstract:Anomalies in online social networks can signify irregular, and often illegal behaviour. Anomalies in online social networks can signify irregular, and often illegal behaviour. Detection of such anomalies has been used to identify malicious individuals, including spammers, sexual predators, and online fraudsters. In this paper we survey existing computational techniques for detecting anomalies in online social networks. We characterise anomalies as being either static or dynamic, and as being labelled or unlabelled, and survey methods for detecting these different types of anomalies. We suggest that the detection of anomalies in online social networks is composed of two sub-processes; the selection and calculation of network features, and the classification of observations from this feature space. In addition, this paper provides an overview of the types of problems that anomaly detection can address and identifies key areas of future research.

Social and Information Networks,Physics and Society

Rida Nasir,Mehreen Afzal,Rabia Latif,Waseem Iqbal

DOI: https://doi.org/10.1109/access.2021.3118297

IF: 3.9

2021-01-01

IEEE Access

Abstract:The most detrimental cyber attacks are usually not originated by malicious outsiders or malware but from trusted insiders. The main advantage insider attackers have over external elements is their ability to bypass security checks and remain undiscovered, this may cause serious damage to the organizational assets. This paper focuses on insider threat detection through behavioral analysis of users. User behavior is categorized as normal or malicious based on user activity. A series of events and activities are analyzed for feature selection to efficiently detect adversarial behavior. Selected feature vectors are used for model training during the implementation phase. A deep learning based approach is proposed that detects insiders with greater accuracy and low false positive rate. A rich event / user role based feature set containing Logon/Logoff events, User_role, Functional_unit etc are used for detection. The dataset used is the CMU CERT synthetic insider threat dataset r4.2. Performance of our proposed algorithm has been compared to other well-known techniques i.e. long short term Memory- convolutional neural network, random forest, long short term memory- recurrent neural network, one class support vector machine, Markov chain model, multi state long short term memory & convolutional neural network, gated recurrent unit & skipgram. The comparison proved that our novel approach produces relatively good accuracy(90.60%), precision(97%) and F1 Score (94%).

computer science, information systems,telecommunications,engineering, electrical & electronic

Singh, Malvika,Mehtre, B. M.,Sangeetha, S.,Govindaraju, Venu

DOI: https://doi.org/10.1007/s12652-023-04581-1

IF: 3.662

2023-03-06

Journal of Ambient Intelligence and Humanized Computing

Abstract:Insider threats constitute a major cause of security breaches in organizations. They are the employees/users of an organization, causing harm by performing any malicious activity. Most of the existing methods to detect insider threats are based on machine and deep learning and have the following limitations: they use predefined rules or stored signatures and fail to detect new or unknown threats; they require explicit feature engineering, which results in more false positives; they require a large amount of training data, and are computationally expensive. In this paper, an improved user behavior-based insider threat detection method is proposed using a hybrid learning approach that overcomes the above limitations. It uses bi-directional long-short-term memory for feature extraction, a feed-forward artificial neural network (using distance measurements) for feature selection, and a support vector machine for classification-normal user or malicious user. The genetic algorithm's fast global search strategy is used for the support vector machine's initial kernel selection. Finally, alerts are generated for each user based on their combined anomaly score. The proposed method is tested using the CMU-CERT r4.2 insider threat dataset, and its performance is evaluated using the following parameters: accuracy, precision, recall, f-measure, and area under curve-receiver operating characteristic curve. The results show a significant improvement over the existing methods.

computer science, information systems,telecommunications, artificial intelligence

Anthony Palladino,Christopher J. Thissen

DOI: https://doi.org/10.48550/arXiv.1812.02848

2018-12-06

Cryptography and Security

Abstract:Intrusion detection systems (IDSs) generate valuable knowledge about network security, but an abundance of false alarms and a lack of methods to capture the interdependence among alerts hampers their utility for network defense. Here, we explore a graph-based approach for fusing alerts generated by multiple IDSs (e.g., Snort, OSSEC, and Bro). Our approach generates a weighted graph of alert fields (not network topology) that makes explicit the connections between multiple alerts, IDS systems, and other cyber artifacts. We use this multi-modal graph to identify anomalous changes in the alert patterns of a network. To detect the anomalies, we apply the role-dynamics approach, which has successfully identified anomalies in social media, email, and IP communication graphs. In the cyber domain, each node (alert field) in the fused IDS alert graph is assigned a probability distribution across a small set of roles based on that node's features. A cyber attack should trigger IDS alerts and cause changes in the node features, but rather than track every feature for every alert-field node individually, roles provide a succinct, integrated summary of those feature changes. We measure changes in each node's probabilistic role assignment over time, and identify anomalies as deviations from expected roles. We test our approach using simulations including three weeks of normal background traffic, as well as cyber attacks that occur near the end of the simulations. This paper presents a novel approach to multi-modal data fusion and a novel application of role dynamics within the cyber-security domain. Our results show a drastic decrease in the false-positive rate when considering our anomaly indicator instead of the IDS alerts themselves, thereby reducing alarm fatigue and providing a promising avenue for threat intelligence in network defense.