Clustering Insider Threat Behaviour: An Ultrametric Anomaly Detection System
Abstract
Anger, aggression and confrontational behaviour (Greitzer et al., 2012) is one of 12 psychosocial precursors linked to malicious insider threat activity. Although there is not a given threshold at which these become a cause for concern, the manifestation of anger through aggressive language becomes relevant to indicate a potential insider threat, in particular when patterns outside of normal behaviour are observed. In previous work we have shown how an ultrametric (Murtagh et al., 2008; Contreras et al., 2012) can be used to create hierarchical clusters in constant algorithmic time. In this work we introduce the use of such an ultrametric applied to textual data in order to cluster anomalous aggressive behaviour. Our interest lies in detecting anomalies that can be used in conjunction with other behavioural precursors (e.g. stress, network traffic, etc.) to detect an insider threat.