LLM-Driven Insider Threat Detection Inversion in Multi-Agent Simulation
A pre-registered study using a multi-agent LLM simulation found that an adaptive insider mole using OPSEC techniques had lower suspicion levels than innocent agents, contrary to predictions. The Human Behavioral Entropy Engine (HBEE) tested five conditions across 100 runs, revealing a detection inversion at T_60 with Cliff's delta = -0.694. The study challenges assumptions about behavioral residue in insider threat detection.
Key facts
- Pre-registered five-condition study with 100 runs (95 valid)
- Detection inversion: adaptive mole's suspicion in-degree lower than innocent agent at T_60
- Cliff's delta = -0.694, 95% BCa CI [-0.855, -0.519], Mann-Whitney p << 0.01
- Pre-registered prediction was opposite direction
- Adaptive OPSEC produced no detectable shift in UEBA rank under either defender mode
- Two detection signals: peer suspicion graph in-degree and UEBA rank
Entities
Institutions
- arXiv