A Consensus-Bayesian Framework for Detecting Malicious Activity in Enterprise Directory Access Graphs

Imagine a massive, bustling office building (the Enterprise) where thousands of employees (Users) constantly move between different rooms, filing cabinets, and digital lockers (Directories).

Normally, people stick to their own teams. The marketing team hangs out in the Marketing room; the engineers stay in the Engineering lab. They know who they trust, who they work with, and what files they usually touch. This is the "normal" flow of the building.

But what happens when a spy (a Malicious Actor) sneaks in? Or when an employee gets confused and starts wandering into rooms they've never entered before? Traditional security guards just look at the ID badges (encryption) or check the logs after the crime happens (forensics). This paper proposes a smarter way: a "Gossip Network" that spots trouble before it spreads.

Here is how the authors' system works, broken down into simple concepts:

1. The "Gossip" Map (Opinion Dynamics)

Think of every employee as having an "opinion" about what they should be doing.

The Normal State: In a healthy team, everyone agrees on the plan. If the Marketing team decides to work on a specific project, they all move in sync. Their "opinions" converge.
The Graph: The system draws a map showing who influences whom. If Alice usually asks Bob for help, there's a line connecting them. If Bob suddenly stops listening to Alice and starts listening to a stranger, the map changes.

2. The "Trust Circles" (Strongly Connected Components)

The system groups people into tight-knit circles (called SCCs).

Closed Circles: These are teams that only talk to each other. They have their own internal rules. If they all agree, they are stable.
Open Circles: These are teams that take advice from outside.
The Rule: As long as everyone in a circle follows the same "logic" (e.g., "We only open files from the server"), the group stays calm and stable.

3. The "Whistleblower" (Detecting the Anomaly)

The magic happens when someone breaks the rules.

The Scenario: Imagine a hacker (or a confused employee) starts accessing files they shouldn't. Suddenly, User A (who usually only talks to User B) starts taking orders from User Z (a stranger in a different department).
The Shift: This changes the "logic" of the group. The group's internal agreement breaks. Instead of everyone moving in harmony, they start arguing or moving in different directions.
The Signal: The system measures Variance. Think of this as the "noise level" in the room.
- Normal: Low noise. Everyone is humming the same tune.
- Anomaly: High noise. Someone is screaming a different song. The system sees this spike in "noise" (variance) and knows something is wrong.

4. The "Smart Detective" (Bayesian Scoring)

The system doesn't just scream "ALARM!" the second it hears a noise. It acts like a smart detective using Bayesian Logic (a way of updating beliefs based on new evidence).

The Prior: The detective starts with a hunch: "It's probably safe, but I'm watching." (Low probability of a crime).
The Evidence: Every time the "noise" (variance) gets louder, the detective updates their hunch.
- Small noise: "Maybe just a misunderstanding." (Probability goes up slightly).
- Loud, persistent noise: "Okay, this is definitely a break-in!" (Probability shoots up to 99%).
The Result: The system gives a score from 0 to 100%. If the score gets too high, it flags the user as malicious.

5. Why This is Better Than Old Methods

Old Way: "You accessed a file you never touched before. Arrest you!" (Too many false alarms; people change jobs and need new files).
This Way: "You accessed a new file, BUT you also stopped listening to your team, started listening to a stranger, and your whole team is now confused. That's suspicious."
It looks at the relationships, not just the single action. It understands that a team moving together is normal, but a team falling apart because of one person is a red flag.

The Big Picture

This paper builds a digital immune system for companies. Instead of just checking if a key fits a lock, it watches how the "cells" (users) interact. If a cell starts acting weird and infecting its neighbors, the system detects the "infection" (malicious activity) instantly by measuring how much the group's harmony is disrupted.

In short: It turns the chaotic noise of a busy office into a clear signal, spotting the bad guys by the way they disrupt the team's rhythm.

Here is a detailed technical summary of the paper "A Consensus-Bayesian Framework for Detecting Malicious Activity in Enterprise Directory Access Graphs."

1. Problem Statement

Enterprise security threats, particularly insider threats and behavioral anomalies, are becoming increasingly sophisticated. Traditional User and Entity Behavior Analytics (UEBA) often rely on static baselines or historical data, requiring frequent retraining as user behaviors shift. Furthermore, existing methods frequently fail to fully leverage the multi-level hierarchical structure of user-directory relationships (e.g., teams accessing shared repositories).

The core challenge is to develop an adaptive detection model that:

Models the logical dependencies between users and directories as a dynamic graph.
Detects deviations from normal consensus behavior without relying solely on static thresholds.
Quantifies uncertainty in real-time to distinguish between benign behavioral shifts (e.g., role changes) and malicious logical perturbations.

2. Methodology

The authors propose a Consensus-Bayesian Framework that fuses Opinion Dynamics theory with Bayesian Inference to model and detect anomalies in enterprise access graphs.

A. Graph Modeling

The system models the enterprise environment as a Multi-Level Interaction Graph $G(W, C)$ :

Directory Similarity Graph ( $G[W]$ ): A row-stochastic matrix $W$ captures content or behavior-based similarity between directories (topics).
User-Dependency Graphs ( $G[C_i]$ ): For each directory $D_i$ $D_{i}$ , a matrix $C_i$ $C_{i}$ encodes logical dependencies between users.
- Users are grouped into Strongly Connected Components (SCCs), representing natural clusters like development teams.
- SCCs are classified as Closed (internal influence only) or Open (receiving external influence).
- The matrix $C_i$ is dynamically updated based on observed access patterns (read/write frequencies).

B. Opinion Dynamics Formulation

The framework adapts consensus theorems from literature (specifically Ye et al. [9]) to model how user "opinions" (access behaviors) evolve:

Convergence Conditions: Under stable conditions, opinions within closed SCCs converge to a steady state.
Divergence Triggers: Anomalies are modeled as logical perturbations (e.g., a user suddenly accessing a directory they have no logical dependency on, or changing their self-dependency weights).
Theorems Applied:
- Theorem 2/3: Predict convergence for closed SCCs or singleton topics.
- Theorem 4: Handles open SCCs with external dependencies.
- Failure Modes: If the logical structure changes (e.g., $C_i$ matrices differ across agents in an SCC) or external inputs are inconsistent, the system diverges, failing to reach consensus.

C. Anomaly Detection Mechanism

The detection pipeline operates in three stages:

SCC Decomposition: The system recursively decomposes logic matrices into SCCs and assigns applicable theorems based on dependency structures.
Variance as a Signal: The system monitors the scaled opinion variance ( $\Delta v$ $Δ v$ ) across agents.
- Normal operation: Low, stable variance.
- Anomaly: A sudden spike in variance indicates structural disagreement or logic inconsistency.
Bayesian Scoring: To quantify uncertainty, a Bayesian update mechanism calculates an anomaly score $\pi_t$ $π_{t}$ :
$\pi_t = \frac{L \cdot \pi_{t-1}}{L \cdot \pi_{t-1} + (1-L)(1-\pi_{t-1})}$
- Likelihood ( $L$ ): Derived from the exponential mapping of the variance shift ( $\Delta v$ ).
- Prior ( $\pi_{t-1}$ ): Can be Static (fixed) or Online (updated recursively with the posterior), allowing the system to become more sensitive to cumulative divergence over time.

3. Key Contributions

Novel Framework: First to bridge Opinion Dynamics (typically used in social networks) with UEBA for cloud security, treating directories as "topics" and users as "agents."
Theoretical Guarantees: Utilizes formal convergence theorems to define the "normal" state of the system, making anomaly detection a matter of detecting consensus failure rather than just statistical outliers.
Dynamic Bayesian Scoring: Introduces an adaptive scoring mechanism that evolves over time, distinguishing between transient noise and persistent malicious structural shifts.
Multi-Level Graph Analysis: Explicitly models the hierarchy of user-directory interactions, capturing both local (user-to-user) and global (directory-to-directory) dependencies.

4. Experimental Results

The authors validated the framework using synthetic simulations:

Validation: Successfully replicated results from a foundational opinion dynamics paper [10], confirming the correctness of the convergence and divergence logic.
Anomaly Injection: Simulated an attack at time $T=5$ $T = 5$ where users in one SCC (D1–D3) began influencing users in a separate SCC (D4–D5) with tunable weights.
- Observation: As the influence weight ( $w_t$ ) increased, the system's opinion variance spiked, and the Bayesian anomaly score rose.
- Static vs. Online Priors: The Online Prior approach detected anomalies earlier and reacted more sharply to low-weight perturbations compared to the Static Prior, which tended to saturate early.
Robustness: The system demonstrated high sensitivity to logical inconsistencies (changes in $C_i$ matrices) even when the topological graph structure remained visually similar.

5. Significance and Future Work

Significance:
This work moves beyond static baselines by providing a proactive, theoretically grounded method for detecting insider threats. By framing security anomalies as "consensus failures" in a logical network, it offers a robust way to detect subtle behavioral drifts that traditional ML models might miss. The Bayesian component adds a crucial layer of uncertainty quantification, essential for reducing false positives in dynamic enterprise environments.

Challenges & Next Steps:

Scalability: Current matrix-based simulations are computationally intensive for thousands of users; future work requires optimization (e.g., lazy updates, distributed processing).
False Positives: Balancing sensitivity to anomalies with tolerance for legitimate role changes (e.g., team transfers) remains a challenge.
Integration: Future plans include integrating organizational context (roles, sensitivity levels), developing explainability tools (traceability of anomaly sources), and packaging the framework as a plug-in for SIEM/UEBA systems.

In conclusion, the paper presents a rigorous mathematical approach to enterprise security, transforming access logs into a dynamic opinion network where malicious activity is detected as a fundamental breakdown in logical consensus.