The increasing sophistication of cyberattacks, especially insider and process-related anomalies, poses a major challenge to enterprises, as traditional rule-based or shallow anomaly detection systems often fail to capture complex behavioral patterns. User and Entity Behavior Analytics (UEBA) is a broad branch of data analytics that attempts to build a normal behavioral profile in order to detect anomalous events. Among the techniques used to detect anomalies, deep autoencoders constitute one of the most promising deep learning models for UEBA tasks, allowing explainable detection of security incidents that could lead to the leak of personal data, hijacking of systems, or access to sensitive business information. In this study, we introduced the first implementation of an explainable UEBA-based anomaly detection framework that leveraged deep autoencoders in combination with Doc2Vec, a neural network-based approach that learns distributed representations of documents, to process both numerical and textual features. Additionally, based on the theoretical foundations of neural networks, we offered a novel proof demonstrating the equivalence of two widely used definitions of fully-connected neural networks. The experimental results demonstrated the proposed framework's capability to effectively detect both real anomalies and synthetic anomalies generated from real attack data, showing that the models provided not only correct identification of anomalies but also explainable results that enabled the reconstruction of the possible origin of the anomaly. Compared to existing UEBA and anomaly detection approaches, the novelty of our framework lay in combining explainable multimodal feature processing with formal mathematical guarantees. Our findings suggested that the proposed UEBA framework can be seamlessly integrated into enterprise environments.
Citation: Jose Fuentes, Ines Ortega-Fernandez, Nora M. Villanueva, Marta Sestelo. Cybersecurity threat detection based on a UEBA framework using Deep Autoencoders[J]. AIMS Mathematics, 2025, 10(10): 23496-23517. doi: 10.3934/math.20251043
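The abstract describes scoring user activity by autoencoder reconstruction error and tracing an alert back to its likely origin. The following added example (not code from the paper or its authors) shows that workflow on numerical features only, with a closed-form linear autoencoder (PCA) standing in for the deep autoencoder, Doc2Vec omitted, a constructed user-activity profile, and per-feature reconstruction error assumed as the explanation mechanism.

```python
import numpy as np

FEATURES = ["logins", "files_accessed", "bytes_uploaded_mb", "after_hours_ratio"]
SUSPECT = np.array([21.0, 104.0, 5000.0, 0.1])  # constructed: normal volumes except a ~20x upload spike


def make_normal_profile(n=200, seed=0):
    """Constructed 'normal' per-user daily activity (not real data): three
    correlated volume features plus an independent after-hours ratio."""
    rng = np.random.default_rng(seed)
    logins = rng.normal(20, 4, n)
    files = 5 * logins + rng.normal(0, 3, n)
    mbytes = 2 * files + rng.normal(0, 8, n)
    after_hours = rng.uniform(0.0, 0.2, n)
    return np.column_stack([logins, files, mbytes, after_hours])


class LinearAutoencoder:
    """Tied-weight linear autoencoder solved in closed form (PCA). It stands in
    for the paper's deep autoencoder so the workflow runs without a DL stack."""

    def __init__(self, k=2, percentile=99.0):
        self.k, self.percentile = k, percentile

    def fit(self, X):
        # Standardise with statistics of normal behaviour only.
        self.mu, self.sigma = X.mean(0), X.std(0) + 1e-12
        Z = (X - self.mu) / self.sigma
        _, _, vt = np.linalg.svd(Z, full_matrices=False)
        self.W = vt[: self.k].T                      # encoder; decoder is W.T
        # Alert threshold is a high quantile of the normal reconstruction error.
        self.threshold = float(np.percentile(self.scores(X), self.percentile))
        return self

    def feature_errors(self, X):
        Z = (np.atleast_2d(X) - self.mu) / self.sigma
        return (Z - (Z @ self.W) @ self.W.T) ** 2    # per-feature squared error

    def scores(self, X):
        return self.feature_errors(X).sum(axis=1)

    def is_anomaly(self, x):
        return bool(self.scores(x)[0] > self.threshold)

    def explain(self, x):
        """Rank features by their share of the error: the likely origin of the alert."""
        err = self.feature_errors(x)[0]
        share = err / (err.sum() + 1e-12)
        return [(FEATURES[i], float(share[i])) for i in np.argsort(-share)]
```

Because the volume features are learned as correlated, the spike in `bytes_uploaded_mb` cannot be reconstructed from the user's normal login and file counts, so it dominates the error share and is reported as the origin of the alert.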