Table of Contents
Fetching ...

Cybersecurity threat detection based on a UEBA framework using Deep Autoencoders

Jose Fuentes, Ines Ortega-Fernandez, Nora M. Villanueva, Marta Sestelo

TL;DR

This paper addresses the challenge of detecting cyber threats in enterprise environments by modeling normal user and entity behavior across numerical and textual data. It proposes a novel UEBA framework that combines Deep Autoencoders with Doc2Vec embeddings to create an explainable anomaly detector whose residuals provide interpretable insights into potential incidents. A theoretical contribution proves the equivalence of two common neural-network definitions, grounding the autoencoder design in universal approximation theory, while experiments on real financial-institution data and synthetic anomalies demonstrate robust detection and actionable explanations. The work suggests practical integration into security operations with residual-based reasoning to support root-cause analysis and reduces false positives by leveraging multimodal features and explainability, marking a step toward transparent, scalable threat detection in enterprise settings.

Abstract

User and Entity Behaviour Analytics (UEBA) is a broad branch of data analytics that attempts to build a normal behavioural profile in order to detect anomalous events. Among the techniques used to detect anomalies, Deep Autoencoders constitute one of the most promising deep learning models on UEBA tasks, allowing explainable detection of security incidents that could lead to the leak of personal data, hijacking of systems, or access to sensitive business information. In this study, we introduce the first implementation of an explainable UEBA-based anomaly detection framework that leverages Deep Autoencoders in combination with Doc2Vec to process both numerical and textual features. Additionally, based on the theoretical foundations of neural networks, we offer a novel proof demonstrating the equivalence of two widely used definitions for fully-connected neural networks. The experimental results demonstrate the proposed framework capability to detect real and synthetic anomalies effectively generated from real attack data, showing that the models provide not only correct identification of anomalies but also explainable results that enable the reconstruction of the possible origin of the anomaly. Our findings suggest that the proposed UEBA framework can be seamlessly integrated into enterprise environments, complementing existing security systems for explainable threat detection.

Cybersecurity threat detection based on a UEBA framework using Deep Autoencoders

TL;DR

This paper addresses the challenge of detecting cyber threats in enterprise environments by modeling normal user and entity behavior across numerical and textual data. It proposes a novel UEBA framework that combines Deep Autoencoders with Doc2Vec embeddings to create an explainable anomaly detector whose residuals provide interpretable insights into potential incidents. A theoretical contribution proves the equivalence of two common neural-network definitions, grounding the autoencoder design in universal approximation theory, while experiments on real financial-institution data and synthetic anomalies demonstrate robust detection and actionable explanations. The work suggests practical integration into security operations with residual-based reasoning to support root-cause analysis and reduces false positives by leveraging multimodal features and explainability, marking a step toward transparent, scalable threat detection in enterprise settings.

Abstract

User and Entity Behaviour Analytics (UEBA) is a broad branch of data analytics that attempts to build a normal behavioural profile in order to detect anomalous events. Among the techniques used to detect anomalies, Deep Autoencoders constitute one of the most promising deep learning models on UEBA tasks, allowing explainable detection of security incidents that could lead to the leak of personal data, hijacking of systems, or access to sensitive business information. In this study, we introduce the first implementation of an explainable UEBA-based anomaly detection framework that leverages Deep Autoencoders in combination with Doc2Vec to process both numerical and textual features. Additionally, based on the theoretical foundations of neural networks, we offer a novel proof demonstrating the equivalence of two widely used definitions for fully-connected neural networks. The experimental results demonstrate the proposed framework capability to detect real and synthetic anomalies effectively generated from real attack data, showing that the models provide not only correct identification of anomalies but also explainable results that enable the reconstruction of the possible origin of the anomaly. Our findings suggest that the proposed UEBA framework can be seamlessly integrated into enterprise environments, complementing existing security systems for explainable threat detection.
Paper Structure (11 sections, 1 theorem, 11 equations, 7 figures, 4 tables, 2 algorithms)

This paper contains 11 sections, 1 theorem, 11 equations, 7 figures, 4 tables, 2 algorithms.

Key Result

Proposition 1

Definitions defNN and defNN2 are equivalent.

Figures (7)

  • Figure 1: Architecture of the UEBA-based anomaly detector.
  • Figure 2: Network diagram of the proposed autoencoder.
  • Figure 3: t-SNE representation of Customer Management. (a) Normal test data and (b) corresponding residuals.
  • Figure 4: Anomaly detection rates as a function of anomaly intensity for each model for the Customer Management model.
  • Figure 5: Anomaly detection rates as a function of anomaly intensity for each model for the Executive Positions model.
  • ...and 2 more figures

Theorems & Definitions (6)

  • Definition 1
  • Definition 2
  • Proposition 1
  • proof
  • Definition 3
  • Definition 4