Cybersecurity threat detection based on a UEBA framework using Deep Autoencoders
Jose Fuentes, Ines Ortega-Fernandez, Nora M. Villanueva, Marta Sestelo
TL;DR
This paper addresses the challenge of detecting cyber threats in enterprise environments by modeling normal user and entity behavior across numerical and textual data. It proposes a novel UEBA framework that combines Deep Autoencoders with Doc2Vec embeddings to create an explainable anomaly detector whose residuals provide interpretable insights into potential incidents. A theoretical contribution proves the equivalence of two common neural-network definitions, grounding the autoencoder design in universal approximation theory, while experiments on real financial-institution data and synthetic anomalies demonstrate robust detection and actionable explanations. The work suggests practical integration into security operations with residual-based reasoning to support root-cause analysis and reduces false positives by leveraging multimodal features and explainability, marking a step toward transparent, scalable threat detection in enterprise settings.
Abstract
User and Entity Behaviour Analytics (UEBA) is a broad branch of data analytics that attempts to build a normal behavioural profile in order to detect anomalous events. Among the techniques used to detect anomalies, Deep Autoencoders constitute one of the most promising deep learning models on UEBA tasks, allowing explainable detection of security incidents that could lead to the leak of personal data, hijacking of systems, or access to sensitive business information. In this study, we introduce the first implementation of an explainable UEBA-based anomaly detection framework that leverages Deep Autoencoders in combination with Doc2Vec to process both numerical and textual features. Additionally, based on the theoretical foundations of neural networks, we offer a novel proof demonstrating the equivalence of two widely used definitions for fully-connected neural networks. The experimental results demonstrate the proposed framework capability to detect real and synthetic anomalies effectively generated from real attack data, showing that the models provide not only correct identification of anomalies but also explainable results that enable the reconstruction of the possible origin of the anomaly. Our findings suggest that the proposed UEBA framework can be seamlessly integrated into enterprise environments, complementing existing security systems for explainable threat detection.
