DEEP LEARNING MODEL FOR PREDICTING COMPROMISED ACCOUNTS IN SECURITY EVENT MANAGEMENT SYSTEMS
DOI: https://doi.org/10.28925/2663-4023.2025.31.1050
Keywords: account compromise; user behavioral analytics; cybersecurity; cyber risks; adaptive event monitoring; Deep Learning; LSTM; Attention Mechanism; SIEM; UEBA
Abstract
In modern corporate information systems, complex attacks aimed at compromising user accounts are becoming more frequent. Traditional security event management systems based on correlation rules and signature analysis show limited ability to predict incidents, because they do not account for temporal dependencies or user behavioral patterns. This makes deep learning models that can capture nonlinear relationships between authentication parameters and the probability of account compromise relevant. This paper proposes a deep learning model for predicting compromise risk, built on a recurrent neural network of the LSTM type with an attention mechanism that dynamically weights the temporal features in a sequence of authentication events. The problem is formalized as minimizing a regularized loss function that reflects the deviation between the predicted probability of compromise and the actual security state of the account; optimization is performed with the Adam algorithm, which gives stable convergence and generalization across heterogeneous datasets. This approach improves anomaly detection accuracy and supports adaptive behavioral analytics within SIEM/UEBA architectures. Integrating the model into a SIEM environment provides a basis for context-oriented risk analysis that aligns with the principles of Zero Trust Architecture (NIST SP 800-207, 2020), the adversary behavior taxonomy of MITRE ATT&CK (v14, 2024), and the recommendations of the ENISA Threat Landscape (2023) for proactive real-time incident detection.
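The abstract describes the model's structure only in words: an LSTM over a user's authentication events, additive attention that weights each event's hidden state, a sigmoid head that outputs the compromise probability, and a regularized binary cross-entropy objective. The block below is an added illustration written for this page in numpy; it is not the authors' implementation. It runs the forward pass and evaluates that objective for two constructed users. The feature encoding (success/failure, new device, new ASN, MFA, log-scaled inter-event gap, off-hours flag), the sample events, the hidden size, and the regularization weight lam are assumptions; the weights are seeded random values and are not trained, so the Adam step the paper uses is not shown, only the loss it would minimize.

```python
"""LSTM + attention compromise-risk scorer over per-user authentication sequences.

Added illustration in numpy, not the paper's code. Weights are seeded random
values and untrained; the paper trains them with Adam, which is not shown here.
The feature encoding, sample events and regularization weight are assumptions.
"""
import math
from datetime import datetime, timezone

import numpy as np

# Constructed authentication events for two users (not real SIEM data).
# ts = epoch seconds; mfa = 1 if a second factor was presented.
BENIGN_EVENTS = [  # office-hours logins (09:20 UTC onward), known device/ASN, MFA
    {"ts": 1700040000 + k * 3600, "success": 1, "new_device": 0, "new_asn": 0, "mfa": 1}
    for k in range(5)
]
SUSPICIOUS_EVENTS = [  # 02:13 UTC failures from a new device/ASN, then a success without MFA
    {"ts": 1700014400 + k * 60, "success": 0, "new_device": 1, "new_asn": 1, "mfa": 0}
    for k in range(4)
] + [{"ts": 1700014400 + 300, "success": 1, "new_device": 1, "new_asn": 1, "mfa": 0}]

N_FEATURES = 7


def encode_events(events):
    """Map one user's events (any order) to a (T, N_FEATURES) float matrix."""
    rows, prev = [], None
    for e in sorted(events, key=lambda e: e["ts"]):
        # inter-event gap, log-scaled so that one day maps to 1.0
        gap = 0.0 if prev is None else math.log1p(e["ts"] - prev) / math.log1p(86400)
        hour = datetime.fromtimestamp(e["ts"], timezone.utc).hour
        rows.append([e["success"], 1 - e["success"], e["new_device"], e["new_asn"],
                     e["mfa"], gap, float(hour < 6 or hour >= 22)])
        prev = e["ts"]
    return np.array(rows, dtype=float)


def sigmoid(x):
    return 1.0 / (1.0 + np.exp(-x))


class LSTMAttentionScorer:
    def __init__(self, n_in=N_FEATURES, n_hidden=8, seed=0):
        rng = np.random.default_rng(seed)
        self.H = n_hidden
        self.Wx = rng.normal(0, 0.3, (4 * n_hidden, n_in))     # input -> gates (i, f, o, g)
        self.Wh = rng.normal(0, 0.3, (4 * n_hidden, n_hidden))  # hidden -> gates
        self.b = np.zeros(4 * n_hidden)
        self.Wa = rng.normal(0, 0.3, (n_hidden, n_hidden))      # attention projection
        self.va = rng.normal(0, 0.3, n_hidden)                  # attention scoring vector
        self.wo = rng.normal(0, 0.3, n_hidden)                  # output head
        self.bo = 0.0

    def params(self):
        return [self.Wx, self.Wh, self.b, self.Wa, self.va, self.wo]

    def lstm(self, X):
        """Standard LSTM recurrence; returns every hidden state, shape (T, H)."""
        H = self.H
        h, c, hs = np.zeros(H), np.zeros(H), []
        for x in X:
            z = self.Wx @ x + self.Wh @ h + self.b
            i, f, o = sigmoid(z[:H]), sigmoid(z[H:2 * H]), sigmoid(z[2 * H:3 * H])
            g = np.tanh(z[3 * H:])
            c = f * c + i * g
            h = o * np.tanh(c)
            hs.append(h)
        return np.stack(hs)

    def attention(self, Hs):
        """Additive attention: alpha_t = softmax_t(va . tanh(Wa h_t)); context = sum_t alpha_t h_t."""
        scores = np.tanh(Hs @ self.Wa.T) @ self.va
        alpha = np.exp(scores - scores.max())
        alpha /= alpha.sum()
        return alpha, alpha @ Hs

    def predict(self, X):
        """Compromise probability for sequence X, plus the per-event attention weights."""
        alpha, ctx = self.attention(self.lstm(X))
        return float(sigmoid(self.wo @ ctx + self.bo)), alpha


def regularized_loss(model, sequences, labels, lam=1e-3):
    """Mean binary cross-entropy + lam * squared L2 norm of the parameters."""
    eps = 1e-7
    bce = 0.0
    for X, y in zip(sequences, labels):
        p = min(max(model.predict(X)[0], eps), 1 - eps)
        bce -= y * math.log(p) + (1 - y) * math.log(1 - p)
    l2 = sum(float(np.sum(w * w)) for w in model.params())
    return bce / len(sequences) + lam * l2


def score_user(events, model=None):
    """Return (risk probability, index of the event the attention weighted most)."""
    if model is None:
        model = LSTMAttentionScorer()
    p, alpha = model.predict(encode_events(events))
    return p, int(np.argmax(alpha))


if __name__ == "__main__":
    m = LSTMAttentionScorer()
    for name, ev in (("benign", BENIGN_EVENTS), ("suspicious", SUSPICIOUS_EVENTS)):
        p, alpha = m.predict(encode_events(ev))
        print(f"{name}: p(compromise)={p:.3f}, attention={np.round(alpha, 3)}")
    seqs = [encode_events(BENIGN_EVENTS), encode_events(SUSPICIOUS_EVENTS)]
    print("regularized loss:", round(regularized_loss(m, seqs, [0, 1]), 4))
```

The attention vector is the part a SIEM analyst can act on: the event with the largest weight is the one the model leaned on, so score_user returns its index alongside the probability, which is what a UEBA alert would surface next to the risk score. Because the loss is evaluated on the sigmoid output, the two sequences and labels here are exactly the inputs an Adam loop would iterate over.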
References
Jurišić, M., Tomičić, I., & Grd, P. (2023). User Behavior Analysis for Detecting Compromised User Accounts: A Review Paper. Cybernetics and Information Technologies, 23(3), 102–113. https://doi.org/10.2478/cait-2023-0027
Berman, D. S., Buczak, A. L., Chavis, J. S., & Corbett, C. L. (2019). A Survey of Deep Learning Methods for Cyber Security. Information, 10(4), 122. https://doi.org/10.3390/info10040122
Vavryk, Y., & Opirskyy, I. (2024). Artificial Intelligence: Cybersecurity of the New Generation. Ukrainian Scientific Journal of Information Security, 30(2), 244–255. https://jrnl.nau.edu.ua/index.php/Infosecurity/article/view/19235
Lanuwabang, L., & Sarasu, P. (2025). Detection of Anomalies Based on User Behavioral Information: A Survey. International Journal of Wireless and Microwave Technologies (IJWMT), 15(3), 54–65. https://doi.org/10.5815/ijwmt.2025.03.04
Huang, H., Wang, P., Wang, J., Alexanian, S., & Niyato, D. (2025). Deep Learning Advancements in Anomaly Detection: A Comprehensive Survey. arXiv preprint. https://arxiv.org/html/2503.13195v1
Ban, T., Takahashi, T., Ndichu, S., & Inoue, D. (2023). Breaking Alert Fatigue: AI-Assisted SIEM Framework for Effective Incident Response. Applied Sciences, 13(11), 6610. https://doi.org/10.3390/app13116610
Xia, S., et al. (2024). MFAM-AD: An anomaly detection model for multivariate time series using attention mechanism to fuse multi-scale features. PeerJ Computer Science. https://peerj.com/articles/cs-2201/
Qingning, L., et al. (2023). Multi-Scale Anomaly Detection for Time Series with Attention Mechanism. Proceedings of the 40th International Conference on Machine Learning. https://proceedings.mlr.press/v189/qingning23a/qingning23a.pdf
LogLLM: Log-based Anomaly Detection Using Large Language Models. (2024). arXiv preprint. https://arxiv.org/html/2411.08561v1
AI HOUSE. (2024). AI Ecosystem of Ukraine: Talent, Companies, Education. https://aihouse.org.ua/wp-content/uploads/2024/01/AI-Ecosystem-of-Ukraine-by-AI-HOUSE-x-Roosh-UA.pdf (accessed 19 June 2024)
Vaswani, A., Shazeer, N., Parmar, N., Uszkoreit, J., Jones, L., Gomez, A. N., Kaiser, Ł., & Polosukhin, I. (2017). Attention Is All You Need. Advances in Neural Information Processing Systems (NeurIPS 2017), 30, 5998–6008. https://doi.org/10.48550/arXiv.1706.03762
Cheng, J., Dong, L., & Lapata, M. (2021). Long Short-Term Memory-Networks for Machine Reading. Computational Linguistics, 47(2), 377–414. https://doi.org/10.1162/coli_a_00402
National Institute of Standards and Technology (NIST). (2023). NIST Special Publication 800-94 Rev. 2: Guide to Intrusion Detection and Prevention Systems (IDPS). Gaithersburg, MD: U.S. Department of Commerce. https://doi.org/10.6028/NIST.SP.800-94r2
Zhuk, P., et al. (2024). Hybrid LSTM-Attention Architecture for Behavioral Anomaly Detection in Enterprise Networks. IEEE Access, 12, 118540–118552. https://doi.org/10.1109/ACCESS.2024.3387512
Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). NIST Special Publication 800-207: Zero Trust Architecture. Gaithersburg, MD: National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-207
European Union Agency for Cybersecurity (ENISA). (2023). ENISA Threat Landscape 2023. Heraklion: ENISA Publications Office. ISBN 978-92-9204-640-4. https://www.enisa.europa.eu/topics/threats/threat-landscape
European Union Agency for Cybersecurity (ENISA). (2024). ENISA Threat Landscape 2024: Predictive Security Intelligence and AI-Driven Threat Analysis. Heraklion: ENISA Publications Office. ISBN 978-92-9204-675-0. https://doi.org/10.2824/0710888. https://op.europa.eu/en/publication-detail/-/publication/e71394ea-85f0-11ef-a67d-01aa75ed71a1
The MITRE Corporation. (2024). MITRE ATT&CK® Framework, Version 14. Bedford, MA: MITRE Engenuity. https://attack.mitre.org/versions/v14/ (accessed October 2024)
License
Copyright (c) 2025 Євген Живило, Юрій Кучма

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.