Introduction
While network intrusion detection focuses on traffic patterns, User and Entity Behavior Analytics (UEBA) shifts the lens to the humans and systems behind that traffic. Insider threats—whether malicious employees, compromised accounts, or negligent users—account for roughly 60% of data breaches, yet they are among the hardest threats to detect with traditional tools.
UEBA systems build behavioral profiles for every user and entity in the organization, establishing what "normal" looks like for each individual. When behavior deviates significantly from established baselines, the system generates risk-scored alerts that enable security teams to focus on the highest priority anomalies.
Building Behavioral Baselines
Effective UEBA begins with constructing comprehensive behavioral baselines for each user and entity. These baselines capture patterns across multiple dimensions: login times and locations, applications accessed, data volumes transferred, privilege usage patterns, and communication graphs.
The baseline learning period typically spans 30 to 90 days, during which the system observes and models normal behavior without generating alerts. During this period, the system must account for legitimate variations such as travel, project changes, and seasonal business cycles.
- Temporal patterns: Typical login hours, session duration, activity frequency
- Access patterns: Systems and data regularly accessed, privilege escalation frequency
- Data movement: Typical download/upload volumes, file types, destinations
- Communication patterns: Regular contacts, email volumes, collaboration tools usage
- Device and location: Known devices, typical network locations, VPN usage
Time-Series Anomaly Detection
User behavior naturally exhibits time-series patterns—daily routines, weekly cycles, and seasonal trends. Time-series anomaly detection algorithms model these temporal patterns and flag deviations that exceed statistical thresholds.
LSTM (Long Short-Term Memory) networks excel at capturing long-range temporal dependencies in user behavior sequences. By training on sequences of user actions over time, LSTMs can predict expected behavior and flag significant deviations. A user who suddenly accesses sensitive financial databases at 3 AM after months of only using standard business applications during work hours would trigger an anomaly.
Simpler statistical methods such as exponentially weighted moving averages (EWMA) and seasonal-trend decomposition (STL) are also effective and more interpretable. These methods work well for detecting volumetric anomalies—sudden changes in data access volumes, login frequencies, or privilege usage rates.
Insider Threat Indicators: The most dangerous insider threats often involve a gradual escalation of behavior rather than a sudden change. UEBA systems must detect both sharp deviations (compromised accounts) and slow drifts (employees planning data exfiltration over weeks or months).
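The two failure modes above in working code, as an added example that is not from the page or any UEBA product: an EWMA baseline with a learning period catches a sharp spike in one user's daily download volume, while a slow ramp is quietly absorbed into the adaptive baseline and is only caught by a CUSUM pinned to the learning-period statistics. The data, thresholds and function names are all constructed for illustration.

```python
"""EWMA baseline plus CUSUM drift detector for one user's daily download volume.
Added example, not code from any UEBA product; all data below are constructed."""
from math import sqrt
from statistics import mean, pstdev

LEARNING = [98, 99, 100, 101, 102] * 6                   # 30-day learning period, mean 100 MB/day
SPIKE = LEARNING + [900]                                 # compromised account: one sudden bulk pull
RAMP = LEARNING + [100 + 0.5 * j for j in range(1, 31)]  # exfiltration creeping up 0.5 MB/day

def ewma_anomalies(series, alpha=0.1, k=3.0, warmup=10):
    """Indices where a value exceeds the EWMA mean by more than k EWMA std devs.

    The first `warmup` points only train the baseline (the learning period: no
    alerts). Flagged points are not folded into the baseline, so a spike cannot
    widen the bands and mask a second spike the next day.
    """
    m, var, flagged = float(series[0]), 0.0, []
    for i in range(1, len(series)):
        x = series[i]
        if i >= warmup and x > m + k * max(sqrt(var), 1e-9):
            flagged.append(i)
            continue
        d = x - m
        m += alpha * d
        var = (1 - alpha) * (var + alpha * d * d)  # exponentially weighted variance
    return flagged

def cusum_drift(series, base_mean, base_std, slack=0.5, threshold=5.0):
    """One-sided CUSUM against a frozen baseline: first index where the accumulated
    standardized excess passes `threshold`, else None. A small but persistent shift
    that an adaptive EWMA quietly absorbs keeps adding up here."""
    s = 0.0
    for i, x in enumerate(series):
        s = max(0.0, s + (x - base_mean) / base_std - slack)
        if s > threshold:
            return i
    return None

def score_user(history, learning_days=30):
    """Run both detectors; CUSUM is pinned to the learning-period statistics."""
    base = history[:learning_days]
    drift = cusum_drift(history[learning_days:], mean(base), pstdev(base))
    return {"ewma_flags": ewma_anomalies(history),
            "drift_day": None if drift is None else learning_days + drift}

if __name__ == "__main__":
    print("spike:", score_user(SPIKE))  # EWMA flags day 30; CUSUM fires the same day
    print("ramp: ", score_user(RAMP))   # EWMA never fires; CUSUM fires on day 36
```

In production the learning-period statistics would be refreshed on a schedule rather than frozen forever, but refreshing them from data that already contains the drift is exactly how a slow exfiltration becomes the new normal.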
Graph-Based Peer Comparison
One of the most powerful techniques in UEBA is peer group analysis. Rather than evaluating each user in isolation, graph-based approaches compare a user's behavior against their organizational peers—colleagues in the same department, role, or project team.
If a software engineer suddenly begins accessing HR databases, that behavior is anomalous compared to both their own baseline and the behavior of other software engineers. Graph algorithms can automatically discover peer groups based on shared access patterns, organizational structure, and communication networks.
Knowledge graphs connecting users, devices, applications, and data assets enable sophisticated risk scoring that considers the full context of an anomaly. A deviation that would be benign for a database administrator may be highly suspicious for a marketing analyst, and graph-based models capture these contextual relationships naturally.
UEBA Platforms in Practice
Several commercial platforms have emerged as leaders in the UEBA space. Splunk UBA (now part of Splunk Enterprise Security) uses unsupervised ML algorithms to detect anomalies across user, device, and application behavior. Microsoft Sentinel integrates UEBA directly into its cloud-native SIEM, leveraging Azure Active Directory data for identity-centric detection.
Exabeam and Securonix offer dedicated UEBA platforms with pre-built threat models for common insider threat scenarios including data exfiltration, privilege abuse, and account compromise. These platforms combine ML-based anomaly detection with rules-based threat models to reduce false positives while maintaining high detection rates.
- Splunk UBA: ML-driven anomaly detection with 65+ pre-built threat models
- Microsoft Sentinel: Cloud-native UEBA with deep Azure AD and M365 integration
- Exabeam: Session-based timeline analysis with automated investigation playbooks
- Securonix: Risk-scored UEBA with behavior-based threat chains for insider threat detection