Greenberg News

    Green Futures: Innovate, Sustain, Thrive

    Electronics, Vol. 15, Pages 248: A SIEM-Integrated Cybersecurity Prototype for Insider Threat Anomaly Detection Using Enterprise Logs and Behavioural Biometrics

    Greenberg     January 5, 2026 in News - 2 Minutes


    Electronics, Vol. 15, Pages 248: A SIEM-Integrated Cybersecurity Prototype for Insider Threat Anomaly Detection Using Enterprise Logs and Behavioural Biometrics

    Electronics doi: 10.3390/electronics15010248

    Authors:
    Mohamed Salah Mohamed
    Abdullahi Arabo

    Insider threats remain a serious concern for organisations in both public and private sectors. Detecting anomalous behaviour in enterprise environments is critical for preventing insider incidents. While many prior studies demonstrate promising results using deep learning on offline datasets, few address real-time operationalisation or calibrated alert control within a Security Information and Event Management (SIEM) workflow. This paper presents a SIEM-integrated prototype that fuses the Computer Emergency Response Team Insider Threat Test Dataset (CERT) enterprise logs (Logon, Device, HTTP, and Email) with behavioural biometrics from the Balabit mouse dynamics dataset. Per-modality one-dimensional convolutional neural network (1D CNN) branches are trained independently using imbalance-aware strategies, including downsampling, class weighting, and focal loss. A unified 20 × N feature schema ensures train–serve parity and consistent feature validation during live inference. Post-training calibration using Platt and isotonic regression enables analyst-controlled threshold tuning and stable alert budgeting inside the SIEM. The models are deployed in Splunk’s Machine Learning Toolkit (MLTK), where dashboards visualise anomaly timelines, risky users or hosts, and cross-stream overlaps. Evaluation emphasises operational performance, precision–recall balance, calibration stability, and throughput rather than headline accuracy. Results show calibrated, controllable alert volumes: for Device, precision ≈0.70 at recall ≈0.30 (PR-AUC = 0.468, ROC-AUC = 0.949); for Logon, ROC-AUC = 0.936 with an ultra-low false-positive rate at a conservative threshold. Batch CPU inference sustains ≈70.5 k windows/s, confirming real-time feasibility. This study’s main contribution is to demonstrate a calibrated, multi-modal CNN framework that integrates directly within a live SIEM pipeline. It provides a reproducible path from offline anomaly detection research to Security Operations Centre (SOC)-ready deployment, bridging the gap between academic models and operational Cybersecurity practice.



    Source link

    Mohamed Salah Mohamed www.mdpi.com

    Related Posts

    Texas clears the way for petrochemical expansion as experts warn of health risks
    January 7, 2026
    Symmetry, Vol. 18, Pages 106: Analysis of Wind Erosion Resistance Enhancement of Aeolian Sand by Microbially Induced Carbonate Precipitation Technology
    January 7, 2026
    Cancers, Vol. 18, Pages 189: Oligometastatic Bladder Cancer: Current Definitions, Diagnostic Challenges, and Evolving Therapeutic Strategies
    January 7, 2026

    Greenberg

    Learn More →
    This website uses cookies to improve user experience. By continuing to use the site, you consent to the use of cookies.