Vol. 1 No. 2 (2025)

Published: December 1, 2025

Pages: 82-93

Original Article

Enhancing User and Entity Behavior Analytics in SIEM Systems Using AI-Powered Anomaly Detection: A Data-Driven Simulation Approach

Abstract

The growing sophistication of cyber threats exposes the limits of signature-based detection in Security Information and Event Management (SIEM) systems. User and Entity Behavior Analytics (UEBA) extends SIEM with behavior-based anomaly detection, yet legacy UEBA approaches suffer from high false-positive rates and adapt poorly to evolving threats. This research proposes an AI-driven UEBA framework that combines deep learning for modeling user behavior with graph-based methods for mapping relationships among system entities, improving anomaly detection in enterprise environments. Using the CERT Insider Threat, UNSW-NB15, and TON_IoT datasets, we simulate diverse behaviors and evaluate detection performance. Our Transformer-GNN ensemble achieved an F1-score of 0.90, reduced false positives by 40%, and cut incident triage time by 78% compared with a rule-based SIEM. To support real-world adoption, we provide an open-source pipeline that integrates with SIEM platforms via Kafka, Elasticsearch, and a modular ML inference layer. This work bridges AI research and deployable cybersecurity practice, advancing adaptive, intelligent, and robust UEBA systems.
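The comparison the abstract reports (a behavioral detector against a rule-based SIEM, scored by F1 and false-positive reduction) can be reproduced at toy scale. The block below is an added illustration, not the paper's pipeline or model: it builds per-user baselines from constructed records in the shape of the CERT Insider Threat `logon.csv` file (id,date,user,pc,activity), scores new logons with a simple hour-of-day z-score plus host-novelty heuristic in place of the Transformer-GNN ensemble, and evaluates it beside a static off-hours rule. The sample records, the malicious labels, the 07:00 to 19:00 working-hours window, the threshold of 3.0 and all function names are assumptions made for the example.

```python
"""
Added illustration (not the paper's code): a minimal UEBA-style detector with
per-user behavioral baselines, compared against a static off-hours rule on
constructed CERT-style logon records. Scoring is a z-score plus host-novelty
heuristic, not the Transformer-GNN ensemble described in the abstract.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed training records in the CERT logon.csv shape: id,date,user,pc,activity.
# alice and carol work days on their own hosts; bob works a night shift.
BASELINE_LOG = """\
R001,01/04/2010 08:02:11,alice,PC-1,Logon
R002,01/05/2010 09:10:45,alice,PC-1,Logon
R003,01/06/2010 08:31:00,alice,PC-1,Logon
R004,01/07/2010 09:05:19,alice,PC-1,Logon
R005,01/08/2010 08:12:40,alice,PC-1,Logon
R006,01/08/2010 17:01:02,alice,PC-1,Logoff
R007,01/04/2010 22:03:33,bob,PC-2,Logon
R008,01/05/2010 23:14:09,bob,PC-2,Logon
R009,01/06/2010 22:41:50,bob,PC-2,Logon
R010,01/07/2010 23:02:17,bob,PC-2,Logon
R011,01/08/2010 22:20:08,bob,PC-2,Logon
R012,01/04/2010 09:00:00,carol,PC-3,Logon
R013,01/05/2010 10:15:30,carol,PC-3,Logon
R014,01/06/2010 09:45:12,carol,PC-3,Logon
R015,01/07/2010 10:02:55,carol,PC-3,Logon
R016,01/08/2010 09:30:41,carol,PC-3,Logon
"""

# Constructed evaluation records; the is_malicious labels are assumed for scoring
# and are not part of the log itself.
TEST_EVENTS = [
    ("T001,01/11/2010 08:05:00,alice,PC-1,Logon", False),
    ("T002,01/11/2010 03:12:00,alice,PC-7,Logon", True),   # off-hours, new host
    ("T003,01/12/2010 02:40:00,alice,PC-1,Logon", True),   # off-hours, own host
    ("T004,01/11/2010 22:10:00,bob,PC-2,Logon", False),    # normal night shift
    ("T005,01/12/2010 23:05:00,bob,PC-2,Logon", False),    # normal night shift
    ("T006,01/12/2010 11:30:00,bob,PC-9,Logon", True),     # daytime, new host
    ("T007,01/11/2010 10:01:00,carol,PC-3,Logon", False),
    ("T008,01/11/2010 09:20:00,carol,PC-2,Logon", True),   # bob's host, in hours
    ("T009,01/12/2010 09:15:00,carol,PC-3,Logon", False),
    ("T010,01/12/2010 14:00:00,carol,PC-3,Logon", False),  # late start, benign
]


def parse(line):
    """Split one CERT-style CSV record into a dict with a parsed timestamp."""
    rec_id, ts, user, pc, activity = line.strip().split(",")
    return {"id": rec_id, "ts": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"),
            "user": user, "pc": pc, "activity": activity}


def build_baselines(log_text):
    """Per-user profile: mean/std of logon hour and the set of hosts used."""
    hours, hosts = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["activity"] != "Logon":      # logoffs carry no behavioral signal here
            continue
        hours[ev["user"]].append(ev["ts"].hour)
        hosts[ev["user"]].add(ev["pc"])
    # std is floored at 1.0 hour so a very regular user does not make every
    # small deviation look extreme (assumption of this example)
    return {u: {"mean": mean(h), "std": max(pstdev(h), 1.0), "hosts": hosts[u]}
            for u, h in hours.items()}


def rule_offhours(ev, start=7, end=19):
    """Static SIEM-style rule: any logon outside working hours is an alert."""
    return not (start <= ev["ts"].hour < end)


def ueba_score(ev, baselines):
    """Anomaly score: hour-of-day z-score or a fixed novelty score for an unseen host."""
    b = baselines.get(ev["user"])
    if b is None:
        return 3.0                         # unknown user: treat as anomalous
    z = abs(ev["ts"].hour - b["mean"]) / b["std"]
    novelty = 3.0 if ev["pc"] not in b["hosts"] else 0.0
    return max(z, novelty)


def ueba_flag(ev, baselines, threshold=3.0):
    return ueba_score(ev, baselines) >= threshold


def evaluate(detector, events):
    """Confusion counts plus precision, recall and F1 for one detector."""
    tp = fp = fn = tn = 0
    for line, malicious in events:
        flagged = detector(parse(line))
        if flagged and malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": round(precision, 3), "recall": round(recall, 3),
            "f1": round(f1, 3)}


def compare():
    """Run both detectors over the test events and report FP reduction."""
    baselines = build_baselines(BASELINE_LOG)
    rule = evaluate(rule_offhours, TEST_EVENTS)
    ueba = evaluate(lambda ev: ueba_flag(ev, baselines), TEST_EVENTS)
    fp_reduction = (rule["fp"] - ueba["fp"]) / rule["fp"] if rule["fp"] else 0.0
    return {"rule": rule, "ueba": ueba, "fp_reduction": round(fp_reduction, 2)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

On this constructed data the off-hours rule fires on bob's legitimate night-shift logons and misses both in-hours lateral moves (bob on PC-9, carol on PC-2), while the per-user baseline catches all four malicious events but also flags carol's late start as a false positive; the point of the exercise is that the false-positive count and F1 of a behavioral detector are only meaningful relative to a rule-based baseline measured on the same labeled events, which is how the abstract's 40% reduction should be read.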
