User and Entity Behaviour Analytics (UEBA) is a broad branch of data analytics that attempts to build a profile of normal behaviour in order to detect anomalous events. Among the techniques used to detect anomalies, Deep Autoencoders constitute one of the most promising deep learning models for UEBA tasks, allowing explainable detection of security incidents that could lead to the leak of personal data, the hijacking of systems, or access to sensitive business information. In this study, we introduce the first implementation of an explainable UEBA-based anomaly detection framework that leverages Deep Autoencoders in combination with Doc2Vec to process both numerical and textual features. Additionally, building on the theoretical foundations of neural networks, we offer a novel proof demonstrating the equivalence of two widely used definitions of fully-connected neural networks. The experimental results demonstrate the proposed framework's capability to effectively detect both real anomalies and synthetic anomalies generated from real attack data, showing that the models not only identify anomalies correctly but also provide explainable results that enable the reconstruction of the possible origin of each anomaly. Our findings suggest that the proposed UEBA framework can be seamlessly integrated into enterprise environments, complementing existing security systems with explainable threat detection.
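The detection-and-attribution mechanism the abstract describes (score an event by its reconstruction error, then trace the anomaly back to the features the model reconstructs worst) can be illustrated with a small added example; this is not the paper's code, it uses a linear (PCA-style) autoencoder in place of a deep one, omits the Doc2Vec text embeddings, and runs on constructed per-user activity features with a constructed exfiltration-like incident.

```python
import numpy as np

FEATURES = ["logins_per_day", "bytes_out_mb", "distinct_hosts", "off_hours_sessions"]

def make_normal_activity(n=600, seed=7):
    """Constructed baseline: two hidden 'habits' drive pairs of correlated features."""
    rng = np.random.default_rng(seed)
    z = rng.standard_normal((n, 2))
    latent = np.column_stack([z[:, 0], z[:, 0], z[:, 1], z[:, 1]])
    scale = np.array([3.0, 20.0, 2.0, 1.5])
    offset = np.array([10.0, 50.0, 4.0, 2.0])
    return offset + scale * (latent + 0.1 * rng.standard_normal((n, 4)))

class LinearAutoencoder:
    """PCA-style autoencoder: encode to k latents, decode, score by reconstruction error."""
    def __init__(self, n_latent=2, quantile=0.99):
        self.k, self.q = n_latent, quantile

    def fit(self, X):
        self.mu, self.sigma = X.mean(axis=0), X.std(axis=0)
        Z = (X - self.mu) / self.sigma
        _, _, vt = np.linalg.svd(Z, full_matrices=False)
        self.W = vt[: self.k].T            # d x k encoder; the decoder is W.T
        # Alert threshold: the 99th percentile of reconstruction error on normal data
        self.threshold = np.quantile((self.residuals(X) ** 2).sum(axis=1), self.q)
        return self

    def residuals(self, X):
        Z = (X - self.mu) / self.sigma
        return Z - Z @ self.W @ self.W.T   # signed per-feature reconstruction error

def explain(model, x, top=2):
    """Flag a single event and attribute its score to the worst-reconstructed features."""
    r = model.residuals(np.asarray(x, dtype=float)[None, :])[0]
    errs = r ** 2
    order = np.argsort(errs)[::-1][:top]
    return {
        "score": float(errs.sum()),
        "is_anomaly": bool(errs.sum() > model.threshold),
        "drivers": [(FEATURES[i], float(errs[i]), "above" if r[i] > 0 else "below") for i in order],
    }

X_TRAIN = make_normal_activity()
MODEL = LinearAutoencoder().fit(X_TRAIN)
# Constructed incident: bytes_out jumps 20 standard deviations while logins stay normal
EXFIL = X_TRAIN.mean(axis=0).copy()
EXFIL[1] += 20 * X_TRAIN.std(axis=0)[1]
if __name__ == "__main__":
    print(explain(MODEL, EXFIL))
```

The "drivers" list is the explainable part: it names the features whose reconstruction failed and whether each was above or below what the model expected given the other features, which here points at bytes_out being far higher than the user's login pattern would predict.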