کنفرانس بین المللی فناوری اطلاعات و دانش

صفحه اصلی / شانزدهمین کنفرانس بین المللی فناوری اطلاعات و دانش

Kalman Filter–Based Anomaly Detection for User Authentication Failures in Enterprise Logs

نویسندگان :

Somayeh Soltani¹ Hossein Nikdel²

1- دانشگاه تربت حیدریه 2- دانشگاه صنعتی شاهرود

کلمات کلیدی :

Anomaly detection،Brute-force attack،Time-series prediction،Kalman filter،Login failure

چکیده :

User authentication failures sometimes indicate malicious attempts such as brute-force or credential-stuffing. Unfortunately, simplistic threshold-based alarms yield high false-positive rates in dynamic enterprise environments. This paper presents a systematic study of Kalman filter–based anomaly detection applied to a 60-day real-world audit-log dataset. It compares four variants of the filter—simple Local Level (LL), Local Level with Trend (LLT), Local Level with Seasonal component (LLS), and Local Level with both Trend and Seasonal components (LLTS)—across multiple time-aggregation windows (1, 2, 8, and 24 hours). Each configuration is assessed using three complementary metrics: outlier count (detection sensitivity), coefficient of determination (R²), and root-mean-squared error (RMSE). Experimental results show that the LL variant with a 2-hour window achieves the best trade-off, yielding R² = 0.9894, RMSE = 5.97, and no detected outliers (i.e., zero false positives).