{"id":"https://openalex.org/W7128929876","doi":"https://doi.org/10.1145/3788731.3788735","title":"A-UEBA: An Anomaly Heterogeneity Learning Framework Based on Multi-Endpoint User and Entity Behavior Analysis","display_name":"A-UEBA: An Anomaly Heterogeneity Learning Framework Based on Multi-Endpoint User and Entity Behavior Analysis","publication_year":2025,"publication_date":"2025-12-19","ids":{"openalex":"https://openalex.org/W7128929876","doi":"https://doi.org/10.1145/3788731.3788735"},"language":null,"primary_location":{"id":"doi:10.1145/3788731.3788735","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3788731.3788735","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 International Conference on Embodied Intelligence and Large Models","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3788731.3788735","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5082419637","display_name":"Xing Chen","orcid":"https://orcid.org/0000-0003-4593-1223"},"institutions":[{"id":"https://openalex.org/I4800084","display_name":"Southwest Jiaotong University","ror":"https://ror.org/00hn7w693","country_code":"CN","type":"education","lineage":["https://openalex.org/I4800084"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Xiaotong Chen","raw_affiliation_strings":["Southwest Jiaotong University, Chengdu, Sichuan, China"],"affiliations":[{"raw_affiliation_string":"Southwest Jiaotong University, Chengdu, Sichuan, China","institution_ids":["https://openalex.org/I4800084"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048413765","display_name":"Linfu Sun","orcid":"https://orcid.org/0009-0008-3448-6471"},"institutions":[{"id":"https://openalex.org/I4800084","display_name":"Southwest Jiaotong University","ror":"https://ror.org/00hn7w693","country_code":"CN","type":"education","lineage":["https://openalex.org/I4800084"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Linfu Sun","raw_affiliation_strings":["Southwest Jiaotong University, Chengdu, Sichuan, China"],"affiliations":[{"raw_affiliation_string":"Southwest Jiaotong University, Chengdu, Sichuan, China","institution_ids":["https://openalex.org/I4800084"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100351698","display_name":"He Wang","orcid":"https://orcid.org/0000-0003-1365-0304"},"institutions":[{"id":"https://openalex.org/I198091727","display_name":"Tiangong University","ror":"https://ror.org/00xsr9m91","country_code":"CN","type":"education","lineage":["https://openalex.org/I198091727"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"He Wang","raw_affiliation_strings":["Tiangong University, Tianjin, China"],"affiliations":[{"raw_affiliation_string":"Tiangong University, Tianjin, China","institution_ids":["https://openalex.org/I198091727"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5094002768","display_name":"Tong Gu","orcid":null},"institutions":[{"id":"https://openalex.org/I4800084","display_name":"Southwest Jiaotong University","ror":"https://ror.org/00hn7w693","country_code":"CN","type":"education","lineage":["https://openalex.org/I4800084"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Tong Gu","raw_affiliation_strings":["Southwest Jiaotong University, Chengdu, Sichuan, China"],"affiliations":[{"raw_affiliation_string":"Southwest Jiaotong University, Chengdu, Sichuan, China","institution_ids":["https://openalex.org/I4800084"]}]},{"author_position":"last","author":{"id":null,"display_name":"Zhiqiang Jiang","orcid":"https://orcid.org/0000-0002-0360-4825"},"institutions":[{"id":"https://openalex.org/I4800084","display_name":"Southwest Jiaotong University","ror":"https://ror.org/00hn7w693","country_code":"CN","type":"education","lineage":["https://openalex.org/I4800084"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Zhiqiang Jiang","raw_affiliation_strings":["Southwest Jiaotong University, Chengdu, Sichuan, China"],"affiliations":[{"raw_affiliation_string":"Southwest Jiaotong University, Chengdu, Sichuan, China","institution_ids":["https://openalex.org/I4800084"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5082419637"],"corresponding_institution_ids":["https://openalex.org/I4800084"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.7545158,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"22","last_page":"29"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.22120000422000885,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.22120000422000885,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.1670999974012375,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.10260000079870224,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/anomaly-detection","display_name":"Anomaly detection","score":0.718999981880188},{"id":"https://openalex.org/keywords/baseline","display_name":"Baseline (sea)","score":0.6736000180244446},{"id":"https://openalex.org/keywords/cluster-analysis","display_name":"Cluster analysis","score":0.5681999921798706},{"id":"https://openalex.org/keywords/metric","display_name":"Metric (unit)","score":0.5541999936103821},{"id":"https://openalex.org/keywords/precision-and-recall","display_name":"Precision and recall","score":0.5218999981880188},{"id":"https://openalex.org/keywords/adaptability","display_name":"Adaptability","score":0.47699999809265137},{"id":"https://openalex.org/keywords/analytics","display_name":"Analytics","score":0.45719999074935913},{"id":"https://openalex.org/keywords/feature","display_name":"Feature (linguistics)","score":0.45249998569488525},{"id":"https://openalex.org/keywords/anomaly","display_name":"Anomaly (physics)","score":0.4097000062465668}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7458000183105469},{"id":"https://openalex.org/C739882","wikidata":"https://www.wikidata.org/wiki/Q3560506","display_name":"Anomaly detection","level":2,"score":0.718999981880188},{"id":"https://openalex.org/C12725497","wikidata":"https://www.wikidata.org/wiki/Q810247","display_name":"Baseline (sea)","level":2,"score":0.6736000180244446},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5870000123977661},{"id":"https://openalex.org/C73555534","wikidata":"https://www.wikidata.org/wiki/Q622825","display_name":"Cluster analysis","level":2,"score":0.5681999921798706},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.5591999888420105},{"id":"https://openalex.org/C176217482","wikidata":"https://www.wikidata.org/wiki/Q860554","display_name":"Metric (unit)","level":2,"score":0.5541999936103821},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.5338000059127808},{"id":"https://openalex.org/C81669768","wikidata":"https://www.wikidata.org/wiki/Q2359161","display_name":"Precision and recall","level":2,"score":0.5218999981880188},{"id":"https://openalex.org/C177606310","wikidata":"https://www.wikidata.org/wiki/Q5674297","display_name":"Adaptability","level":2,"score":0.47699999809265137},{"id":"https://openalex.org/C79158427","wikidata":"https://www.wikidata.org/wiki/Q485396","display_name":"Analytics","level":2,"score":0.45719999074935913},{"id":"https://openalex.org/C2776401178","wikidata":"https://www.wikidata.org/wiki/Q12050496","display_name":"Feature (linguistics)","level":2,"score":0.45249998569488525},{"id":"https://openalex.org/C12997251","wikidata":"https://www.wikidata.org/wiki/Q567560","display_name":"Anomaly (physics)","level":2,"score":0.4097000062465668},{"id":"https://openalex.org/C136389625","wikidata":"https://www.wikidata.org/wiki/Q334384","display_name":"Supervised learning","level":3,"score":0.3878999948501587},{"id":"https://openalex.org/C52622490","wikidata":"https://www.wikidata.org/wiki/Q1026626","display_name":"Feature extraction","level":2,"score":0.36890000104904175},{"id":"https://openalex.org/C148524875","wikidata":"https://www.wikidata.org/wiki/Q6975395","display_name":"F1 score","level":2,"score":0.33899998664855957},{"id":"https://openalex.org/C2780898871","wikidata":"https://www.wikidata.org/wiki/Q860554","display_name":"Performance metric","level":2,"score":0.32190001010894775},{"id":"https://openalex.org/C59404180","wikidata":"https://www.wikidata.org/wiki/Q17013334","display_name":"Feature learning","level":2,"score":0.321399986743927},{"id":"https://openalex.org/C153180895","wikidata":"https://www.wikidata.org/wiki/Q7148389","display_name":"Pattern recognition (psychology)","level":2,"score":0.3206000030040741},{"id":"https://openalex.org/C204241405","wikidata":"https://www.wikidata.org/wiki/Q461499","display_name":"Transformation (genetics)","level":3,"score":0.3163999915122986},{"id":"https://openalex.org/C108583219","wikidata":"https://www.wikidata.org/wiki/Q197536","display_name":"Deep learning","level":2,"score":0.30070000886917114},{"id":"https://openalex.org/C67186912","wikidata":"https://www.wikidata.org/wiki/Q367664","display_name":"Data modeling","level":2,"score":0.2978000044822693},{"id":"https://openalex.org/C60777511","wikidata":"https://www.wikidata.org/wiki/Q3045002","display_name":"Concept drift","level":3,"score":0.2955000102519989},{"id":"https://openalex.org/C8038995","wikidata":"https://www.wikidata.org/wiki/Q1152135","display_name":"Unsupervised learning","level":2,"score":0.2939000129699707},{"id":"https://openalex.org/C118505674","wikidata":"https://www.wikidata.org/wiki/Q42586063","display_name":"Encoder","level":2,"score":0.28870001435279846},{"id":"https://openalex.org/C2779585090","wikidata":"https://www.wikidata.org/wiki/Q3457762","display_name":"Resilience (materials science)","level":2,"score":0.2667999863624573},{"id":"https://openalex.org/C58973888","wikidata":"https://www.wikidata.org/wiki/Q1041418","display_name":"Semi-supervised learning","level":2,"score":0.26010000705718994}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3788731.3788735","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3788731.3788735","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 International Conference on Embodied Intelligence and Large Models","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3788731.3788735","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3788731.3788735","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2025 International Conference on Embodied Intelligence and Large Models","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":26,"referenced_works":["https://openalex.org/W2091067302","https://openalex.org/W2122646361","https://openalex.org/W2150847526","https://openalex.org/W2166602595","https://openalex.org/W2583862887","https://openalex.org/W3027374119","https://openalex.org/W3035252885","https://openalex.org/W3039513780","https://openalex.org/W3040266635","https://openalex.org/W3128515475","https://openalex.org/W3156436407","https://openalex.org/W3169815615","https://openalex.org/W3177379628","https://openalex.org/W3199704919","https://openalex.org/W3208881055","https://openalex.org/W4206503836","https://openalex.org/W4224433883","https://openalex.org/W4283457826","https://openalex.org/W4312220220","https://openalex.org/W4366147731","https://openalex.org/W4386066487","https://openalex.org/W4389331178","https://openalex.org/W4391934197","https://openalex.org/W4393186176","https://openalex.org/W4396763107","https://openalex.org/W4402773128"],"related_works":[],"abstract_inverted_index":{"User":[0],"and":[1,17,27,61,92,119],"entity":[2,28,62],"behavior":[3,29,63,73],"analytics":[4],"(UEBA)":[5],"serves":[6],"as":[7],"a":[8,22,76],"critical":[9,67],"tool":[10],"in":[11,38],"cybersecurity,":[12],"focusing":[13],"on":[14],"anomaly":[15,55,93,106],"detection":[16,19],"threat":[18],"by":[20,97,121,142,164],"conducting":[21],"thorough":[23],"analysis":[24,64],"of":[25,151],"user":[26,60,72],"patterns.":[30],"However,":[31],"UEBA":[32],"suffers":[33],"from":[34,71],"two":[35],"significant":[36],"challenges":[37],"its":[39],"implementation:":[40],"(i)":[41],"heterogeneous":[42],"data":[43],"sources,":[44],"(ii)":[45],"general":[46],"applicability.":[47],"To":[48],"address":[49],"these":[50],"challenges,":[51],"we":[52],"propose":[53],"the":[54,105,124,139,145,155,160],"heterogeneity":[56,107],"learning":[57,100,108,113],"framework":[58,109],"for":[59],"(A-UEBA).":[65],"Initially,":[66],"features":[68,81],"are":[69,82,95],"extracted":[70],"sequences":[74],"using":[75],"feature":[77],"extraction":[78],"function.":[79],"These":[80],"then":[83],"subjected":[84],"to":[85,127,154],"nonlinear":[86],"transformation":[87],"via":[88],"an":[89,111,149],"encoder":[90],"network,":[91],"scores":[94],"generated":[96],"integrating":[98],"supervised":[99],"with":[101],"clustering":[102],"techniques.":[103],"Furthermore,":[104],"incorporates":[110],"online":[112],"paradigm":[114],"that":[115,135],"enhances":[116],"model":[117,125],"adaptability":[118],"resilience":[120],"continuously":[122],"updating":[123],"parameters":[126],"reflect":[128],"incoming":[129],"data.":[130],"The":[131],"experimental":[132],"results":[133],"show":[134],"our":[136],"method":[137],"outperforms":[138],"optimal":[140],"baseline":[141,157],"22.5%.":[143],"Additionally,":[144],"recall":[146],"metric":[147],"shows":[148],"increase":[150],"39.8%":[152],"relative":[153],"best":[156],"approach,":[158],"while":[159],"F1":[161],"score":[162],"improves":[163],"38.8%.":[165]},"counts_by_year":[],"updated_date":"2026-03-25T23:56:10.502304","created_date":"2026-02-15T00:00:00"}