
Research Article
Anomaly Detection through Behavior Analysis: A Deep Learning Approach for Identifying Unusual User Activities
@INPROCEEDINGS{10.4108/eai.28-4-2025.2357761,
  author={Deepthi Bolukonda and Rupesh Kumar Mishra and Indrajeet Gupta},
  title={Anomaly Detection through Behavior Analysis: A Deep Learning Approach for Identifying Unusual User Activities},
  proceedings={Proceedings of the 4th International Conference on Information Technology, Civil Innovation, Science, and Management, ICITSM 2025, 28-29 April 2025, Tiruchengode, Tamil Nadu, India, Part I},
  publisher={EAI},
  proceedings_a={ICITSM PART I},
  year={2025},
  month={10},
  keywords={anomaly detection residual network efficient channel attention test time training local outlier factor behavior analysis deep learning potential threats},
  doi={10.4108/eai.28-4-2025.2357761}
}
Authors: Deepthi Bolukonda, Rupesh Kumar Mishra, Indrajeet Gupta
Year: 2025
ICITSM PART I
EAI
DOI: 10.4108/eai.28-4-2025.2357761
Abstract
In a high-risk world of increasingly sophisticated cyber threats and behaviour, user activity anomaly detection is one tool in the protection arsenal to call upon. In this paper, we propose a multi-stage anomaly detection pipeline that integrates unsupervised learning techniques, deep features and adaptive inference to reveal abnormal behaviour in a network environment without relying on raw attack labels. The method starts by pre-processing the data and clustering it with K-means to group similar behaviour profiles. Local Outlier Factor (LOF) is then used to separate anomalies by local density differences. A ResNet-like deep learning model, enriched with Efficient Channel Attention (ECA), leverages hierarchical behavioural features, while Test-Time Training (TTT) supports instant model adaptation to evolving patterns at inference time. The presented method was tested under different contamination levels, with best performance in the 20%-25% anomaly range, yielding up to 96.8% accuracy, 97% precision, 97% recall, and an F1-score slightly over 95%, all with zero second detection delay. These findings demonstrate the capability of the system to detect insider threats and other behaviour-based anomalies in real time. The modular and transparent design of the framework enables it to be easily applied to various cybersecurity tasks.