A Comparative Study of Rule-Based and Machine Learning-Based Methods for Authentication Anomaly Detection
This research presents a comparative study of rule-based and machine learning-based approaches for detecting anomalous authentication activity. Rule-based detectors are evaluated against an unsupervised anomaly detector trained on normal user behaviour, using the LANL authentication dataset augmented with realistic synthetic attacks. The thresholds of all detectors are calibrated on a separate evaluation set so that each meets the same fixed false-positive budget, which keeps the comparison fair: a detector is not rewarded for alerting more often. Results are reported with both event-level metrics (each authentication event scored individually) and burst-level metrics (an attack counts as detected if any of its events is flagged). The results show that rule-based approaches perform strongly on high-rate attacks, where many events arrive in a short window, while machine learning approaches are more effective for low-rate, stealthy activity whose individual events look ordinary in isolation.
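The calibration-to-a-false-positive-budget procedure and the two metric levels above can be exercised end to end on constructed data. The block below is an added illustration, not code or data from the paper and not the LANL dataset: the rule (failed logins from one source host within a 60-second trailing window), the per-user novelty scorer standing in for the unsupervised model (unseen source host plus unseen hour of day), the 2% budget, the constructed authentication events and the definition of a burst as all events sharing one ground-truth attack id are all assumptions made for the example.

```python
"""Toy evaluation of a rule-based and a behavioural-novelty detector for
authentication events. Constructed data and scoring rules only; the detectors,
the budget and the burst definition are illustrative assumptions, not the
paper's detectors or the LANL data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

HOUR, DAY = 3600, 24 * 3600


@dataclass(frozen=True)
class AuthEvent:
    ts: int                      # seconds since an arbitrary epoch (constructed)
    user: str
    src: str                     # source host
    success: bool
    attack: Optional[str] = None  # ground-truth attack id; None means benign


def hour_of(ts: int) -> int:
    return (ts // HOUR) % 24


def benign_day(day: int) -> list:
    """One constructed working day: alice mistypes once at 08:00, then both
    users log in from their own workstations at their usual hours."""
    b = day * DAY
    return [AuthEvent(b + 8 * HOUR, "alice", "wks-alice", False),
            AuthEvent(b + 8 * HOUR + 10, "alice", "wks-alice", True),
            AuthEvent(b + 12 * HOUR, "alice", "wks-alice", True),
            AuthEvent(b + 17 * HOUR, "alice", "wks-alice", True),
            AuthEvent(b + 9 * HOUR, "bob", "wks-bob", True),
            AuthEvent(b + 13 * HOUR, "bob", "wks-bob", True),
            AuthEvent(b + 18 * HOUR, "bob", "wks-bob", True)]


def make_dataset():
    """Benign training set, benign evaluation set (used only to calibrate
    thresholds) and a test set with two constructed attacks."""
    train = [e for d in range(5) for e in benign_day(d)]
    evaluation = [e for d in range(5, 10) for e in benign_day(d)]
    # unusual but benign: bob starts early one day (novelty score 1, not 2)
    evaluation.append(AuthEvent(7 * DAY + 7 * HOUR, "bob", "wks-bob", True))
    test, b = benign_day(10), 10 * DAY
    # high-rate attack: 20 failed logins against alice within 20 s from one host
    test += [AuthEvent(b + 12 * HOUR + 600 + i, "alice", "10.0.0.99", False, "spray")
             for i in range(20)]
    # low-rate attack: one successful login at 03:00 from a never-seen host
    test.append(AuthEvent(b + 3 * HOUR, "alice", "10.0.0.7", True, "stealthy"))
    return train, evaluation, test


def rule_scores(events, window: int = 60) -> list:
    """Rule: failed logins from the same source host in the trailing window,
    counting this event itself if it failed. Order-independent."""
    return [float(sum(1 for f in events if f.src == e.src and not f.success
                      and 0 <= e.ts - f.ts <= window)) for e in events]


def fit_profiles(train):
    """Per-user baseline learned from benign history: hosts and hours seen."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for e in train:
        hosts[e.user].add(e.src)
        hours[e.user].add(hour_of(e.ts))
    return hosts, hours


def novelty_scores(events, profiles) -> list:
    """Stand-in for the unsupervised model: 0, 1 or 2 novel attributes."""
    hosts, hours = profiles
    return [float((e.src not in hosts[e.user]) + (hour_of(e.ts) not in hours[e.user]))
            for e in events]


def calibrate(benign_scores, fp_budget: float) -> float:
    """Smallest threshold (alert if score >= threshold) whose alert rate on the
    benign evaluation set stays within the false-positive budget."""
    n = len(benign_scores)
    for t in sorted(set(benign_scores)):
        if sum(s >= t for s in benign_scores) / n <= fp_budget:
            return t
    return max(benign_scores) + 1.0   # nothing in the evaluation set alerts


def event_metrics(events, flags) -> dict:
    tp = sum(1 for e, f in zip(events, flags) if f and e.attack)
    fp = sum(1 for e, f in zip(events, flags) if f and not e.attack)
    fn = sum(1 for e, f in zip(events, flags) if not f and e.attack)
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": tp / (tp + fp) if tp + fp else 0.0,
            "recall": tp / (tp + fn) if tp + fn else 0.0}


def burst_metrics(events, flags) -> dict:
    """A burst (all events sharing an attack id) is detected if any event in it
    is flagged, so a 20-event spray and a 1-event login weigh the same."""
    hit = defaultdict(bool)
    for e, f in zip(events, flags):
        if e.attack:
            hit[e.attack] |= f
    return {"bursts": len(hit), "detected": sum(hit.values()),
            "recall": sum(hit.values()) / len(hit) if hit else 0.0}


def run(fp_budget: float = 0.02) -> dict:
    train, evaluation, test = make_dataset()
    profiles = fit_profiles(train)
    scorers = {"rule": rule_scores, "novelty": lambda ev: novelty_scores(ev, profiles)}
    results, flags = {}, {}
    for name, score in scorers.items():
        t = calibrate(score(evaluation), fp_budget)      # same budget for both
        flags[name] = [s >= t for s in score(test)]
        results[name] = {"threshold": t, "event": event_metrics(test, flags[name]),
                         "burst": burst_metrics(test, flags[name])}
    either = [a or b for a, b in zip(flags["rule"], flags["novelty"])]
    results["either"] = {"event": event_metrics(test, either), "burst": burst_metrics(test, either)}
    return results


if __name__ == "__main__":
    for name, r in run().items():
        print(name, r)
```

On this constructed data both detectors calibrate to a threshold of 2 and neither produces a false positive on the test day, yet they are complementary: the rule flags 19 of the 20 spray events and none of the stealthy login, the novelty scorer flags the stealthy login and none of the spray. Event-level recall (19/21 versus 1/21) therefore favours the rule simply because the high-rate attack contributes most of the malicious events, while burst-level recall is 1/2 for each and 2/2 for their union, which is the kind of difference the two metric levels in the abstract are meant to expose.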