Wavelet-Aware Anomaly Detection in Multi-Channel User Logs via Deviation Modulation and Resolution-Adaptive Attention

TL;DR

This paper introduces a wavelet-aware anomaly detection framework for multi-channel user logs, combining deviation modulation, multi-resolution wavelet decomposition, and adaptive attention to improve detection accuracy in enterprise security.

Contribution

It presents a novel integration of wavelet techniques with adaptive attention mechanisms for more robust anomaly detection in complex, multi-channel logs.

Findings

Outperforms existing methods on CERT r4.2 benchmark

Achieves higher precision, recall, and F1 scores

Effective across various time granularities

Abstract

Insider threat detection is a key challenge in enterprise security, relying on user activity logs that capture rich and complex behavioral patterns. These logs are often multi-channel, non-stationary, and anomalies are rare, making anomaly detection challenging. To address these issues, we propose a novel framework that integrates wavelet-aware modulation, multi-resolution wavelet decomposition, and resolution-adaptive attention for robust anomaly detection. Our approach first applies a deviation-aware modulation scheme to suppress routine behaviors while amplifying anomalous deviations. Next, discrete wavelet transform (DWT) decomposes the log signals into multi-resolution representations, capturing both long-term trends and short-term anomalies. Finally, a learnable attention mechanism dynamically reweights the most discriminative frequency bands for detection. On the CERT r4.2 benchmark, our approach consistently outperforms existing baselines in precision, recall, and F1 score across various time granularities and scenarios.