# Anomaly detection of cybersecurity behavior using cross-sequence aligned transformer—A dynamic recognition approach for high-frequency interaction patterns

**Authors:** Songming Han, Dongmei Bin, Ying Ling, Cong Lin

PMC · DOI: 10.1371/journal.pone.0340801 · PLOS One · 2026-02-18

## TL;DR

This paper introduces a new deep learning model for detecting cybersecurity anomalies in high-frequency network interactions by aligning and analyzing multiple data streams.

## Contribution

The novel CSAT-DRM model uses cross-sequence alignment and adaptive discrimination to improve anomaly detection accuracy in dynamic network environments.

## Key findings

- CSAT-DRM achieved 0.968 accuracy and 0.955 F1-score, outperforming LSTM, CNNs, and other models.
- The model effectively detects both burst and persistent anomalies with high stability.
- Cross-sequence alignment and dynamic threshold strategies significantly enhance detection performance.

## Abstract

In high-frequency interaction network environments, network traffic features and user behavior sequences often exhibit pronounced temporal asynchrony and information redundancy, which can substantially weaken the capability of anomaly detection models to identify dynamic attack patterns. Based on this observation, this study proposes and empirically validates a core hypothesis: explicitly modeling the temporal asynchrony among multi-source sequences and performing collaborative modeling on a unified temporal scale can effectively enhance the accuracy and stability of cybersecurity anomaly detection under high-frequency interaction scenarios. To verify this hypothesis, a Cross-Sequence Aligned Transformer-driven Dynamic Recognition Model (CSAT-DRM) is developed, which falls within the category of deep learning–based multimodal time-series anomaly detection frameworks. The proposed model employs a cross-sequence alignment mechanism to softly align network traffic sequences and user behavior sequences, capturing their latent correlations without compressing inherent temporal discrepancies. Meanwhile, an interaction-sensitive residual structure is introduced into the Transformer encoding process to enhance the discriminability of anomalous features under high-frequency interactions, and a dynamic threshold generation strategy is integrated to enable adaptive anomaly discrimination. Experiments are conducted on real-world network interaction log data and evaluated through multiple baseline models and five independent repeated runs. The results show that CSAT-DRM achieves an accuracy of 0.968 ± 0.004, a precision of 0.957 ± 0.005, a recall of 0.953 ± 0.006, and an F1-score of 0.955 ± 0.005 on the test set, significantly outperforming baseline approaches including Long Short-Term Memory (LSTM), Convolutional Neural Networks (CNNs), the standard Transformer, and the hybrid Convolutional Neural Network–Bidirectional Long Short-Term Memory (CNN-BiLSTM) model. Further analysis demonstrates that the proposed model can effectively detect both burst anomalies and persistent anomalies, while maintaining high stability across different anomaly types. These findings validate the effectiveness of cross-sequence alignment and adaptive discrimination mechanisms in high-frequency interaction network anomaly detection, providing a feasible and generalizable technical pathway for real-time threat identification in complex network environments.

## Full-text entities

- **Genes:** CIC (capicua transcriptional repressor) [NCBI Gene 23152] {aka MRD45}
- **Diseases:** anomalies (MESH:D000013)
- **Chemicals:** CSAT (-)
- **Species:** Homo sapiens (human, species) [taxon 9606]

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC12915943/full.md

## Figures

5 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12915943/full.md

## References

33 references — full list in the complete paper: https://tomesphere.com/paper/PMC12915943/full.md

---
Source: https://tomesphere.com/paper/PMC12915943