METHOD FOR DETECTING ANOMALIES IN WEBSITE USER BEHAVIOR

Abstract

The object of the study is an approach to detecting anomalous user behavior in a web environment based on the analysis of web activity logs. The subject of the study comprises methods for behavioral analysis of user web sessions and their integration with deep learning algorithms for building intelligent anomaly detection systems. The paper addresses the problem of forming and analyzing a dataset constructed from proxy logs that contain information on the temporal characteristics of web sessions, activity duration, and sequences of visited domain names. Particular attention is paid to data preprocessing, including web session construction, extraction of temporal and behavioral features, development of indicators for user-specific characteristic resources, and temporal splitting of the dataset into training and test subsets to prevent information leakage. To model the dynamic nature of user behavior, a sequential data representation is employed, enabling preservation of action order within a session. Given the limited number of anomalous behavior samples and the lack of complete information about possible violation types, the suitability of a one-class anomaly detection framework is justified, in which the model is trained exclusively on data representing the normal behavior of a specific user. To address the stated problem, an LSTM autoencoder is proposed, as it is capable of modeling temporal and behavioral dependencies in web sessions and detecting deviations from the normal behavior profile through reconstruction error analysis. An approach to determining the anomaly threshold based on statistical characteristics of the reconstruction error is also proposed. The effectiveness of the method is evaluated using standard classification performance metrics, including precision, recall, and F1-score. The obtained results confirm the ability of the proposed approach to effectively distinguish the target user’s behavior from external activity without relying on prior knowledge of anomaly types. The practical significance of the study lies in the possibility of applying the proposed method to tasks of user behavioral identification, detection of unauthorized access, and enhancement of the security level of web-based information systems.