Performance Evaluation and Comparison of Machine Learning Algorithms for Anomalous Login Behavior Detection in Enterprise Networks

Authors

  • Jin Zhang, Computer Science, Illinois Institute of Technology, IL, USA

DOI:

https://doi.org/10.69987/AIMLR.2024.50207

Keywords:

anomaly detection, enterprise security, machine learning, login behavior, performance evaluation

Abstract

Authentication systems in enterprise networks form security boundaries where credential-based access mechanisms intersect with adversarial intrusion vectors. This investigation characterizes machine learning architectures for detecting authentication anomalies through systematic empirical analysis of Support Vector Machines, Random Forest classifiers, and Neural Network architectures. We process 2,347,000 (≈2.35M) authentication events from operational enterprise deployments, capturing natural distributions of benign activities (78.7%) alongside brute force attempts (12.2%), credential stuffing (6.7%), and compromised account behaviors (2.4%). Random Forest classifiers achieve 94.7% detection accuracy with 3.2 millisecond inference latency, establishing Pareto-optimal performance for medium-scale deployments. Support Vector Machines minimize false positive rates to 2.1% through margin maximization in RBF kernel spaces, trading 6% detection coverage for precision. Neural Networks capture non-linear behavioral signatures in compromised account detection (93.7% accuracy) despite requiring 1156 seconds for model convergence. Temporal analysis reveals 23% false positive elevation during Monday mornings and 31% increase during holiday periods, informing adaptive threshold strategies. The empirical characterization provides quantitative bounds on the accuracy-latency-precision trade-off space, enabling algorithm selection aligned with specific operational constraints and risk tolerances.

Published

2024-04-22

How to Cite

Jin Zhang. (2024). Performance Evaluation and Comparison of Machine Learning Algorithms for Anomalous Login Behavior Detection in Enterprise Networks. Artificial Intelligence and Machine Learning Review, 5(2), 77-90. https://doi.org/10.69987/AIMLR.2024.50207
