Abstract

This article examines an approach to behavioral authentication with real-time anomaly detection during corporate system logins. The objective is to design and evaluate an architecture for continuous biometric user verification based on interaction dynamics, including cursor speed and trajectory curvature, inter-keystroke time intervals, and device micro-movements, with processing latency below 100 ms under loads of up to tens of thousands of logins per second. The work is motivated by the high share of incidents that originate in credential compromise and by the low coverage of MFA, which together call for continuous verification that removes friction for legitimate users rather than adding it. The novelty lies in a streaming architecture built on Kafka and Flink applications, telemetry normalization using z-scores and robust scaling, and a hybrid ensemble consisting of a one-class autoencoder with relative attention, an Isolation Forest, and the semi-supervised SSDLog scheme. Further value comes from a dynamic threshold calibration mechanism that accounts for daily and weekly seasonality, and from federated learning with differential-privacy noise to meet privacy requirements. The findings show that the proposed system achieves a median analysis latency of 26 ms with a 99th percentile below 51 ms, an equal-error rate of about 1% at a verification interval of 0.7 s, and an almost threefold reduction in interactive MFA challenges for non-critical accounts, while adapting to user behavior drift through continuous self-learning and feedback from SOC analysts. The article will be useful to information security specialists, authentication system developers, and IT architects of large corporate infrastructures.
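The normalization, threshold calibration and evaluation steps named in the abstract, as an added example in Python (this is not the paper's code). It assumes three session-level features (mean inter-keystroke interval, cursor speed, trajectory curvature), uses a mean absolute robust-scaled deviation as a stand-in for the autoencoder/Isolation Forest/SSDLog ensemble, and generates every telemetry sample from seeded random draws; the acceptance, rejection and equal-error rates it reports describe that constructed data, not the paper's measurements. The helper names (`robust_params`, `seasonal_thresholds`, `equal_error_rate`, `verify`) and the weekday/6-hour bucketing are choices made for this illustration.

```python
"""Scoring pipeline for behavioral authentication: robust scaling of interaction
telemetry, an anomaly score, seasonal (daily/weekly) threshold calibration and
equal-error-rate (EER) evaluation. Added example, not the paper's code: the
scorer is a mean absolute robust deviation standing in for the paper's ensemble,
and all telemetry below is constructed from seeded random draws."""
import random
import statistics
from typing import Dict, List, Sequence, Tuple

FEATURES = ("ik_interval_ms", "cursor_speed_px_s", "curvature")
Sample = Dict[str, float]  # feature values plus "weekday" (0 = Monday) and "hour"


def percentile(values: Sequence[float], q: float) -> float:
    """Linearly interpolated q-quantile (0 <= q <= 1) of a non-empty sequence."""
    s = sorted(values)
    pos = q * (len(s) - 1)
    lo = int(pos)
    hi = min(lo + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def robust_params(baseline: Sequence[Sample]) -> Dict[str, Tuple[float, float]]:
    """Per-feature (median, IQR) from enrollment sessions. Median/IQR rather than
    mean/std so a few extreme sessions cannot stretch the scale; IQR is floored."""
    params = {}
    for f in FEATURES:
        vals = [s[f] for s in baseline]
        q1, _, q3 = statistics.quantiles(vals, n=4)
        params[f] = (statistics.median(vals), max(q3 - q1, 1e-6))
    return params


def anomaly_score(sample: Sample, params: Dict[str, Tuple[float, float]]) -> float:
    """Mean absolute robust-scaled deviation across features (higher = stranger)."""
    return sum(abs((sample[f] - med) / iqr) for f, (med, iqr) in params.items()) / len(params)


def bucket_key(weekday: int, hour: int) -> Tuple[str, int]:
    """Seasonal bucket: weekday vs weekend, and one of four 6-hour bands."""
    return ("weekend" if weekday >= 5 else "weekday", hour // 6)


def seasonal_thresholds(baseline: Sequence[Sample], params, q: float = 0.95, min_n: int = 20):
    """Threshold per bucket = q-quantile of baseline scores in that bucket; sparse
    buckets fall back to the global quantile. Returns (per_bucket, global)."""
    buckets: Dict[Tuple[str, int], List[float]] = {}
    for s in baseline:
        key = bucket_key(int(s["weekday"]), int(s["hour"]))
        buckets.setdefault(key, []).append(anomaly_score(s, params))
    glob = percentile([sc for b in buckets.values() for sc in b], q)
    return {k: percentile(v, q) if len(v) >= min_n else glob for k, v in buckets.items()}, glob


def verify(sample: Sample, params, thresholds, glob: float) -> Tuple[bool, float, float]:
    """Accept when the score is at or below the threshold of the sample's bucket."""
    score = anomaly_score(sample, params)
    thr = thresholds.get(bucket_key(int(sample["weekday"]), int(sample["hour"])), glob)
    return score <= thr, score, thr


def equal_error_rate(genuine: Sequence[float], impostor: Sequence[float]) -> Tuple[float, float]:
    """Sweep 'accept if score <= t' over all observed scores and return (EER, t)
    at the point where false-reject rate (FRR) and false-accept rate (FAR) are closest."""
    best_gap, best = 2.0, (1.0, 0.0)
    for t in sorted(set(genuine) | set(impostor)):
        frr = sum(g > t for g in genuine) / len(genuine)   # genuine sessions rejected
        far = sum(i <= t for i in impostor) / len(impostor)  # impostor sessions accepted
        if abs(frr - far) < best_gap:
            best_gap, best = abs(frr - far), ((frr + far) / 2, t)
    return best


def make_session(rng: random.Random, ik: float, speed: float, curv: float, weekday: int, hour: int) -> Sample:
    # Constructed telemetry. Night sessions are typed 15 ms slower, the kind of
    # daily seasonality the per-bucket thresholds are meant to absorb.
    night = 15.0 if hour < 6 else 0.0
    return {"ik_interval_ms": rng.gauss(ik + night, ik * 0.11),
            "cursor_speed_px_s": rng.gauss(speed, speed * 0.13),
            "curvature": rng.gauss(curv, curv * 0.14), "weekday": weekday, "hour": hour}


def run_demo() -> Dict[str, float]:
    """Enroll a genuine user on constructed sessions, then score fresh genuine and
    impostor sessions. Rates describe this synthetic data only."""
    rng = random.Random(42)
    genuine, impostor = (110.0, 900.0, 0.35), (170.0, 600.0, 0.55)  # (ik ms, px/s, curvature)

    def sessions(profile, n):
        return [make_session(rng, *profile, rng.randrange(7), rng.randrange(24)) for _ in range(n)]

    baseline = sessions(genuine, 600)  # enrollment sessions spread over the week
    params = robust_params(baseline)
    thresholds, glob = seasonal_thresholds(baseline, params)
    gen_test, imp_test = sessions(genuine, 200), sessions(impostor, 200)
    gen_acc = sum(verify(s, params, thresholds, glob)[0] for s in gen_test) / len(gen_test)
    imp_rej = sum(not verify(s, params, thresholds, glob)[0] for s in imp_test) / len(imp_test)
    eer, t = equal_error_rate([anomaly_score(s, params) for s in gen_test],
                              [anomaly_score(s, params) for s in imp_test])
    return {"genuine_accept_rate": gen_acc, "impostor_reject_rate": imp_rej, "eer": eer, "eer_threshold": t}


if __name__ == "__main__":
    print(run_demo())
```

The EER sweep uses the raw scores, so it measures the separability of the scorer alone; the per-bucket thresholds are what the online `verify` step uses, which is why a night session that would be rejected against a single global threshold can still pass against the night bucket's own quantile. In a deployment the quantile (`q`) and the bucket granularity are the knobs that trade MFA friction against false accepts for each account tier.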

Keywords

  • behavioral authentication
  • stream processing
  • Kafka
  • Flink
  • autoencoder
  • anomaly
  • MFA

References

  1. Confluent. (2025). Delivery Guarantees and Latency in Confluent Cloud for Apache Flink. Confluent. https://docs.confluent.io/cloud/current/flink/concepts/delivery-guarantees.html
  2. Cumbane, S. P., & Gidófalvi, G. (2019). Review of Big Data and Processing Frameworks for Disaster Response Applications. ISPRS International Journal of Geo-Information, 8(9), 387. https://doi.org/10.3390/ijgi8090387
  3. Finnegan, O. L., White, J. W., Armstrong, B., Adams, E. L., Burkart, S., Beets, M. W., Willis, E. A., Parker, H., Bastyr, M., Zhu, X., Zhong, Z., & Weaver, R. G. (2024). The utility of behavioral biometrics in user authentication and demographic characteristic detection: a scoping review. Systematic Reviews, 13(1). https://doi.org/10.1186/s13643-024-02451-1
  4. Grassi, P. A., Fenton, J. L., Newton, E. M., Perlner, R. A., Regenscheid, A. R., Burr, W. E., Richer, J. P., Lefkovitz, N. B., Danker, J. M., Choong, Y.-Y., Greene, K. K., & Theofanos, M. F. (2017). Digital Identity Guidelines: Authentication and Lifecycle Management. NIST Special Publication 800-63B. https://doi.org/10.6028/nist.sp.800-63b
  5. Hu, M., Zhang, K., You, R., & Tu, B. (2022). Relative Attention-based One-Class Adversarial Autoencoder for Continuous Authentication of Smartphone Users. arXiv. https://doi.org/10.48550/arxiv.2210.16819
  6. Ismail, M. G., Salem, M. A.-M., Abd, M. A., & Abbas, S. (2024). Outlier detection for keystroke biometric user authentication. PeerJ Computer Science, 10, e2086. https://doi.org/10.7717/peerj-cs.2086
  7. Landauer, M., Skopik, F., Höld, G., & Wurzenberger, M. (2022, December 1). A User and Entity Behavior Analytics Log Data Set for Anomaly Detection in Cloud Computing. IEEE Xplore. https://doi.org/10.1109/BigData55660.2022.10020672
  8. Liu, S., & Zhao, Z. (2023). Privacy-Preserving Hybrid Ensemble Model for Network Anomaly Detection: Balancing Security and Data Protection. arXiv. https://ar5iv.labs.arxiv.org/html/2502.09001
  9. Lu, S., Han, N., Wang, M., Wei, X., Lin, Z., & Wang, D. (2023). SSDLog: a semi-supervised dual branch model for log anomaly detection. World Wide Web, 26(5), 3137–3153. https://doi.org/10.1007/s11280-023-01174-y
  10. Microsoft. (2024a, May 13). Security at your organization - Multifactor authentication (MFA) statistics. Microsoft. https://learn.microsoft.com/en-us/partner-center/security/security-at-your-organization
  11. Microsoft. (2024b, June 17). Risk policies - Microsoft Entra ID Protection. Microsoft. https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies
  12. Microsoft. (2025, February 28). Plan for mandatory Microsoft Entra multifactor authentication (MFA) - Microsoft Entra ID. Microsoft. https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication?tabs=dotnet
  13. Monaco, J. V. (2016). Robust Keystroke Biometric Anomaly Detection. arXiv. https://doi.org/10.48550/arxiv.1606.09075
  14. Palino, T. (2015). Running Kafka At Scale. LinkedIn. https://engineering.linkedin.com/kafka/running-kafka-scale
  15. Shadman, R. (2025). Keystroke Dynamics: Concepts, Techniques, and Applications. arXiv. https://arxiv.org/html/2303.04605v3
  16. Verizon. (2024). 2024 Data Breach Investigations Report. Verizon. https://www.verizon.com/business/resources/reports/2024-dbir-data-breach-investigations-report.pdf
  17. Zaky, K. (2024, August 29). White Paper: Replacing Password-Only Authentication with Passkeys in the Enterprise. FIDO Alliance. https://fidoalliance.org/white-paper-replacing-password-only-authentication-with-passkeys-in-the-enterprise/