Abstract
Authentication mechanisms are still the standard way to allow
access to systems and devices within an organization. Through
credentials (login and password) and other associated methods
(multi-factor authentication, such as tokens, biometrics, or one-time
passwords sent to additional devices), access control is implemented,
and user activity across different necessary systems is
recorded. However, organizations are concerned that access control
may be bypassed due to the loss or theft of authentication information/devices,
potentially leading to intellectual property breaches
through industrial espionage. In this context, User and Entity Behavior
Analytics (UEBA) has been studied and applied to profile users
and identify anomalous patterns that could, for example, block a
user from accessing another account. However, achieving this level
of protection in real-world systems may be unfeasible. This article
examines the feasibility of distinguishing user behavior in organizations
based on the most frequently used applications and their
usage time. To this end, a real dataset was collected, consisting of
data from over 700 organizations and nearly 60,000 users between
March and September 2024. The results discuss the techniques used,
the possibility of detecting real intruder users, and the false alarm
rates observed in the dataset, paving the way for future research in
the field.
Computer on the Beach is a technical-scientific event that aims to bring together professionals, researchers, and academics in the field of Computing to discuss research and market trends in computing across its many areas.