Modern user authentication systems increasingly need user and device-behavior-aware adaptive mechanisms to detect evolving threats beyond the traditional authentication framework of static credential verification. This paper proposes a hybrid multi-model framework for personalized user-level anomaly detection using a data-driven Hybrid Anomaly Score (HAS). The primary contribution lies in deriving the HAS using the joint integration of three adaptive attributes: dynamically computed per-user deviation thresholds conditioned on individual behavioral history, profile-age-aware baseline weights reflecting user cohort maturity, and criticality-scaled aggregation with the security impact of each detection methodology. The framework is evaluated on a large-scale real-world dataset and demonstrates strong detection performance, while achieving low inference latency suitable for real-time enterprise deployment. The ablation analysis of the framework confirms that dynamic weighting and personalized threshold substantially improve detection stability and convergence with an effective and deployable solution for large-scale authentication environments.
Kumar et al. (Thu,) studied this question.