

Enterprise systems generate large volumes of authentication and access-control data every day. Within Active Directory environments, these logs can contain early signals of cyber threats such as abnormal login patterns, brute-force attempts, and privilege escalation. However, traditional rule-based monitoring often struggles to detect subtle or previously unseen behavior.
At CMKL University, M.S. in AiCE student Ravisut Sirilertpanich developed Anomaly Detection for Active Directory Logs, a machine learning framework designed to improve how enterprise security teams identify abnormal authentication behavior.
The project combines rule-based filtering with machine learning. First, Active Directory logs are collected, cleaned, and transformed into structured behavioral features. The system then applies unsupervised anomaly detection models to identify outlier behavior and uses a second-stage classifier to reduce false positives and improve alert quality.
The framework explores the unsupervised Isolation Forest, Local Outlier Factor, and One-Class SVM for outlier scoring alongside a supervised Random Forest. By combining unsupervised anomaly detection with supervised filtering, the project aims to produce alerts that are more accurate, more explainable, and more practical for security monitoring teams.
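As an added illustration of the two-stage pipeline described above (this is not the CMKL project's code, and the event records, feature definitions, thresholds and labelled history are all constructed for the example), the following Python builds one behavioural vector per account from Windows-style logon events (event IDs 4624 for success and 4625 for failure), scores the accounts with a from-scratch Isolation Forest, and passes only the highest-ranked accounts through a small supervised filter trained on previously triaged alerts. A one-nearest-neighbour verdict stands in for the Random Forest second stage so the whole thing runs without any third-party library:

```python
import math
import random
from collections import defaultdict

EULER_GAMMA = 0.5772156649

def make_events(seed=1):
    """Constructed stand-in for Windows Security events 4624 (success) / 4625 (failure)."""
    rng = random.Random(seed)
    events = []
    for i in range(12):  # ordinary users: business hours, own workstation, rare typos
        user, host = f"user{i:02d}", f"WS{i:02d}"
        for _ in range(20):
            events.append({"EventID": 4625 if rng.random() < 0.05 else 4624,
                           "TargetUserName": user, "Computer": host,
                           "Hour": rng.randint(8, 18)})
    for _ in range(300):  # password guessing against jdoe, logged on the DC at 02:00
        events.append({"EventID": 4625, "TargetUserName": "jdoe",
                       "Computer": "DC01", "Hour": 2})
    for n in range(60):  # nightly vulnerability scanner failing on many servers
        events.append({"EventID": 4625, "TargetUserName": "scanner01",
                       "Computer": f"SRV{n % 9:02d}", "Hour": 1})
    return events

def user_features(events):
    """Per account: (failed logons, distinct computers touched, fraction of off-hours events)."""
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev["TargetUserName"]].append(ev)
    feats = {}
    for user, evs in per_user.items():
        failed = sum(1 for e in evs if e["EventID"] == 4625)
        hosts = len({e["Computer"] for e in evs})
        off = sum(1 for e in evs if e["Hour"] < 7 or e["Hour"] >= 20) / len(evs)
        feats[user] = (failed, hosts, off)
    return feats

def _c(n):
    """Expected path length of an unsuccessful BST search; normalises the scores."""
    return 0.0 if n <= 1 else 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n

def _grow(points, depth, max_depth, rng):
    """Random split on a random feature until a point is alone or depth runs out."""
    if depth >= max_depth or len(points) <= 1:
        return ("leaf", len(points))
    f = rng.randrange(len(points[0]))
    lo, hi = min(p[f] for p in points), max(p[f] for p in points)
    if lo == hi:
        return ("leaf", len(points))
    split = rng.uniform(lo, hi)
    return ("node", f, split,
            _grow([p for p in points if p[f] < split], depth + 1, max_depth, rng),
            _grow([p for p in points if p[f] >= split], depth + 1, max_depth, rng))

def _path_length(tree, p, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, f, split, left, right = tree
    return _path_length(left if p[f] < split else right, p, depth + 1)

def isolation_forest_scores(points, n_trees=200, sample_size=256, seed=0):
    """Isolation Forest score in (0, 1]: near 1 means isolated in very few splits."""
    rng = random.Random(seed)
    psi = min(sample_size, len(points))
    max_depth = math.ceil(math.log2(psi))
    trees = [_grow(rng.sample(points, psi), 0, max_depth, rng) for _ in range(n_trees)]
    return [2 ** (-(sum(_path_length(t, p) for t in trees) / n_trees) / _c(psi))
            for p in points]

# Stage 2: alerts an analyst already triaged (constructed). A real deployment would train
# a Random Forest on many such rows; 1-NN is the smallest supervised filter that shows the idea.
LABELED_HISTORY = [
    ((250, 1, 0.9), "malicious"),  # single-target guessing at night
    ((50, 12, 1.0), "benign"),     # scheduled scanner account touching many hosts
    ((2, 2, 0.0), "benign"),       # ordinary user with a couple of typos
]
SCALE = (100.0, 10.0, 1.0)  # crude per-feature scaling so failure counts do not dominate

def second_stage_verdict(vec, history=LABELED_HISTORY):
    def dist(a, b):
        return math.sqrt(sum(((x - y) / s) ** 2 for x, y, s in zip(a, b, SCALE)))
    return min(history, key=lambda h: dist(vec, h[0]))[1]

def detect(events, top_fraction=0.15):
    """Stage 1 ranks accounts by isolation score; stage 2 drops known-benign patterns."""
    feats = user_features(events)
    users = sorted(feats)
    scores = dict(zip(users, isolation_forest_scores([feats[u] for u in users])))
    k = max(1, math.ceil(top_fraction * len(users)))
    candidates = sorted(users, key=scores.get, reverse=True)[:k]
    alerts = [u for u in candidates if second_stage_verdict(feats[u]) == "malicious"]
    return scores, candidates, alerts

if __name__ == "__main__":
    scores, candidates, alerts = detect(make_events())
    for u in candidates:
        print(f"{u:10s} score={scores[u]:.2f}")
    print("alerts after second stage:", alerts)
```

Running the script shows the point of the second stage: the unsupervised ranking puts both the brute-forced account and the scanner account at the top, because both are statistically unusual, but only the brute-force pattern survives the supervised filter. The unsupervised stage has no notion of "benign but unusual"; the labelled history is what carries that knowledge, and in a real pipeline it would be the analyst-triaged alert queue feeding a proper classifier.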
For CMKL, the project reflects the university’s graduate-level focus on AI engineering for production-grade systems: building models that not only perform well in experiments, but can also fit into real operational workflows where reliability, low noise, and interpretability matter.


