ST-GCN-Based Framework for Anomalous User Behavior Detection at Enterprise Gateways: Theory, Algorithms, and Large-Scale Validation
DOI:
https://doi.org/10.64972/jiic.2026v4.188p14s:178-189
Keywords:
Network Security, Anomaly Detection, Enterprise Gateway, Deep Learning, Network Behavior Analysis
Abstract
With the rapid development of digital infrastructure in enterprises, network entry points face increasingly severe security risks, which calls for better anomaly detection methods. This paper introduces a new framework for detecting anomalous user behavior at the gateway level. It uses Spatio-Temporal Graph Convolutional Networks (ST-GCN) to model the interactions between users and devices in the enterprise environment together with their temporal changes. The goal is to address the shortcomings of traditional methods in handling complex relationships and recent changes in network activities. The framework has two parts: one-time manual feature extraction and data-driven spatiotemporal graph construction. A multi-stage aggregation method is developed to handle these anomalies. To cover all scenarios, public benchmarks and large-scale enterprise log datasets are used. ST-GCN performs well in practical applications, with an average F1-score exceeding 0.91 and an AUC of 0.976, and surpasses top baseline models based on GCN, LSTM, and Transformer in all categories of security events. The system has strong generalization capabilities and a low false positive rate (averaging less than 1.7%), and it accurately identifies hidden and rare threats under adversarial and highly variable conditions. The ST-GCN model provides a theoretical foundation that can be used for anomaly detection and real-time monitoring of operational environments in enterprise gateway security.
License
Copyright (c) 2026 Adam Hájek, Matěj Černý, Adéla Černá

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.