Time Is of the Essence: A Comparative Study of Continuous (NCDE) and Discrete (LSTM) Time Models for User Anomaly Detection
Marko Jurišić, Igor Tomičić, Andrija BernikUser Behaviour Analytics (UBA) relies heavily on sequential data to detect anomalies such as insider threats. Traditional approaches often model user behaviour as discrete sequences of events using Recurrent Neural Networks (RNNs) like Long Short-Term Memory (LSTM) networks. These methods implicitly treat time steps as uniform, ignoring the irregular time intervals inherent in user logs. In this paper, we present the first application of Neural Controlled Differential Equations (NCDEs) to user behaviour analytics, a class of continuous-time models that naturally handle irregularly-timed event data. We compare a simple LSTM predictor against an NCDE predictor on the CERT 4.2 and 6.2 insider threat dataset. We demonstrate that standard discrete-time models (LSTMs) produce noisy loss signals on sparse data, forcing downstream classifiers to rely on fragile error spikes. In contrast, Neural CDEs generate stable, continuous error signals. NCDE roughly tripled the F1 of the discrete baseline (0.364 vs. 0.133) on the challenging CERT 6.2 dataset.