Enhancing the Adoption of Zero Trust in Organizations Using Machine Learning

Abstract

Cybersecurity has become a critical concern for individuals, organizations, and governments, especially with the rise of sophisticated cyberattacks and remote work environments. Traditional security approaches are no longer sufficient, leading to the adoption of advanced frameworks such as the zero-trust model, which operates on the principle “never trust, always verify.” This model enforces strict access controls and continuous monitoring across all network activities. Designing an intelligent zero-trust system is challenging due to the complexity of network environments and the evolving nature of malicious threats. This project proposes an advanced zero-trust architecture that integrates machine learning and multi-factor authentication (MFA) to strengthen security. Specifically, it employs Multilayer Perceptron models and k-Nearest Neighbors algorithms to analyze system logs and user behavior, enabling real-time anomaly detection and adaptive authentication mechanisms. The proposed framework is experimentally evaluated using the H-MOG behavioral–contextual authentication dataset, which captures multimodal user interaction patterns and supports continuous authentication analysis within Zero Trust environments. The integration of machine learning enhances the system’s ability to identify suspicious activities quickly and accurately, while MFA provides an additional layer of protection against unauthorized access. Moreover, the proposed framework emphasizes usability, ensuring that enhanced security does not impose excessive burden on users or IT teams. This allows the framework to respond more effectively to potential threats while maintaining usability. Overall, the proposed approach offers a practical and scalable solution that improves detection performance and strengthens continuous authentication and adaptive access control within Zero Trust environments.

1. Introduction

The evolution of digital technology has altered organizational landscapes and how businesses operate [1]. In recent years, the infrastructure of a typical enterprise has become increasingly complex. A single company may run multiple internal networks, remote offices with their own local infrastructure, remote and/or mobile employees, and cloud services. Because there is no single, easily identified perimeter for the enterprise, this complexity has outpaced legacy methods of perimeter-based network security. Perimeter-based network security has also been shown to be insufficient because once attackers breach the perimeter, they have unrestricted lateral movement [2]. The resources, services, systems, data, and other assets of the company are housed within the wall surfaces of the internal trusted network. Traditional security tools such as firewalls, virtual private networks (VPNs), network access control (NAC), and web application firewalls (WAF) are deployed at the network boundary to protect against external threats [1,3]. However, once a user gains access to the internal network, they are often able to access many organizational resources without further restriction [4]. This trust-based approach to IT security worked well until recently. Because of the rapid spread of the COVID-19 pandemic, many businesses were forced to curtail their security efforts [5]. This shift from high-security offices to home-based environments significantly expanded the attack surface available to cybercriminals [6]. The reliance on unsecured home networks enabled employees to access corporate systems remotely, thereby increasing exposure to external threats and creating new vulnerabilities [7].

As a result of rapid digital transformation and the growing misuse of implicit trust mechanisms, organizations began recognizing the urgency of adopting a Zero Trust (ZT) strategy. According to the National Institute of Standards and Technology (NIST), Zero Trust is a security framework based on continuous verification rather than implicit trust. It aims to protect data, systems, and services by enforcing strict access control.

This model applies to all organizational entities, including users, devices, applications, and cloud or virtual environments, regardless of their location [2]. The conceptual foundation of the Zero Trust model, illustrated in Figure 1, emphasizes the elimination of implicit trust and enforces continuous verification of users, devices, and services regardless of their network location.

Following this paradigm shift, security vendors began promoting Zero Trust-compliant solutions, and the approach evolved from being an alternative security model to becoming a strategic priority in modern IT infrastructures [3]. Zero Trust eliminates implicit trust relationships and introduces micro-perimeters enforced through authentication, access management, encryption, and continuous monitoring mechanisms [3,4,9]. Adoption rates have increased dramatically, with implementation initiatives reaching 97% in 2022 compared to only 16% in 2019 [10]. This rapid adoption is also reflected in market growth projections. The global Zero Trust security market, shown in Figure 2, was valued at $24,942.6 million in 2021 and is projected to grow at a compound annual growth rate (CAGR) of 14.7%, reaching $87,162.8 million by 2030 (Dive, 2022) [11].

To address emerging threats such as denial-of-service (DoS) attacks, route hijacking, insider threats, stolen credentials, and non-person entities (NPEs), Zero Trust Architecture (ZTA) introduces strict identity verification and continuous validation mechanisms [2]. Consequently, Zero Trust has become an essential prerequisite for modern IT security frameworks [1,4,12]. By enforcing granular authentication and access controls, Zero Trust strengthens both user and device identities and significantly limits lateral movement within enterprise infrastructures [1]. Industry perception further reinforces its importance. As illustrated in Figure 3, a microsoft survey conducted in July 2021 revealed that 96% of security decision-makers consider Zero Trust critical to maintaining an effective security posture [13]. Despite this strong endorsement, actual implementation maturity remains limited across many organizations.

Despite the growing recognition of Zero Trust as a strategic cybersecurity imperative, practical adoption across organizations remains limited. Although Zero Trust is widely acknowledged as a more secure and resilient alternative to traditional perimeter-based security models, many enterprises continue to rely on legacy approaches [14]. Research indicates that Zero Trust has struggled to effectively compete with entrenched perimeter-based security architectures [1], and the concept has not yet fully persuaded corporate decision-makers [4].

One of the primary barriers to adoption lies in the complexity of organizational transformation [12]. Implementing Zero Trust requires significant changes to infrastructure, access policies, and security culture. Such transitions are often influenced by technological constraints, political considerations, and organizational resistance to change. Moreover, extensive modifications to existing security infrastructures may temporarily increase cybersecurity risks, including unauthorized access during migration phases [1]. The transformation process can also be time-consuming and costly, while the tangible return on investment remains difficult to predict for many organizations.

Another critical yet underexplored dimension of Zero Trust adoption concerns the human and organizational factors involved. Users play a central role in the successful implementation of new security architectures, including Zero Trust [1]. However, existing research primarily focuses on technical components such as infrastructure design, identity management, and network segmentation [1,2]. There remains a noticeable gap in understanding Zero Trust adoption from an organizational and end-user perspective. Furthermore, the limited number of fully realized enterprise-scale Zero Trust implementations contributes to the scarcity of empirical academic research in this domain [2].

To address these challenges, this study proposes an intelligent framework that integrates machine learning (ML) techniques within a Zero Trust architecture to enhance adoption feasibility and operational effectiveness. The core premise is that adaptive, data-driven security mechanisms can reduce the friction associated with Zero Trust deployment while simultaneously strengthening threat mitigation capabilities. Specifically, this research aims to achieve the following objectives:

• Improve understanding of how critical system interfaces and components can be prioritized to balance security, mission performance, and resource constraints.
• Identify preventive measures and control mechanisms using machine learning methodologies capable of simultaneously protecting multiple critical system components.
• Design and implement an ML-based model to reduce security risks in systems supporting user interactions, thereby enhancing the practical adoption of Zero Trust architectures.

The primary contribution of this work lies in the development of a machine learning-driven Zero Trust enhancement model that mitigates security threats while facilitating smoother organizational transition. The proposed approach integrates multi-factor authentication and intelligent anomaly detection mechanisms to analyze attack surfaces and dynamically adjust access control decisions. By combining Zero Trust principles with ML-based adaptive security analytics, the framework aims to reduce vulnerabilities without imposing excessive operational burden on organizations. The remainder of this paper is structured as follows.

2. Literature Review

Due to the limitations of traditional network security approaches, the zero-trust model assumes that no network, whether internal or external, should be inherently trusted. It has gained increasing attention in both academic research and industry because of its ability to address modern security challenges. However, despite its advantages, zero trust has not fully replaced conventional methods. Uncertainty regarding its benefits, limitations, and implementation challenges continues to slow its widespread adoption. Within this evolving landscape, several studies have explored Zero Trust from different perspectives. Papakonstantinou et al. proposed a methodology illustrated through a simulated case study involving a spent fuel pool cooling system. The results indicated that integrating security with safety considerations can increase the risk of failure of a critical system component compared to evaluating safety alone [15]. However, the study mainly focused on generating a combined security–safety fault and attack tree structure based on system dependencies, while the quantitative assessment of overall risk was not addressed within its scope. They use the Systems Analysis Programs for Hands-on Integrated Reliability Evaluations (SAPHIRE) software performs probabilistic risk assessment (PRA) calculations. This direction aligns with newer resilience-by-design discussions that combine model-based risk reasoning with containment primitives (e.g., micro-segmentation) and stronger data-protection mechanisms for hybrid and mission systems [16]. Extending Zero Trust beyond infrastructure-level controls, Alzubi et al. [17] examine the integration of Zero Trust principles within Business Intelligence (BI) architectures. Their work proposes a predictive security model where AI-driven analytics continuously evaluate user behavior, access patterns, and data sensitivity within BI ecosystems. Unlike traditional perimeter-based BI protection, the framework enforces adaptive authentication, dynamic authorization, and contextual trust scoring across analytical pipelines. The study highlights how predictive models can anticipate anomalous data access behavior, enabling proactive mitigation before data exfiltration or insider misuse occurs. This perspective broadens Zero Trust from network-level enforcement to data-centric predictive governance within enterprise decision-support systems.

Building on their earlier work, the authors later presented an extended study using a case study of a spent fuel pool cooling system in a nuclear reactor to further validate the methodology. The findings showed that incorporating both security and safety considerations can significantly increase the risk of failure of a critical component compared to evaluating safety alone [18]. This work builds upon their previous research presented at CIE 2020 [15], and adopts a Zero Trust perspective, where all users, devices, and processes are treated as potential security risks.

Moreover, the study advances prior efforts by estimating security-related probabilities, quantifying the combined impact of safety and security risks, and formalizing a model-based framework. This contribution enhances the overall risk assessment process and aligns it more closely with established safety analysis methods such as probabilistic risk assessment (PRA). They use The Unified Modeling Language (UML) and SAPHIRE. While these works focus on risk modeling and safety–security integration, other studies emphasize dynamic access control and trust evaluation mechanisms within Zero Trust environments. Yao et al. [19] introduced a zero-trust security model based on a dynamic access control and authorization system. The authors created a trust-based access control system that calculates the user’s behavior trust score and grants authorization if it exceeds the minimum trust score required to access the resource. The behavioral trust score was influenced by login, network, and operational behavior patterns. However, the proposed technique has difficulty analyzing high traffic rates. More recent literature generalizes this idea into risk-adaptive access control, where attribute-based policies are continuously re-evaluated using per-request risk scores (device posture, session telemetry, and behavioral signals) and then translated into fine-grained least-privilege enforcement via orchestration layers [20]. Complementing dynamic access control research, recent work on predictive analytics for Zero Trust networks [21] advances risk evaluation from reactive assessment to forward-looking inference. The study introduces machine learning-based risk forecasting models that analyze historical telemetry, behavioral deviations, device posture, and contextual signals to predict potential compromise likelihood before policy violations occur. Rather than computing static trust scores, the proposed approach emphasizes time-series risk modeling and probabilistic threat anticipation. This predictive capability enables policy engines to adjust enforcement thresholds dynamically, reinforcing the transition from periodic risk audits to continuous, model-informed trust recalibration.

Similarly, Mahbooba et al. [22] proposed an Explainable AI (XAI) model to improve trust management in an Intrusion Detection System (IDS) model. Explainable Artificial Intelligence (XAI) is an emerging area that aims to make machine learning models more transparent by providing understandable explanations of their decisions. Many advanced models, especially deep learning approaches, are often considered “black boxes” because their internal processes are difficult to interpret. However, not all machine learning models share this complexity, as some methods are inherently more interpretable and easier to understand; for example, linear/logistic regression and decision trees are transparent models [23]. Using a set of features, the authors demonstrated how to distinguish malicious network data from legitimate network data. Understanding the decision logic of cybersecurity domain professionals and network security administrators improves trustworthiness by acting in the event of adversarial traffic authentication. In terms of precision, recall, accuracy, and F-1 scores, the decision tree approach outperformed other cutting-edge algorithms. The decision tree was simpler to understand and less computationally expensive than other cutting-edge methods. When the algorithm encounters noise in the dataset Knowledge Discovery in Databases (KDD), however, there is a risk of overfitting [22]. Expanding Zero Trust to domain-specific applications, Chen et al. introduced a secure awareness and protection framework tailored for 5G-enabled intelligent healthcare systems. The approach evaluates trust using behavior-based anomaly detection by combining multiple factors such as user identity, device characteristics, system activity, and behavioral patterns [24]. The framework applies a hierarchical trust-based access control mechanism, where access to resources is granted only when the calculated trust level exceeds a defined threshold. Nevertheless, the approach may face challenges in processing and analyzing network traffic efficiently due to the high data rates and low latency requirements of 5G environments.

From a systems engineering viewpoint, Hale et al. introduced a methodology grounded in established security concepts such as Zero Trust and defense-in-depth to enhance the prevention and mitigation of security threats, including those related to machine learning components. The approach was validated through a case study involving an Unmanned Aerial Vehicle (UAV) equipped with an advanced Intelligence, Surveillance, and Reconnaissance (ISR) system [25].

In a similar context, another study proposed a framework to assess and improve the resilience of mission-critical systems that incorporate both AI components and human interactions [26]. This approach applies Zero Trust and defense-in-depth principles to safeguard critical system elements by analyzing their interactions and dependencies across different lifecycle stages and configurations. However, it does not address the evaluation of prior influences on critical components, which remains an important yet complex task that could be enhanced through model-driven engineering techniques. Complementary resilience discussions increasingly advocate integrating containment (micro-segmentation) with stronger data-in-use protection (e.g., confidential computing primitives) and automated response orchestration to reduce dwell time and improve recovery trajectories in critical missions and national infrastructure contexts [27]. Further study operationalize Zero Trust by proposing enhanced enforcement mechanisms that combine adaptive identity validation, segmented trust domains, and automated policy orchestration within heterogeneous network environments [28]. The study emphasizes practical deployment considerations, including interoperability across hybrid infrastructures, scalable policy engines, and integration with software-defined networking (SDN) controllers. By aligning architectural Zero Trust principles with enforceable runtime controls, this work strengthens the bridge between conceptual ZTA models and deployable enterprise-grade security systems. From a mission engineering perspective, Van Bossuyt et al. examined a complex, reconfigurable system-of-systems (SoS) that includes wind farm operations, autonomous uncrewed patrol units, crewed maintenance vessels, backend control systems, and machine learning components. The system is situated within a national exclusive economic zone but operates in proximity to potential regional adversaries [29]. The study also explores the impact of adversarial actions on such systems, focusing on how threats can propagate across interconnected components. Using a combination of Zero Trust and defense-in-depth strategies, the case study evaluates scenarios where an adversary introduces a latent fault during one mission that only becomes apparent in a later operation.

In the context of next-generation networks, Ramezanpour and Jagannath present key Zero Trust principles that include continuous monitoring of network assets, dynamic evaluation of access risks, and adaptive authorization decisions based on trust levels. Their approach introduces Monitoring, Evaluation, and Decision-making (MED) components to support real-time security assessment [30]. The proposed architecture follows a service-based design aligned with 3GPP standards to facilitate integration. It also considers emerging 5G developments by combining open radio access network (O-RAN) frameworks with real-time data processing engines to support machine learning-driven security mechanisms. This work highlights future research directions toward intelligent Zero Trust architectures (i-ZTA) for 5G and beyond.

Complementing these architectural developments, Ishide et al. propose a machine learning-based approach for detecting unauthorized access within hybrid environments. Their method demonstrates high accuracy in identifying abnormal behavior and provides insights into effective log collection and feature selection for anomaly detection [31]. Emerging domains such as the Metaverse are also being explored. Cheng et al. introduce a framework focused on continuous authentication for virtual reality users, incorporating biometric techniques, federated learning for privacy preservation, multimodal data integration, and adaptive authentication mechanisms [32]. While the approach aims to enhance security and usability in virtual environments, initial findings indicate that traditional federated learning methods may not yet be suitable for biometric authentication in VR settings due to low accuracy.

Finally, Xu et al. examine vulnerabilities in Zero Trust authentication architectures and propose the Mimic Authentication Strategy System (MAS) to address them. Their approach leverages dynamic heterogeneous redundancy to strengthen system resilience and employs Single Packet Authorization (SPA) to defend against denial-of-service attacks [33].

Overall, the surveyed literature demonstrates that Zero Trust has been intensively investigated across several facets such as risk modeling, adaptive access control, explainable AI, and domain-specific applications like 5G networks, UAV systems, and mission-critical infrastructures. Current research has shown significant success in integrating security principles with machine learning approaches for enhancing detection, trust evaluation, and system resilience. However, the existing approaches are still fragmented, which usually address the topics of feature selection, model optimization or access control independently. Also, the systematic integration of adaptive feature engineering and automated hyperparameter optimization into a unified Zero Trust framework is yet to be found.

Table 1. Comparative Analysis of Existing Zero Trust and Machine Learning Studies.

Study	Zero Trust Component	Dataset / Domain	ML Method	Main Strength	Limitation	Difference from Proposed Work
Yao et al. [19]	Dynamic Access Control	User behavioral access patterns	Trust-based scoring	Adaptive authorization decisions	Difficulty handling high traffic rates	Our work integrates behavioral anomaly detection with continuous authentication
Mahbooba et al. [22]	Intrusion Detection and Trust Management	KDD Network Dataset	Explainable AI / Decision Tree	High interpretability and detection performance	Risk of overfitting in noisy datasets	Proposed framework combines adaptive authentication with Zero Trust access control
Chen et al. [24]	Healthcare Zero Trust Security	5G-enabled healthcare systems	Behavior-based anomaly detection	Multi-factor trust evaluation	Scalability challenges in high-speed 5G environments	Our work focuses on behavioral–contextual authentication using H-MOG
Ramezanpour and Jagannath [30]	Continuous Monitoring and Adaptive Authorization	5G and O-RAN environments	ML-driven security evaluation	Real-time security assessment	Limited behavioral authentication validation	Proposed framework validates adaptive authentication experimentally
Cheng et al. [32]	Continuous Authentication in VR	Virtual Reality biometric environment	Federated Learning	Privacy-preserving authentication	Low biometric accuracy in VR	Our framework integrates MFA with behavioral anomaly detection
Proposed Work	Continuous Authentication and Adaptive Access Control	H-MOG Behavioral–Contextual Dataset	MLP + KNN + Clustering	Adaptive continuous authentication with behavioral anomaly detection and MFA integration	Requires future enterprise-scale deployment validation	Unified Zero Trust framework combining behavioral analysis, adaptive authentication, and optimized ML models

summarizes and compares existing Zero Trust and machine learning-based security studies based on the components addressed, application domains, machine learning methods, strengths, limitations, and differences from the proposed framework. Comparison results show that existing methods generally treat independent aspects of access control, anomaly detection or trust evaluation separately. This leads to the need for a more holistic and intelligent framework that fuses behavioral analysis, adaptive authentication, dynamic feature selection and optimized learning models for real-time security decision-making. To fill these gaps, the paper introduces the intelligent Zero Trust Architecture (i-ZTA), a unified and adaptive solution for enhanced threat detection and access control in dynamic cybersecurity environments.

3. Methods and Materials

This section presents the proposed machine learning-based framework designed to enhance Zero Trust authentication through adaptive and risk-based access control as shown in Figure 4. The methodology follows a structured pipeline that includes data collection and preprocessing, feature selection, model training and evaluation, hyperparameter optimization, and deployment for real-time access decisions.

In alignment with Zero Trust principles, the framework supports continuous verification by integrating anomaly detection and behavioral monitoring mechanisms. The machine learning models are periodically updated to adapt to emerging threats, enabling dynamic authentication decisions and automated responses to suspicious activities. The detailed steps of this process are described in the following subsections.

3.1. Data Collection and Preprocessing

A comprehensive dataset representing diverse user behaviors is collected, including login patterns, device usage characteristics, geolocation information, application access history, and contextual attributes such as operating system and device identifiers. The dataset used in this analysis [34] is derived from a behavioral–contextual authentication dataset (H-MOG), which captures multimodal user interaction patterns including typing dynamics, motion signals, and contextual usage attributes. In the implementation, the dataset is retrieved from an external URL and loaded from a CSV file into a Pandas DataFrame, reflecting a structured tabular format suitable for analytics. Prior to model development, numeric attributes are normalized using Scikit-learn scaling functions (StandardScaler) to ensure comparable feature ranges, which is essential for distance-based clustering methods. Building upon this behavioral analysis stage, clustering methods such as K-Means and Density-Based Spatial Clustering of Applications with Noise (DBSCAN) were further utilized to group similar user activities and uncover deviations from established behavioral norms. This enables the framework to better distinguish legitimate user behavior from suspicious activities, thereby strengthening continuous authentication and adaptive access control mechanisms within the Zero Trust environment.

To support behavioral pattern extraction at this stage, clustering techniques such as K-means and Density-Based Spatial Clustering of Applications with Noise (DBSCAN) are applied to group similar user activities and reveal deviations from established behavioral norms. In parallel, for geolocation and contextual access modeling, advanced density-based approaches, including Hierarchical Density-Based Spatial Clustering of Applications with Noise (HDBSCAN) and Ordering Points to Identify the Clustering Structure (OPTICS), are used to characterize spatial behavior and detect anomalous login attempts. In particular, DBSCAN is configured using parameters such as eps and min_samples (eps = 0.5 and min_samples = 5), whereas OPTICS derives cluster structures without requiring an eps value, and HDBSCAN supports variable–density clusters using a minimum cluster size constraint of 10.

In addition, data acquisition requires a secure backend infrastructure composed of authentication APIs, encrypted user databases, and mechanisms for collecting location information through Global Positioning System (GPS) signals or Internet Protocol (IP) address tracking. Python-based backend frameworks (Django 6.0.1) facilitate scalable integration of data capture and storage within authentication services. Accordingly, ethical and confidentiality requirements are incorporated during data handling. Sensitive attributes (passwords, OTP values, and personally identifiable information) must be anonymized or excluded, and data must be stored securely with appropriate access controls. Moreover, any publicly available dataset must be used under appropriate consent and licensing conditions and in compliance with applicable data protection regulations (GDPR or relevant regional policies).

Following data acquisition, preprocessing is conducted using Python 3.13.1 libraries, particularly Scikit-learn. This phase includes data cleaning, normalization, feature encoding, dimensional transformation, and outlier filtering to convert raw behavioral logs into structured representations suitable for machine learning algorithms. Specifically, categorical fields are transformed into numeric values using encoders (LabelEncoder), and continuous features are scaled (using MinMaxScaler into the range [0,1]) to avoid scale dominance across features. As a result, the preprocessed dataset is stored for reproducible model training.

3.2. Feature Selection and Authentication Dataset Construction

After preprocessing, feature selection is performed to enhance model interpretability, reduce computational overhead, and prevent overfitting in multifactor authentication (MFA) systems. Recursive Feature Elimination with cross-validation (RFE-CV) is employed due to its iterative elimination of less informative attributes while validating performance across folds. This process ensures robust generalization and effective handling of both linear and nonlinear relationships among authentication variables [35]. In the implementation, RFE is applied using an SVR estimator with a linear kernel, selecting a fixed number of top five features while ranking the remaining features by relative importance.

In parallel, the authentication dataset is constructed by integrating behavioral analytics and contextual device information. Typical features include login frequency, temporal access patterns, IP address consistency, device fingerprinting attributes, OTP usage patterns, and location stability metrics. Publicly available behavioral datasets, such as the H-MOG dataset, provide examples of multimodal behavioral inputs including typing dynamics, motion signals, and interaction traces. Consequently, such Behavioral–Contextual Authentication Datasets strengthen identity verification by modeling continuous user behavior rather than relying solely on static credentials.

Subsequently, the preprocessed dataset is partitioned into training and testing subsets using an 80:20 split, supporting reproducible experimentation (fixed random_state=42). Where required for classification, the target variable can be binned to improve interpretability and stabilize model learning.

3.3. Model Training, Selection, and Evaluation

Once the feature set is finalized, the selected features are used to train supervised models for authentication decision-making. Supervised learning techniques commonly adopted for Zero Trust authentication include Support Vector Machines (SVM), Logistic Regression, and Multilayer Perceptron (MLP) networks. Among these, SVM and MLP have demonstrated high accuracy and strong performance in multifactor authentication contexts [36]. Accordingly, SVM and MLP classifiers are instantiated and trained on the same preprocessed dataset to support direct comparative evaluation. Enabling probability estimation in SVM (SVC(probability=True)) further allows probabilistic scoring and ROC-based evaluation.

To verify reliability under Zero Trust constraints, model performance is evaluated using classification metrics appropriate for authentication decisions. Since authentication inherently involves false acceptance and false rejection risks [37], evaluation includes weighted F1-score, Accuracy, and Area Under the ROC Curve (AUC-ROC). The AUC-ROC calculation is adapted to binary and multi-class settings (one-vs-rest with weighted averaging) to ensure consistent scoring across label structures.

3.4. Hyperparameter Optimization

Although baseline models may achieve acceptable performance, hyperparameter tuning is conducted to further enhance predictive accuracy. Bayesian Optimization is employed due to its probabilistic modeling of the hyperparameter search space. This method efficiently balances exploration of new parameter configurations and exploitation of high-performing regions, thereby reducing computational cost while improving accuracy [38]. In the implementation, objective functions for SVM and MLP are defined using 5-fold cross-validation to maximize mean accuracy. The optimization process begins with random exploration (init_points = 5), followed by iterative refinement (n_iter = 10), and the resulting best parameters are used to re-instantiate optimized models for subsequent deployment.

3.5. Deployment for Real-Time Decisions

After optimization, the trained authentication model is deployed within the Zero Trust Architecture to support real-time access decisions. Incoming requests are scored using behavioral and contextual features, enabling risk-based authentication outcomes. Requests that meet the acceptance threshold are approved; conversely, high-risk requests are rejected and logged with contextual evidence for administrative review. In this manner, the deployment supports adaptive access control policies and auditable enforcement aligned with Zero Trust requirements.

3.6. Anomaly Detection, Behavioral Monitoring, and Model Updates

Beyond primary authentication, continuous behavioral monitoring is integrated to detect deviations not captured during initial verification. In the implementation, anomaly detection pipelines ingest additional datasets and apply multiple unsupervised or semi-supervised approaches, including K-means, DBSCAN, and k-Nearest Neighbors (KNN), to identify unusual access patterns. Initially, K-means is applied to group behavior patterns, with clustering quality assessed using silhouette scores. To improve stability, Bayesian Optimization can be used to identify an optimal number of clusters by maximizing silhouette score across candidate values, thereby improving cluster separability.

For time-series anomaly detection, DBSCAN is applied after preprocessing (timestamp parsing, scaling, and temporally ordered train/test split). Next, a suitable eps value is estimated using nearest-neighbor distance distributions, and anomalies are detected as noise points (label -1) in DBSCAN outputs. Bayesian Optimization is then employed to tune eps and min_samples, maximizing F1-score against available ground truth labels and reporting accuracy and AUC-ROC for comprehensive assessment.

In addition, KNN-based anomaly detection is implemented by computing distances to the k nearest neighbors and flagging anomalies using a statistical threshold (the 95th percentile of training distances). Model performance is reported using Accuracy, F1-score, and AUC-ROC, and Bayesian Optimization is used to tune parameters such as n_neighbors and weighting schemes to improve detection performance. Collectively, these approaches complement clustering-based anomaly detection methods such as DBSCAN, which remain relevant for identifying abnormal user activity patterns that fall outside established behavioral clusters [39].

Finally, detected anomalies trigger adaptive responses that operationalize continuous verification. These include step-up authentication, temporary access restriction, automated blocking of suspicious IP addresses, and real-time alerting to security teams for investigation. Moreover, model retraining and periodic updates are performed as new behavioral data are collected, ensuring continued adaptation to evolving user patterns and emerging attack strategies, and maintaining alignment with Zero Trust principles of continuous verification and dynamic risk assessment.

Anomalies do not necessarily indicate malicious activity: The experiments are mainly to see how the proposed Zero Trust framework performs in practice. MLP and KNN are tested on the same dataset, so the comparison is fair. The results are measured using Accuracy, F1-score, and AUC-ROC to get an idea of how well the system separates normal and abnormal behavior. Cross-validation and tuning are also used to avoid overfitting and make the results more stable. It is important to clarify that the H-MOG dataset provides behavioral–contextual authentication data rather than explicitly labeled malicious attacks. Therefore, the ground truth in this study is defined based on available authentication states and behavioral patterns included in the dataset, rather than confirmed adversarial activities. As a result, anomalies detected using clustering and distance-based methods (e.g., DBSCAN, OPTICS, and KNN) should be interpreted as behavioral deviations from normal user activity rather than definitive security threats. These deviations may include both benign novel behavior and potentially suspicious patterns. To mitigate this ambiguity, anomaly detection in this work is combined with multi-factor authentication and contextual validation within the proposed Zero Trust framework. This ensures that flagged anomalies are not directly treated as attacks but are further evaluated through additional authentication and policy-based checks before security decisions are enforced.

4. Results and Discussions

The experimental work was conducted through a structured sequence of stages, and the resulting models were assessed using Accuracy, AUC-ROC, and F1-score, in accordance with authentication decision-making requirements.

4.1. Data Collection and Preprocessing Results

To examine behavioral structure in the collected dataset, three clustering algorithms were implemented and compared: DBSCAN, OPTICS, and HDBSCAN. Prior to clustering, the dataset was normalized using StandardScaler to ensure comparability across features and to support distance-based clustering. The resulting output (

Table 2. Preprocessing results of DBSCAN, OPTICS, and HDBSCAN.

	DBSCAN	OPTICS	HDBSCAN
0	0	$-1$	28
1	0	$-1$	28
2	0	$-1$	28
3	0	$-1$	28
4	0	1	28

) reports the cluster labels assigned to each record by the three algorithms. Each row corresponds to a unique data instance (e.g., a login attempt), while each column contains the label produced by a specific clustering method. The label values can be interpreted as follows:

• Positive integers: represent membership in a discovered cluster, indicating that the record shares similarity with other points in that cluster. In the presented results, OPTICS and HDBSCAN assigned multiple points to a consistent cluster label (28), suggesting agreement in cluster formation for portions of the dataset.
• −1: represents noise or outliers, as commonly used in density-based clustering. In particular, DBSCAN labeled some points as −1, indicating they did not satisfy density requirements and therefore may reflect abnormal or rare behavioral patterns.
• 0: represents a valid cluster label produced by DBSCAN, grouping a subset of records considered similar under the chosen parameters.

The clustering results confirm that density-based methods can identify both structured behavioral groups and potential anomalies in authentication-related data, supporting the role of clustering as an early-stage behavioral profiling component.

4.2. Feature Selection Results

Feature selection was performed to reduce redundancy, mitigate overfitting risks, and strengthen generalization. Recursive Feature Elimination (RFE) with a linear Support Vector Classifier (SVC) estimator was applied to the scaled feature set. The process iteratively ranks features based on their contribution to the estimator’s decision boundary and retains the top features according to the specified selection size. The output shown in Figure 5 includes (i) a Boolean mask indicating the selected features and (ii) a ranking vector where rank 1 corresponds to selected features and higher ranks indicate lower relevance. Using this approach, five key features were selected as the most informative predictors for the subsequent classification stage. Although an intermediate output indicated an accuracy value of 0.0 in one run, this outcome is typically associated with data or implementation issues (target formatting, label imbalance, improper binning, or a mismatch between estimator type and target definition). Therefore, the final selection results were validated by confirming correct scaling, label consistency, and successful feature ranking extraction.

4.3. Model Evaluation Results

Following feature selection, two supervised models were trained and evaluated: Support Vector Machine (SVM) and Multilayer Perceptron (MLP). Performance was assessed using weighted F1-score, weighted AUC-ROC, and accuracy to account for class distribution effects and to reflect authentication decision risks.

The SVM model achieved an F1-score of 0.9756, an AUC-ROC of 0.9973, and an accuracy of 0.9756. The MLP model achieved a slightly higher F1-score of 0.9772, a higher AUC-ROC of 0.9981, and an accuracy of 0.9772 (

Table 3. Comparison of evaluation metrics between MLP and SVM.

Metric	MLP	SVM
F1-score	0.977	0.975
AUC-ROC	0.998	0.997
Accuracy	0.977	0.975

). The comparison indicates that MLP consistently outperformed SVM across all reported metrics.

4.4. Hyperparameter Optimization Results

Bayesian Optimization was applied to improve model performance by tuning hyperparameters for both SVM and MLP. Optimization functions were defined using 5-fold cross-validation to maximize mean accuracy, and best-performing hyperparameters were extracted and used to re-instantiate optimized models. The optimized results show that both models improved; however, MLP remained superior. After tuning, MLP achieved F1-score = 0.978, AUC-ROC = 0.997, and Accuracy = 0.978, whereas optimized SVM achieved F1-score = 0.971, AUC-ROC = 0.995, and Accuracy = 0.971 (

Table 4. Comparison of optimized MLP and SVM.

Metric	MLP Optimized	SVM Optimized
F1-score	0.978	0.971
AUC-ROC	0.997	0.995
Accuracy	0.978	0.971

). These results indicate that Bayesian Optimization enhanced performance while preserving the relative ranking of the models.

4.5. Anomaly Detection Results

To support continuous verification in Zero Trust, anomaly detection experiments were conducted using K-means, DBSCAN, and KNN approaches.

4.5.1. K-Means Results

For K-means clustering, non-numerical fields were removed and numerical features were standardized. The model was trained using a predefined number of 5 clusters. Since K-means is an unsupervised method, clustering quality was evaluated using silhouette score rather than classification metrics. The obtained silhouette scores were 0.70 (train) and 0.82 (test), indicating well-separated cluster structures. The cluster visualization is presented in Figure 6.

4.5.2. DBSCAN Results

DBSCAN performance showed high overall clustering accuracy; however, the reported AUC-ROC value of 0.0 indicates failure in separating anomalies (noise points) from normal data under the evaluation configuration. This suggests that the anomaly labeling strategy, thresholding, or class distribution may require adjustment. The cluster visualizations for train and test sets are shown in Figure 7.

4.5.3. KNN Results

KNN detected anomalies based on distance to nearest neighbors and thresholding. Although the model achieved very high accuracy (0.999) and F1-score (0.998), the AUC-ROC value of 0.5 indicates weak separability across thresholds, often associated with severe class imbalance or probability calibration issues. The comparative evaluation against DBSCAN is summarized in

Table 5. DBSCAN and KNN evaluation results.

Metric	KNN	DBSCAN
F1-score	0.998	0.983
AUC-ROC	0.50	0.00
Accuracy	0.999	0.967

.

4.5.4. Optimized Anomaly Detection Results

Bayesian Optimization was used to tune hyperparameters for K-means (optimal number of clusters), DBSCAN (eps and min_samples), and KNN (n_neighbors and weighting). Optimized K-means achieved silhouette scores of 0.75 (train) and 0.96 (test), indicating stronger cluster separability, similarly to the optimized DBSCAN achieved Accuracy = 0.978, F1-score = 0.985, and AUC-ROC = 0.921, reflecting significant improvement in anomaly separability after tuning as shown in

Table 6. Performance comparison between optimized KNN and optimized DBSCAN.

Performance Indicator	KNN Optimized	DBSCAN Optimized
F1-score	0.997	0.978
AUC-ROC	0.500	0.921
Accuracy	0.996	0.985

. By contrast, optimized KNN did not improve AUC-ROC beyond 0.5, suggesting that the limitation is likely data-driven (e.g., imbalance) rather than hyperparameter-driven.

Overall, the results show that the proposed Zero Trust framework works well in both supervised and unsupervised settings. The supervised models (MLP and SVM) give strong and consistent results for authentication tasks, while the unsupervised methods help in understanding user behavior patterns and detecting anomalies. It is also worth noting that differences in evaluation metrics across models are expected because each type of method works differently. Supervised models use true labels for evaluation, while unsupervised methods rely on clustering or distance patterns, which can affect values like AUC-ROC. For this reason, clustering measures such as silhouette score are also used to better understand performance. Overall, the results support that combining machine learning with Zero Trust principles can improve both authentication accuracy and anomaly detection in real-world environments.

4.5.5. Case Study: Real-World Deployment Scenario

To show how the proposed framework could work in real life, we look at a normal enterprise setting where users access different services like internal systems, cloud applications, and databases from both remote and on-site locations. In this setup, the system continuously receives login attempts and basic user information such as login time, device details, IP address, and usage patterns from system logs. This information is then checked in real time to understand whether the user behavior looks normal or not. If everything looks normal, the user is allowed access as usual. If something seems unusual, the system reacts by asking for extra verification, limiting access for a short time, or notifying the administrator. This example shows how the system can actually be used in an organization to monitor users, detect risks early, and adjust access decisions based on Zero Trust principles.To further explore the dynamic nature of the suggested Zero Trust framework, a simulated adaptive response scenario is examined to show the evolution of trust scores in reaction to an anomalous behavior.

In this case, any sudden divergence in the user behavioral patterns (e.g., unusual login time, device change or aberrant access location) will result in a measurable fall in the trust score estimated by the system. If the trust score is less than a predetermined threshold, the authentication mechanism automatically increases the security level and triggers a step-up authentication such as multi-factor authentication (MFA) or temporarily restricts access. The system continues to monitor the subsequent user behavior and checks the normality of the activity. As such the trust score improves progressively and the access restrictions are loosened accordingly. This illustrates the ongoing verification loop in which authentication decisions are adaptively made based on real-time risk assessment, rather than fixed criteria. In this study we do not have a complete production scale deployment but the behavior simulated verifies the possibility of adaptive response mechanisms in the proposed architecture. It points to its consistency with Zero Trust concepts of constant monitoring and risk-based access management.

The experimental results are mostly indicative of a good predictive performance in terms of Accuracy, F1-score and AUC-ROC. System-level issues affecting real-world adoption in organizational environments should also be taken into account. Operationally, the proposed approach aims to minimize computing overhead by lowering the feature dimension using Recursive Feature Elimination (RFE) and improving the model parameters using Bayesian Optimization. This means faster model inference, which is essential for real-time authentication applications. Furthermore, the use of adaptive authentication systems reduces unwanted multi-factor authentication (MFA) prompts by employing risk-based decision logic instead of fixed authentication criteria. This lowers user friction and enhances the overall user experience. Direct measurements of system latency and MFA trigger frequency, although not explicitly evaluated in this study, suggest that the selected lightweight models (SVM and MLP with optimized parameters) are suitable for deployment in near real time in Zero Trust environments. Future work will involve a more extensive empirical evaluation of delay, computing cost and user interaction overhead to further demonstrate the possibility of organizational adoption.

5. Conclusions and Future Work

This research proposed and implemented a machine learning-based framework to enhance Zero Trust adoption through adaptive authentication and multifactor security mechanisms. The developed pipeline integrated behavioral profiling, feature selection, supervised classification, hyperparameter optimization, and anomaly detection within a unified Zero Trust architecture.

The experimental results demonstrate that the proposed approach achieves strong authentication performance. In particular, the optimized Multilayer Perceptron (MLP) classifier achieved an accuracy of approximately 98%, along with high F1-score and AUC-ROC values, indicating robust classification capability and reliable class separability. Support Vector Machine (SVM) also produced competitive results; however, MLP consistently outperformed SVM across evaluation metrics.

In addition, clustering algorithms such as DBSCAN, OPTICS, and HDBSCAN were employed to uncover latent behavioral groupings within the dataset. These methods successfully identified structured clusters and potential outliers, thereby strengthening behavioral risk profiling within the Zero Trust model. While the KNN classifier achieved very high accuracy (approximately 99%), its AUC-ROC score of 0.5 revealed limited separability between classes, suggesting potential class imbalance or threshold sensitivity. This highlights the importance of evaluating multiple performance metrics rather than relying solely on accuracy. Furthermore, the use of Bayesian Optimization for hyperparameter tuning significantly enhanced model stability and performance. Optimized models demonstrated improved predictive capability while maintaining computational efficiency, making them suitable for real-time deployment scenarios.

Overall, the findings confirm that integrating machine learning with multifactor authentication can substantially enhance Zero Trust implementations. The proposed framework enables dynamic, risk-based access decisions, continuous verification, and adaptive responses to anomalous behavior. Consequently, organizations adopting this approach can strengthen their security posture and better defend against evolving cyber threats. Although the proposed framework achieved promising results, several directions remain for future enhancement:

• Improving metric consistency:Address inconsistencies observed between Accuracy, F1-score, and AUC-ROC—particularly in anomaly detection scenarios—by investigating class imbalance handling techniques such as resampling, cost-sensitive learning, or threshold calibration.
• Exploring advanced models:Evaluate alternative algorithms, including ensemble methods (e.g., Random Forest, Gradient Boosting, XGBoost) or deep learning architectures, to improve robustness and generalization performance.
• Enhancing feature engineering: Incorporate additional contextual and behavioral features, such as device fingerprinting metrics, network-level indicators, and session-based temporal features, to strengthen authentication reliability.
• Dataset expansion and continuous learning: Continuously update and refine datasets to reflect emerging cybersecurity threats. Implement incremental or online learning strategies to allow the model to adapt dynamically without complete retraining.
• Real-time adaptive response mechanisms: Develop automated policy-driven response systems capable of executing step-up authentication, session isolation, or temporary access blocking upon anomaly detection.
• Integration with enterprise infrastructure: Evaluate the framework within real-world enterprise environments to assess scalability, latency, and operational feasibility under production workloads.