Authentication Event Thresholding
Definition
Collecting authentication events, creating a baseline user profile, and determining whether authentication events are consistent with the baseline profile.
How it works
Authentication event data is collected (logon information such as device id, time of day, day of week, geo-location, etc.) to create an activity baseline for each user. A threshold is then determined either through a manually specified configuration or through statistical analysis of how far historical events deviate from the baseline. Each new authentication event is scored against the baseline to determine whether the threshold is exceeded. Thresholds can be static (fixed once configured) or dynamic (recomputed as the baseline changes).
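The following is an added worked example of the steps described above; it is illustrative code written for this page, not code from the article or from either of the referenced patents. The logon records, the rarity score (sum of -ln p over the tracked attributes with additive smoothing), the "mean + 3 standard deviations" rule for the dynamic threshold, the static cutoff of 6.0 and the alert/lock policy are all assumptions chosen for the example.

```python
"""Authentication event thresholding over a per-user baseline profile (added example)."""
import math
from collections import Counter
from datetime import datetime
from statistics import mean, pstdev

# Constructed historical logon events for one user: (ISO timestamp, device id, country).
# Weekday mornings from one laptop, one midday logon from a phone; all from the US.
HISTORY = [
    ("2024-03-04T08:12:00", "LT-0142", "US"),
    ("2024-03-05T08:45:00", "LT-0142", "US"),
    ("2024-03-06T09:03:00", "LT-0142", "US"),
    ("2024-03-07T08:30:00", "LT-0142", "US"),
    ("2024-03-08T08:55:00", "LT-0142", "US"),
    ("2024-03-11T08:20:00", "LT-0142", "US"),
    ("2024-03-12T09:10:00", "LT-0142", "US"),
    ("2024-03-13T08:40:00", "LT-0142", "US"),
    ("2024-03-14T13:05:00", "MOB-77", "US"),
    ("2024-03-15T08:50:00", "LT-0142", "US"),
]

ATTRIBUTES = ("hour", "weekday", "device", "country")
STATIC_THRESHOLD = 6.0  # assumed manually configured cutoff


def features(event):
    """Map a raw logon record to the attributes the profile tracks."""
    ts = datetime.fromisoformat(event[0])
    return {"hour": ts.hour, "weekday": ts.weekday(),
            "device": event[1], "country": event[2]}


def build_profile(events):
    """Baseline: one histogram (value -> count) per attribute, plus the event count."""
    hist = {a: Counter() for a in ATTRIBUTES}
    for ev in events:
        for a, v in features(ev).items():
            hist[a][v] += 1
    return {"n": len(events), "hist": hist}


def score(profile, event, leave_one_out=False):
    """Deviation score: sum over attributes of -ln p(value).

    p is smoothed as (c + 1) / (n + 1) so a never-seen value gets a large but
    finite penalty. With leave_one_out=True the event is taken to be part of
    the baseline and its own contribution is removed first, so historical
    events are not scored against a profile that already contains them.
    """
    hist = profile["hist"]
    n = profile["n"] - 1 if leave_one_out else profile["n"]
    total = 0.0
    for a, v in features(event).items():
        c = hist[a][v] - (1 if leave_one_out else 0)
        total += -math.log((c + 1) / (n + 1))
    return total


def dynamic_threshold(profile, events, k=3.0):
    """Statistical threshold: mean + k * stdev of the leave-one-out historical scores."""
    scores = [score(profile, ev, leave_one_out=True) for ev in events]
    return mean(scores) + k * pstdev(scores)


def unfamiliar(profile, event, attrs=("device", "country")):
    """True when none of the given attribute values has ever appeared in the baseline."""
    f = features(event)
    return all(profile["hist"][a][f[a]] == 0 for a in attrs)


def evaluate(profile, event, threshold):
    """Compare an event's score with a threshold and choose an action.

    Assumed policy (not from the article): raise an alert when the threshold is
    exceeded; lock the account when it is exceeded and both the device and the
    country are new, i.e. nothing about the session is recognisable.
    """
    s = score(profile, event)
    if s <= threshold:
        return {"score": s, "exceeded": False, "action": None}
    return {"score": s, "exceeded": True,
            "action": "lock" if unfamiliar(profile, event) else "alert"}


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    dyn = dynamic_threshold(profile, HISTORY)
    print(f"static threshold = {STATIC_THRESHOLD}, dynamic threshold = {dyn:.2f}")
    new_events = [
        ("2024-03-18T08:35:00", "LT-0142", "US"),  # routine weekday-morning logon
        ("2024-03-21T22:40:00", "LT-0142", "DE"),  # known device, late hour, new country
        ("2024-03-16T03:20:00", "UNK-9", "RO"),    # weekend night, new device and country
    ]
    for ev in new_events:
        for name, thr in (("static", STATIC_THRESHOLD), ("dynamic", dyn)):
            r = evaluate(profile, ev, thr)
            print(f"{ev} [{name}] score={r['score']:.2f} action={r['action']}")
```

Run as a script, the routine logon scores about 1.7 and triggers nothing under either threshold, the weekend-night logon from an unknown device and country scores about 9.6 and is locked under both, and the late-evening logon from the known laptop but a new country scores about 6.2: above the configured static cutoff (alert) yet just under the dynamic threshold of roughly 6.5 that the user's own history produces. That last case is the practical difference between static and dynamic thresholds. The leave-one-out scoring matters because the midday phone logon in the history would otherwise be scored against a profile that already contains it, pulling the dynamic threshold down and raising the false-positive rate.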
Actions
As a result of the analysis, actions taken could include:
- Account Locking
- Raising an alert
Example data sources
- Directory server logs
- VPN Server logs
- IDAM Capability logs
- NAC logs
- Authentication client logs
- Kerberos network traffic
- LDAP network traffic
Considerations
This technique detects statistical outliers. Depending on the complexity or dimensionality of the data considered, an outlier may not be obvious to a human analyst reviewing events in simplistic analytic views. Conversely, if the malicious activity is not statistically different from benign activity (for example, a stolen credential used from the victim's usual device, location and working hours), the alert threshold will not be met.
References
The following references were used to develop the Authentication Event Thresholding knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Method and Apparatus for Network Fraud Detection and Remediation Through Analytics
MITRE Comments
This patent describes determining a confidence score to detect anomalies in user activity based on comparing a user's behavior profile with current user activity events. The following types of events are used to develop a user entity profile:
- logon and logoff times and locations
- starting or ending applications
- reading or writing files
- changing an entity's authorization
- monitoring network traffic
User events that deviate from the entity profile over a certain threshold trigger a remedial action.
CAR-2013-02-008: Simultaneous Logins on a Host
System, method, and computer program product for detecting and assessing security risks in a network
MITRE Comments
This patent describes calculating a risk score to detect anomalies in user activity based on comparing a user's current session with a user behavior model. The user behavior model is comprised of a number of histograms including:
- client devices from which the user logs in
- servers accessed
- data accessed
- applications accessed
- session duration
- logon time of day
- logon day of week
- geo-location of logon origination
The system has an initial training period of a configurable number of days (e.g., 90 days) in which session data is recorded into the behavior models before behavior analysis begins. The histograms are then used to determine anomalies between current session activity and the user's behavior model. Values for a histogram category are along one axis and the number of times each value has been observed for that category is along the other. If a data point value associated with the current user session is over an anomaly threshold, an alert is generated.