Authorization Event Thresholding
Definition
Collecting authorization events, creating a baseline user profile, and determining whether authorization events are consistent with the baseline profile.
How it works
Authorization event data is collected to create a baseline user profile. Authorization events that deviate from the baseline and exceed a static or dynamic threshold are identified for further action. Authorization events can include successful and failed authorization attempts as well as events related to permissions, including viewing, editing, deleting, or creating files, databases, etc.
Considerations
Depending on the complexity of the data considered, outliers may not be obvious to a human analyst reviewing events in simplistic analytic views. If malicious activity is not statistically different from benign activity, an alert threshold will not be met.
References
The following references were used to develop the Authorization Event Thresholding knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Method and Apparatus for Network Fraud Detection and Remediation Through Analytics
MITRE Comments
This patent describes determining a confidence score to detect anomalies in user activity based on comparing a user's behavior profile with current user activity events. The following types of events are used to develop a user entity profile:
- logon and logoff times and locations
- starting or ending applications
- reading or writing files
- changing an entity's authorization
- monitoring network traffic
User events that deviate from the entity profile over a certain threshold trigger a remedial action.
CAR-2013-09-003: SMB Session Setups
System, method, and computer program product for detecting and assessing security risks in a network
MITRE Comments
This patent describes calculating a risk score to detect anomalies in user activity based on comparing a user's current session with a user behavior model. The user behavior model is comprised of a number of histograms including:
- client devices from which the user logs in
- servers accessed
- data accessed
- applications accessed
- session duration
- logon time of day
- logon day of week
- geo-location of logon origination
The system has an initial training period of a set number of days (e.g., 90 days) in which session data is recorded in behavior models before behavior analysis begins. The histograms are then used to determine anomalies between current session activity and a user's behavior model. Values for a histogram category are along one axis and the number of times the value is received for the category is along another axis. If a data point value associated with the current user session is over an anomaly threshold, an alert is generated.
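As an added example (not code from the D3FEND article or from either patent), the following Python sketch builds the per-category histogram profile described above from constructed sessions for a hypothetical user "alice", scores a current session against it, and applies a dynamic threshold. The scoring rule (sum of -log p with add-one smoothing) and the threshold rule (mean + 2 standard deviations of the baseline's own scores) are assumptions chosen for illustration; the category names are constructed.

```python
"""Histogram-based authorization event thresholding (added example, constructed data)."""
import math
import statistics
from collections import Counter, defaultdict

# Constructed training sessions for one user; categories mirror the histograms
# described above (client device, server accessed, logon time, day of week).
TRAINING = [
    {"user": "alice", "device": "wks-01", "server": "fileshare", "hour": "business", "day": "weekday"},
    {"user": "alice", "device": "wks-01", "server": "fileshare", "hour": "business", "day": "weekday"},
    {"user": "alice", "device": "wks-01", "server": "hr-app",    "hour": "business", "day": "weekday"},
    {"user": "alice", "device": "wks-01", "server": "fileshare", "hour": "business", "day": "weekday"},
    {"user": "alice", "device": "lap-07", "server": "fileshare", "hour": "business", "day": "weekday"},
    {"user": "alice", "device": "wks-01", "server": "fileshare", "hour": "business", "day": "weekday"},
]

def build_profile(sessions):
    """user -> category -> Counter(value -> times seen): one histogram per category."""
    profile = defaultdict(lambda: defaultdict(Counter))
    for s in sessions:
        for cat, val in s.items():
            if cat != "user":
                profile[s["user"]][cat][val] += 1
    return profile

def anomaly_score(profile, session):
    """Sum of -log p(value) over categories, with add-one smoothing so a value
    never seen in the baseline gets a small but non-zero probability. Higher = rarer."""
    if session["user"] not in profile:
        raise ValueError(f"no baseline for user {session['user']!r}")
    hists = profile[session["user"]]
    score = 0.0
    for cat, val in session.items():
        if cat == "user":
            continue
        counts = hists[cat]
        total, distinct = sum(counts.values()), len(counts)
        p = (counts[val] + 1) / (total + distinct + 1)
        score += -math.log(p)
    return score

def dynamic_threshold(profile, sessions, k=2.0):
    """Dynamic threshold: mean + k standard deviations of the baseline's own scores."""
    scores = [anomaly_score(profile, s) for s in sessions]
    return statistics.mean(scores) + k * statistics.pstdev(scores)

def is_anomalous(profile, session, threshold):
    """True when the session's rarity score exceeds the (static or dynamic) threshold."""
    return anomaly_score(profile, session) > threshold
```

A session from an unknown device to an unseen server off-hours scores far above the threshold, while a session that matches the baseline pattern scores well below it, which is the limitation noted under Considerations: activity that is statistically indistinguishable from the user's normal profile does not trip the threshold.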