Resource Access Pattern Analysis
Analyzing the resources accessed by a user to identify unauthorized activity.
How it works
This technique analyzes a user's resource accesses by comparing the user's recent activity against a baseline activity model. Major differences between the current activity and the baseline model might indicate unauthorized activity if they are severe enough.
- Potential for false positives from anomalies that are not associated with malicious activity.
- Attackers that move low and slow may not differentiate their resource access activity behavior enough to trigger an alert.
The following references were used to develop the Resource Access Pattern Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Host intrusion prevention system using software and user behavior analysis
The patent describes a technique for performing behavior based threat detection. User and code behavior data is collected and stored to create baseline user and code behavior profiles. User behavior data collected over a user session or over multiple sessions can include a user:
- clicking on a link
- scrolling down a page
- opening or closing a window
- downloading a file
- saving a file
- running a file
- typing a keyword
Code behavior monitored includes code:
- copying itself to a system folder
- setting a run key to itself in the registry
- setting a second runkey to itself in the registry in a different location
- disabling OS tools in the registry
- opening a hidden file
The user interaction and the code process executed during the user session are monitored and compared with predetermined malicious behavior profiles that are typically present in a malicious user session. The predetermined collection of malicious behaviors are created based on analysis of families of malware in run time in a threat research facility. If a match is made an action is taken that can include isolating the computer on which the user interaction occurs and limiting network access to or from the computer.
Method and Apparatus for Network Fraud Detection and Remediation Through Analytics
This patent describes determining a confidence score to detect anomalies in user activity based on comparing a user's behavior profile with current user activity events. The following types of events are used to develop a user entity profile:
- logon and logoff times and locations
- starting or ending applications
- reading or writing files
- changing an entity 's authorization
- monitoring network traffic
User events that deviate from the entity profile over a certain threshold trigger a remedial action.
Modeling user access to computer resources
System, method, and computer program product for detecting and assessing security risks in a network
This patent describes calculating a risk score to detect anomalies in user activity based on comparing a user's current session with a user behavior model. The user behavior model is comprised of a number of histograms including:
- client devices from which the user logs in
- servers accessed
- data accessed
- applications accessed
- session duration
- logon time of day
- logon day of week
- geo - location of logon origination
The system has an initial training period with x number of days (e. g., 90 days) in which session data is recorded in behavior models before behavior analysis begins.The histograms are then used to determine anomalies between current session activity and a user's behavior model. Values for a histogram category are along one axis and the number of times the value is received for the category is along another axis. If a data point value associated with the current user session is over an anomaly threshold, an alert is generated.
System and method thereof for identifying and responding to security incidents based on preemptive forensics
This patent describes detecting abnormal behavior related to a security incident by collecting and analyzing forensic data in real time. Forensic data may include:
- URLs visited
- data downloaded or streamed
- messages received and sent
- amount of memory used for processing
The data is then analyzed according to a set of dynamically created rules to determine normal behavior patterns associated with the network or user devices. Anomalies between current behavior and normal behavior patterns trigger an alert.