User Data Transfer Analysis
Definition
Analyzing the amount of data transferred by a user.
How it works
A change in the volume of data a user transfers, relative to that user's own established baseline, may indicate unauthorized activity such as data exfiltration. Data transfers can be analyzed by collecting network traffic (for example flow records or proxy logs) or application logs, aggregating the bytes sent and received per user over a time window, and comparing each new window against the baseline; windows that exceed the baseline by more than an expected margin raise an alert.
Considerations
- Anomalies that are not associated with unauthorized activity, such as a legitimate one-off bulk transfer, will also deviate from the baseline, so false positives are possible.
- Attackers who move low and slow, spreading a transfer across many sessions or days, may not deviate from a user's normal transfer volume enough within any single window for an alert to trigger.
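The following is an added example of the baseline-and-deviation logic described above and is not code from the page or from either referenced patent. It assumes a hypothetical application log format ("user=… bytes_out=…" per event), aggregates bytes per user per day, builds a robust per-user baseline (median and median absolute deviation, MAD) from a training period, and then scores later days two ways: a per-day rule for sudden spikes, and a rolling multi-day rule aimed at the low-and-slow consideration, which relies on the fact that day-to-day noise accumulates roughly as the square root of the window length while a steady skim accumulates linearly. Users with too little history are reported but not scored, to limit the false-positive consideration. The sample log and all thresholds are constructed for this example.

```python
import math
import re
import statistics
from collections import defaultdict
from datetime import date

# Constructed sample log in a hypothetical format (not from any real product).
# alice: normal days, then one large spike on 2024-03-06.
# bob:   normal days, then three days each just under the per-day threshold.
# carol: first seen after the baseline period, so there is no history to score.
SAMPLE_LOG = """\
2024-03-01T09:12:00 user=alice bytes_out=60000
2024-03-01T15:40:00 user=alice bytes_out=40000
2024-03-02T10:01:00 user=alice bytes_out=110000
2024-03-03T11:20:00 user=alice bytes_out=90000
2024-03-04T09:05:00 user=alice bytes_out=120000
2024-03-05T14:30:00 user=alice bytes_out=105000
2024-03-06T02:17:00 user=alice bytes_out=4000000
2024-03-07T10:00:00 user=alice bytes_out=100000
2024-03-08T10:00:00 user=alice bytes_out=110000
2024-03-01T09:00:00 user=bob bytes_out=200000
2024-03-02T09:00:00 user=bob bytes_out=210000
2024-03-03T09:00:00 user=bob bytes_out=190000
2024-03-04T09:00:00 user=bob bytes_out=205000
2024-03-05T09:00:00 user=bob bytes_out=195000
2024-03-06T09:00:00 user=bob bytes_out=218000
2024-03-07T09:00:00 user=bob bytes_out=219000
2024-03-08T09:00:00 user=bob bytes_out=217000
2024-03-07T12:00:00 user=carol bytes_out=900000
"""

BASELINE_END = date(2024, 3, 5)  # days up to and including this form the baseline (assumed)
K = 4.0                          # sensitivity: how many MADs above the median counts as unusual
MIN_BASELINE_DAYS = 5            # users with less history are not scored (false-positive control)
MAD_FLOOR_FRACTION = 0.02        # keep a near-zero MAD from turning every small bump into an alert

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) bytes_out=(?P<bytes>\d+)$")


def daily_totals(log_text):
    """Aggregate bytes_out per (user, day). Returns {user: {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        totals[m["user"]][date.fromisoformat(m["ts"])] += int(m["bytes"])
    return totals


def build_baseline(per_day, baseline_end):
    """Robust per-user baseline (median, MAD) of daily totals in the training window.
    Returns None when there is not enough history to score the user."""
    values = [b for d, b in per_day.items() if d <= baseline_end]
    if len(values) < MIN_BASELINE_DAYS:
        return None
    median = statistics.median(values)
    mad = statistics.median(abs(v - median) for v in values)
    return median, max(mad, MAD_FLOOR_FRACTION * median)


def threshold(baseline, n_days):
    """Alert threshold for the total over n consecutive scored days.
    Noise adds up like sqrt(n); a steady low-and-slow excess adds up like n, so the
    window rule can fire even when no single day crosses threshold(baseline, 1)."""
    median, mad = baseline
    return n_days * median + K * mad * math.sqrt(n_days)


def detect(log_text, baseline_end=BASELINE_END, window=3):
    """Return a list of (user, kind, detail) findings for days after the baseline period."""
    findings = []
    for user, per_day in sorted(daily_totals(log_text).items()):
        baseline = build_baseline(per_day, baseline_end)
        if baseline is None:
            findings.append((user, "no-baseline", "insufficient history, not scored"))
            continue
        eval_days = sorted(d for d in per_day if d > baseline_end)
        for d in eval_days:
            if per_day[d] > threshold(baseline, 1):
                findings.append((user, "daily", d.isoformat()))
        # Rolling window over the scored days (days with no events are simply absent).
        for i in range(len(eval_days) - window + 1):
            days = eval_days[i:i + window]
            if sum(per_day[d] for d in days) > threshold(baseline, window):
                findings.append((user, "window", f"{days[0]}..{days[-1]}"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run as-is, the per-day rule flags only alice's spike, the three-day window rule flags bob (whose days individually stay under the per-day threshold), and carol is reported as unscored rather than anomalous. The same functions apply unchanged to the asset-to-host view in the second reference below: key the aggregation on the (asset, host) pair instead of the user and keep separate baselines for bytes sent and bytes received.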
References
The following references were used to develop the User Data Transfer Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
System and method thereof for identifying and responding to security incidents based on preemptive forensics
MITRE Comments
This patent describes detecting abnormal behavior related to a security incident by collecting and analyzing forensic data in real time. Forensic data may include:
- URLs visited
- data downloaded or streamed
- messages received and sent
- amount of memory used for processing
The data is then analyzed according to a set of dynamically created rules to determine normal behavior patterns associated with the network or user devices. Anomalies between current behavior and normal behavior patterns trigger an alert.
System for implementing threat detection using threat and risk assessment of asset-actor interactions
MITRE Comments
The patent describes an insider threat detection system that analyzes packets sent within a network to identify and isolate malicious behavior. Observed network traffic is collected and developed into a baseline that establishes the amount of data sent and received between a specific asset and a host. Subsequent data transfer values are then compared with that baseline to identify anomalies.