User Geolocation Logon Pattern Analysis
Definition
Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.
How it works
Geolocation data for each user logon attempt is collected and used to create a baseline user behavior profile. The geolocation data of each new logon is then compared against that profile. Logon activity that deviates from the user's normal pattern can help identify situations that may indicate a remote attacker using stolen credentials. For example:
- logons from locations that are different from where a user usually logs in
- logons from a location in which an enterprise has no users located
- a logon that is not physically possible given the elapsed time since a logon from another location (so-called impossible travel).
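The three checks above, run over a constructed logon history, as an added example that is not part of the original article. The sample events, the city coordinates, the set of countries where the enterprise has users, the 20% "usual location" share and the 1000 km/h speed limit are all assumptions made for the illustration; a production system would take the baseline window, thresholds and geolocation source from its own configuration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample history: (user, UTC timestamp, city, country, lat, lon).
# The events are invented; coordinates are approximate city centres.
HISTORY = [
    ("alice", "2024-03-01T08:05:00Z", "Boston", "US", 42.36, -71.06),
    ("alice", "2024-03-02T08:10:00Z", "Boston", "US", 42.36, -71.06),
    ("alice", "2024-03-03T09:00:00Z", "Boston", "US", 42.36, -71.06),
    ("alice", "2024-03-04T08:02:00Z", "Boston", "US", 42.36, -71.06),
    ("alice", "2024-03-05T14:30:00Z", "Chicago", "US", 41.88, -87.63),
    ("bob", "2024-03-01T07:55:00Z", "London", "GB", 51.51, -0.13),
    ("bob", "2024-03-02T07:58:00Z", "London", "GB", 51.51, -0.13),
    ("bob", "2024-03-03T08:01:00Z", "London", "GB", 51.51, -0.13),
]

# Constructed: countries in which the enterprise actually has users.
ENTERPRISE_COUNTRIES = {"US", "GB"}

# Assumed tuning values; the article does not specify them.
USUAL_LOCATION_MIN_SHARE = 0.20   # a city is "usual" if it holds >= 20% of the user's logons
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # faster implied travel than this is treated as impossible


@dataclass
class Logon:
    user: str
    ts: datetime
    city: str
    country: str
    lat: float
    lon: float


def parse(record):
    user, ts, city, country, lat, lon = record
    return Logon(user, datetime.fromisoformat(ts.replace("Z", "+00:00")), city, country, lat, lon)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def build_profiles(history):
    """Baseline per user: how often each city appears, plus the most recent logon."""
    profiles = {}
    for logon in sorted((parse(r) for r in history), key=lambda l: l.ts):
        profile = profiles.setdefault(logon.user, {"cities": Counter(), "last": None})
        profile["cities"][logon.city] += 1
        profile["last"] = logon
    return profiles


def check_logon(profiles, record):
    """Score one new logon against the user's baseline, then fold it into the baseline.

    Returns the list of anomaly labels that apply (empty if the logon looks normal).
    """
    logon = parse(record)
    profile = profiles.setdefault(logon.user, {"cities": Counter(), "last": None})
    findings = []

    # 1. Location the user does not normally log on from (a user with no history
    #    has no usual location, so their first logon is flagged for review).
    total = sum(profile["cities"].values())
    share = profile["cities"][logon.city] / total if total else 0.0
    if share < USUAL_LOCATION_MIN_SHARE:
        findings.append("unusual_location_for_user")

    # 2. Location where the enterprise has no users at all.
    if logon.country not in ENTERPRISE_COUNTRIES:
        findings.append("no_enterprise_presence")

    # 3. Impossible travel: the distance from the previous logon could not have been
    #    covered in the elapsed time. abs() keeps out-of-order delivery from hiding it.
    last = profile["last"]
    if last is not None:
        km = haversine_km(last.lat, last.lon, logon.lat, logon.lon)
        hours = abs((logon.ts - last.ts).total_seconds()) / 3600.0
        if km > 0 and (hours == 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
            findings.append("impossible_travel")

    # Update the baseline so the next check sees this logon as the previous one.
    profile["cities"][logon.city] += 1
    profile["last"] = logon
    return findings


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for rec in [
        ("alice", "2024-03-05T16:00:00Z", "Chicago", "US", 41.88, -87.63),
        ("alice", "2024-03-05T18:30:00Z", "Kyiv", "UA", 50.45, 30.52),
        ("bob", "2024-03-04T08:00:00Z", "Manchester", "GB", 53.48, -2.24),
    ]:
        print(rec[0], rec[1], check_logon(profiles, rec) or "ok")
```

The flagged logon is still folded into the baseline on purpose: if it was an attacker, the user's next legitimate logon will also trip the impossible-travel check from the other end, which gives the analyst both halves of the pair. The 1000 km/h limit is a rough airliner speed; how much slack to allow for VPN exit points and coarse IP geolocation is a tuning decision, not something this check can settle.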
Considerations
- Potential for false positives from logon anomalies that are not associated with malicious activity, such as legitimate travel, VPN exit points, or inaccurate IP geolocation data.
- Attackers may not differentiate their logon behavior enough to trigger an alert, for example by logging on from, or through infrastructure in, the user's usual region.
References
The following references were used to develop the User Geolocation Logon Pattern Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Method and Apparatus for Network Fraud Detection and Remediation Through Analytics
MITRE Comments
This patent describes determining a confidence score to detect anomalies in user activity based on comparing a user's behavior profile with current user activity events. The following types of events are used to develop a user entity profile:
- logon and logoff times and locations
- starting or ending applications
- reading or writing files
- changing an entity's authorization
- monitoring network traffic
User events that deviate from the entity profile over a certain threshold trigger a remedial action.
System, method, and computer program product for detecting and assessing security risks in a network
MITRE Comments
This patent describes calculating a risk score to detect anomalies in user activity by comparing a user's current session with a user behavior model. The user behavior model consists of a number of histograms, including:
- client devices from which the user logs in
- servers accessed
- data accessed
- applications accessed
- session duration
- logon time of day
- logon day of week
- geo-location of logon origination
The system has an initial training period of a configurable number of days (e.g., 90 days) during which session data is recorded in the behavior models before behavior analysis begins. The histograms are then used to identify anomalies between current session activity and the user's behavior model. Values for a histogram category are along one axis and the number of times each value has been observed for that category is along the other. If a data point value from the current user session exceeds an anomaly threshold, an alert is generated.
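The histogram-based model described above, as an added example that is neither the patent's implementation nor MITRE's. It keeps one frequency histogram per category for each user, records sessions without scoring them until the user's training window has elapsed, and then flags any category whose current value was seen in too small a share of the user's earlier sessions. The seven-day training window (the patent text cites 90 days as an example), the 10% anomaly threshold, the four categories chosen, and the sample sessions are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed parameters; the patent description gives 90 days as an example training
# period, shortened here so the constructed sample stays small.
TRAINING_DAYS = 7
ANOMALY_THRESHOLD = 0.10   # a value seen in fewer than 10% of a user's sessions is anomalous
CATEGORIES = ("device", "hour", "weekday", "geo")


def session_features(session):
    """Map a raw session record onto the histogram categories."""
    start = datetime.fromisoformat(session["start"])
    return {
        "device": session["device"],
        "hour": start.hour,          # logon time of day
        "weekday": start.weekday(),  # logon day of week (0 = Monday)
        "geo": session["geo"],       # geo-location of logon origination
    }


class BehaviorModel:
    """One histogram per category for a single user."""

    def __init__(self, first_seen):
        self.training_until = first_seen + timedelta(days=TRAINING_DAYS)
        self.hist = {c: Counter() for c in CATEGORIES}
        self.sessions = 0

    def in_training(self, start):
        return start < self.training_until

    def record(self, feats):
        for c in CATEGORIES:
            self.hist[c][feats[c]] += 1
        self.sessions += 1

    def score(self, feats):
        """Return {category: observed frequency} for every category under the threshold."""
        if self.sessions == 0:
            return {}
        anomalies = {}
        for c in CATEGORIES:
            freq = self.hist[c][feats[c]] / self.sessions
            if freq < ANOMALY_THRESHOLD:
                anomalies[c] = freq
        return anomalies


def process(sessions):
    """Train per-user models during each user's training window, then alert on anomalies."""
    models, alerts = {}, []
    for s in sorted(sessions, key=lambda x: x["start"]):
        start = datetime.fromisoformat(s["start"])
        feats = session_features(s)
        model = models.get(s["user"])
        if model is None:
            model = models[s["user"]] = BehaviorModel(start)
        if not model.in_training(start):
            anomalies = model.score(feats)
            if anomalies:
                alerts.append((s["user"], s["start"], anomalies))
        model.record(feats)   # the model keeps learning after the training period
    return alerts


# Constructed sample: seven weekday-morning sessions from the usual laptop and city,
# one more normal session after training, then one 03:00 session from an unknown
# device in a city the user has never logged on from.
SAMPLE_SESSIONS = [
    {"user": "alice", "start": f"2024-03-{day:02d}T09:00:00", "device": "laptop-1", "geo": "Boston"}
    for day in range(4, 12)
] + [
    {"user": "alice", "start": "2024-03-12T03:00:00", "device": "unknown-pc", "geo": "Lisbon"},
]

if __name__ == "__main__":
    for user, start, anomalies in process(SAMPLE_SESSIONS):
        print(user, start, anomalies)
```

With the sample data the first post-training session scores clean, and the 03:00 session alerts on device, hour and geo-location but not on weekday, since Tuesdays already appear in the histogram. The per-category frequencies returned in the alert are what a risk-scoring layer would combine; how the categories are weighted is the part the patent text leaves to the implementation.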