A platform and analytics for usage and entitlement analytics
As illustrated by recent high-profile cases such as WikiLeaks and Snowden, information exfiltration is one of the key motivations for cyber-attacks. In this paper, we describe our approach to detecting misuse of authorizations by insiders, based on the detection of anomalous user activity. Our system is based on novel machine learning algorithms that build multidimensional user profiles, which are then used to alert administrators when a user's behavior deviates significantly from that profile. Key components of our profiling are generative models of user activity, which are intended to produce the best probabilistic model explaining the observed activity. We have deployed these models on a range of applications, such as monitoring access to source code repositories, security subsystem activity on mainframe systems, web application logs, and other proprietary applications. Extensive testing of our system on more than six years of user activity, together with multiple red-teaming exercises, has enabled us to tune our analytics to produce accurate results with very low false positive rates. Our analytic models are currently in use to monitor a number of sensitive assets within IBM.
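The abstract does not spell out the generative models or the deviation test, so the following is an added illustration of the general idea in Python, not the paper's or IBM's code. It assumes a deliberately simple model: each user profile is one Laplace-smoothed categorical distribution per feature (resource, action, hour of day), features are treated as independent, a session's score is its mean per-event negative log-likelihood, and an alert fires when that score exceeds the user's training mean plus k standard deviations. The session data is constructed for the example; the per-feature breakdown returned by `explain` is the kind of detail an administrator would want alongside an alert.

```python
"""Toy generative user-activity profile with deviation alerting.

Added example, not code from the paper. Model assumptions (ours, not the
paper's): independent per-feature categorical distributions with Laplace
smoothing; alert threshold = training mean + k * std of session scores.
"""
from collections import Counter
import math
import statistics

# Feature positions in an event tuple (resource, action, hour_of_day).
FEATURES = ("resource", "action", "hour")


class UserProfile:
    """Per-user generative model: one smoothed categorical distribution per feature."""

    def __init__(self, alpha=1.0, k=3.0, min_std=0.1):
        self.alpha = alpha      # Laplace pseudo-count; also gives unseen values non-zero mass
        self.k = k              # alert when session score > mean + k * std
        self.min_std = min_std  # floor so identical training sessions still leave a margin
        self.counts = [Counter() for _ in FEATURES]
        self.total = 0
        self.baseline = None

    def fit(self, sessions):
        """Count feature values over all training sessions, then set the alert baseline."""
        for session in sessions:
            for event in session:
                for i, value in enumerate(event):
                    self.counts[i][value] += 1
                self.total += 1
        scores = [self.score_session(s) for s in sessions]
        mean = statistics.fmean(scores)
        std = statistics.pstdev(scores) if len(scores) > 1 else 0.0
        self.baseline = (mean, max(std, self.min_std))
        return self

    def surprise(self, event):
        """Per-feature negative log-likelihood of one event under the profile."""
        out = {}
        for i, name in enumerate(FEATURES):
            # +1 reserves probability mass for a value never seen in training
            vocab = len(self.counts[i]) + 1
            p = (self.counts[i][event[i]] + self.alpha) / (self.total + self.alpha * vocab)
            out[name] = -math.log(p)
        return out

    def score_session(self, session):
        """Mean per-event surprise; higher means the profile explains the session worse."""
        return sum(sum(self.surprise(e).values()) for e in session) / len(session)

    def threshold(self):
        mean, std = self.baseline
        return mean + self.k * std

    def is_anomalous(self, session):
        return self.score_session(session) > self.threshold()

    def explain(self, session):
        """Total surprise attributed to each feature, to show an admin what deviated."""
        totals = dict.fromkeys(FEATURES, 0.0)
        for event in session:
            for name, s in self.surprise(event).items():
                totals[name] += s
        return totals


# Constructed training data (not from the paper): ten working days of one
# developer's source-repository activity, alternating between two routines.
_ROUTINE_A = [("repo/frontend", "pull", 9), ("repo/frontend", "push", 11),
              ("repo/backend", "pull", 14), ("repo/frontend", "push", 16)]
_ROUTINE_B = [("repo/frontend", "pull", 9), ("repo/backend", "pull", 11),
              ("repo/backend", "push", 14), ("repo/frontend", "push", 16)]
TRAINING_SESSIONS = [_ROUTINE_A if day % 2 == 0 else _ROUTINE_B for day in range(10)]

# Constructed held-out sessions: an ordinary day, and a day that repeatedly
# touches a resource the user never accessed before, at 3 a.m.
NORMAL_SESSION = [("repo/frontend", "pull", 9), ("repo/frontend", "push", 11),
                  ("repo/backend", "pull", 14), ("repo/backend", "push", 16)]
SUSPICIOUS_SESSION = [("repo/frontend", "pull", 9), ("db/payroll", "pull", 3),
                      ("db/payroll", "pull", 3), ("db/payroll", "pull", 3)]


def build_profile():
    return UserProfile().fit(TRAINING_SESSIONS)


if __name__ == "__main__":
    profile = build_profile()
    for label, session in (("normal", NORMAL_SESSION), ("suspicious", SUSPICIOUS_SESSION)):
        print(f"{label}: score={profile.score_session(session):.2f} "
              f"threshold={profile.threshold():.2f} alert={profile.is_anomalous(session)} "
              f"explain={ {k: round(v, 2) for k, v in profile.explain(session).items()} }")
```

Two caveats a practitioner would watch in a real deployment: the threshold is set from the same sessions used to fit the counts, so the training scores are optimistic (hold out a validation window in practice), and a slow, deliberate attacker who stays within the user's historical vocabulary and hours will not move the score much, which is why the paper reports tuning against red-team exercises rather than against synthetic outliers alone.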