How do I analyze account anomalies? Look here!

Source: Internet
Author: User

News of shopping, payment, game and social-media accounts being stolen is common, and the harm is easy to imagine!

Theft of a frequently used network account or host account may lead to information disclosure, diversion of funds, or the account being used as a springboard for a chain of attacks on important assets. Many industries have no clear method for identifying and tracing who is responsible for these losses, so the biggest victims are often the users themselves.

A company has many employees, and each employee has many types of accounts. Because of the sheer number of staff accounts, a stolen account that causes an obvious loss is easy to detect, and remedial measures can be taken. When there is no obvious loss, the theft may go undiscovered for a long time, the attacker can keep using the account, and the harm may be greater.

Because account privileges differ, it is hard to decide how wide a scope of activity counts as a violation, and because the business is complex, it is hard to determine accurately whether an account is in a normal or an abnormal state.

Below, we use statistical laws and machine learning to establish the corresponding data models through FEA and analyze abnormal account situations.

First, data modeling for accounts

We should first analyze and learn from historical data, then describe and establish a normal behavior model.

Modeling generally uses time series and Markov process methods. Analyze the account's access frequency, online duration, common login time periods, the specific content of the data accessed and other factors, and establish the normal behavior model from the behavior characteristics of each of these aspects.

Once the normal model is established, it can be used to measure how far the user's actual activity deviates from the model, check whether the deviation is within a certain threshold, make inferences about the user's behavior, and find out whether any abnormal behavior exists.

1. Access frequency model

Based on historical log data, combined with related factors, a time series model is established.

2. Activity level model

Based on the user's usual online time periods, online duration, activity level and other factors.

3. Sensitive data access volume model

Based on a time series of sensitive data access, such as the times at which users access the SVN server, download code, or modify and upload important data.
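As an added example (not code from the original article), the following Python builds the access-frequency and activity-level baselines described above from a constructed audit log and scores a new observation against them; the log format, the account names and the 3-sigma threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit log, one "<ISO timestamp> <account> <action>" per line; not real data.
HISTORY = """
2019-03-04T09:02:11 alice login
2019-03-04T09:40:51 alice login
2019-03-04T13:12:07 alice login
2019-03-05T09:05:19 alice login
2019-03-05T14:22:40 alice login
2019-03-06T08:58:02 alice login
2019-03-06T09:31:33 alice login
2019-03-07T10:03:44 alice login
""".strip().splitlines()

def parse(lines):
    """Yield (timestamp, account, action) for each log line."""
    for line in lines:
        ts, account, action = line.split()
        yield datetime.fromisoformat(ts), account, action

def daily_login_counts(lines):
    """Access-frequency time series: logins per account per calendar day."""
    series = defaultdict(Counter)
    for ts, account, action in parse(lines):
        if action == "login":
            series[account][ts.date()] += 1
    return series

def baseline(series, account):
    """Normal-behavior model: mean and population standard deviation of daily logins."""
    counts = list(series[account].values())
    return mean(counts), pstdev(counts)

def deviation_score(series, account, observed):
    """How many standard deviations an observed daily count sits above the baseline."""
    mu, sigma = baseline(series, account)
    if sigma == 0:  # constant history: any departure is a full-strength signal
        return 0.0 if observed == mu else float("inf")
    return (observed - mu) / sigma

def usual_hours(lines, account):
    """Activity-level model: hours of the day in which the account has historically logged in."""
    return {ts.hour for ts, acct, action in parse(lines) if acct == account and action == "login"}

def is_anomalous(lines, account, observed_count, login_hour, threshold=3.0):
    """Flag a day whose login count exceeds the threshold, or a login outside the usual hours."""
    series = daily_login_counts(lines)
    too_many = deviation_score(series, account, observed_count) > threshold
    return too_many or login_hour not in usual_hours(lines, account)
```

In production the baseline would be recomputed on a rolling window so that the model follows the dynamic-update requirement described later in the article.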

Second, profiling the characteristics of the account

Using the established normal model and some basic elements of the environment in which the account is used, we build a profile of the account. From the various audit logs, host logs and data flow information, analyze the commonly used IP addresses, common tools, geographic location and other environmental conditions, outline the user from different angles, and determine its basic profile.

1. Basic elements

Account name, common IP, city, common browser, common software client, login frequency, activity level, access protocol, common access time periods.

2. Dynamic update

As time passes and the user's environment changes, user behavior may change greatly and the original profile may become invalid. The profile must be analyzed and updated, so a reasonable mechanism for discriminating and updating it is needed to improve accuracy in practical applications.

Third, account-based correlation analysis

1. Pre- and post-business linkages

In real business, many users' operating habits follow a before-and-after pattern, for example logging in to a server with an SSH or Remote Desktop account to do some operations and generate files, then using an FTP or SFTP account to download the files.

The design logic of a business system also creates relationships between the business of different accounts; for example, using an HTTP account to access a website triggers the site to access the back-end database through another account, so these business operations are associated. Apriori and other algorithms can be used to analyze the relationships between account business operations.

2. Same account with multiple IPs, same IP with multiple accounts

Analysis of large amounts of data makes it easy to find problems such as one IP logging in with several types of accounts, the use of shared accounts, and remote logins. For example, if an account logs in from Beijing and logs in from Chengdu 5 minutes later, the probability that the password has been leaked is high.
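As an added example (not code from the original article), the Python below implements the two checks named in this item: the Beijing-to-Chengdu case as an impossible-travel alert, and the same-IP-multiple-accounts check. The IP addresses, the geo-IP table and the login events are constructed, and the 1000 km/h speed limit is an assumption.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed geo-IP table for the sample IPs (assumed; a real deployment would query a geo-IP database).
GEO = {
    "203.0.113.10": ("Beijing", 39.9042, 116.4074),
    "203.0.113.11": ("Beijing", 39.9042, 116.4074),
    "198.51.100.7": ("Chengdu", 30.5728, 104.0668),
}

# Constructed login events: (account, ISO timestamp, source IP); not real data.
EVENTS = [
    ("alice", "2019-03-04T09:02:11", "203.0.113.10"),
    ("alice", "2019-03-04T09:07:11", "198.51.100.7"),   # 5 minutes later, ~1500 km away
    ("bob",   "2019-03-04T09:10:00", "203.0.113.10"),
    ("bob",   "2019-03-04T18:10:00", "203.0.113.11"),   # same city, different IP: fine
    ("carol", "2019-03-04T09:10:00", "203.0.113.10"),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=1000.0):
    """Same account, multiple IPs: flag consecutive logins whose implied travel speed exceeds max_kmh."""
    by_account = defaultdict(list)
    for account, ts, ip in events:
        by_account[account].append((datetime.fromisoformat(ts), ip))
    alerts = []
    for account, logins in by_account.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            city1, lat1, lon1 = GEO[ip1]
            city2, lat2, lon2 = GEO[ip2]
            dist = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1).total_seconds() / 3600
            # zero distance needs no explanation; zero elapsed time with a move is impossible
            if dist > 0 and (hours <= 0 or dist / hours > max_kmh):
                alerts.append((account, city1, city2, round(dist), round(hours * 60)))
    return alerts

def shared_ips(events, min_accounts=2):
    """Same IP, multiple accounts: IPs from which at least min_accounts distinct accounts logged in."""
    accounts_by_ip = defaultdict(set)
    for account, _, ip in events:
        accounts_by_ip[ip].add(account)
    return {ip: accts for ip, accts in accounts_by_ip.items() if len(accts) >= min_accounts}
```

A shared-IP hit is only a lead, not proof of misuse: a corporate NAT gateway legitimately carries many accounts, so the result is best combined with the account profile built in the previous section.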

3. Account group division

Through similarity calculation and cluster analysis of accounts, the accounts are divided into different clusters. Analyzing the clusters that are prone to anomalies makes it easier to combine individual and group relationships, and to better analyze changes in the behavior of an individual user or of a user group.
