User Behavior Models for Identity Management
User behavior models can detect security attacks and risks. We have developed models that protect Oracle assets using a unique clustering approach.
Project Overview
Oracle Single Sign On (SSO) is an Identity Management tool created to give Oracle employees a single point of access to Oracle assets. As such, SSO needs robust protection against security attacks such as password guessing and credential stuffing using, for example, stolen credentials purchased on the dark web. To provide this protection, we create user behavior profiles for every SSO and VPN user. These profiles are based on user access patterns that are clustered using a non-parametric clustering technique invented at Oracle. User profiles represent normal account behavior, and deviations from this normal behavior are flagged as anomalies. Because a change in user behavior can be benign (for example, a user starts a new project) and our security investigation resources are limited, we have built applications on top of the user behavior anomaly detection to find the anomalies that are especially concerning. For example, our Hypersonic application looks for SSO logins from two locations within a time period in which travel between them is physically impossible.
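The impossible-travel check described above can be reduced to a speed calculation over consecutive logins by the same user. The following is an added illustration written for this page, not Hypersonic's code or any Oracle implementation: it assumes that each login event carries a geolocated latitude/longitude, and it uses an assumed plausibility threshold of 1000 km/h (roughly the ceiling of commercial air travel). The login records are constructed sample data.

```python
import math
from datetime import datetime, timezone

# Constructed sample SSO login events: (user, UTC timestamp, latitude, longitude).
# Made-up values for this example, not real Oracle log data.
SAMPLE_LOGINS = [
    ("alice", "2024-03-01T08:00:00Z", 37.39, -122.08),   # Redwood City area
    ("alice", "2024-03-01T10:30:00Z", 37.40, -122.07),   # still local, 2.5 h later
    ("alice", "2024-03-01T11:15:00Z", 51.51,   -0.13),   # London, only 45 min later
    ("bob",   "2024-03-01T09:00:00Z", 47.61, -122.33),   # Seattle
    ("bob",   "2024-03-02T09:00:00Z", 40.71,  -74.01),   # New York, 24 h later
]

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: faster than this between two logins is treated as impossible.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (degrees)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a literal trailing 'Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one alert per consecutive login pair (same user, time order) whose
    implied travel speed exceeds max_kmh.

    Each alert is (user, t_first, t_second, distance_km, required_kmh)."""
    by_user = {}
    for user, ts, lat, lon in logins:
        by_user.setdefault(user, []).append((parse_ts(ts), lat, lon))

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e[0])            # logs may arrive out of order
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours <= 0:
                # Simultaneous logins: any non-zero distance is impossible.
                required = math.inf if dist > 0 else 0.0
            else:
                required = dist / hours
            if required > max_kmh:
                alerts.append((user, t1.isoformat(), t2.isoformat(),
                               round(dist, 1), round(required, 1)))
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

Only Alice's Redwood City to London pair fires (about 8600 km in 45 minutes); Bob's Seattle to New York pair, 24 hours apart, stays well under the threshold. In practice geolocation of VPN exit nodes and corporate proxies is coarse, so a production version would also whitelist known egress addresses before computing the distance.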
Our user behavior models have been ported to the OCI Identity Management environment. This application is more difficult because only the log events generated by user actions are available. We need to sequence the events, predict the future event stream, and flag low-probability future events as anomalies. We create clusters of users with similar behavior and detect odd behavior, such as a cluster containing a single user, and we also detect user movement among clusters, which could indicate anomalous behavior.
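One simple way to realise "predict the future event stream and flag low-probability events" is a first-order Markov model over event names: learn transition probabilities from historical sequences, then score each transition in a new sequence and report those below a threshold. The code below is an added example written for this page; it is not Oracle's model, and the non-parametric clustering technique the page mentions is stood in for by an exact-match grouping on each user's set of observed transitions, which is enough to show the "cluster with a single user" check. Event names and sequences are constructed sample data, and the smoothing constant and anomaly threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed training data: per-user sequences of identity-management event names.
# Made-up for this example, not real OCI audit logs.
TRAINING = {
    "alice": ["LOGIN", "LIST_USERS", "VIEW_USER", "LOGOUT"] * 5,
    "bob":   ["LOGIN", "VIEW_USER", "RESET_PASSWORD", "LOGOUT"] * 5,
    "carol": ["LOGIN", "LIST_USERS", "VIEW_USER", "LOGOUT"] * 5,
}


class EventStreamModel:
    """First-order Markov model of event transitions with additive smoothing."""

    def __init__(self, alpha=0.5):          # assumed smoothing constant
        self.alpha = alpha
        self.counts = defaultdict(Counter)  # counts[prev][next] = occurrences
        self.vocab = set()

    def fit(self, sequences):
        for seq in sequences:
            for prev, nxt in zip(seq, seq[1:]):
                self.counts[prev][nxt] += 1
                self.vocab.update((prev, nxt))
        return self

    def prob(self, prev, nxt):
        """P(next | prev); unseen transitions get a small non-zero probability."""
        row = self.counts.get(prev, Counter())
        total = sum(row.values())
        return (row[nxt] + self.alpha) / (total + self.alpha * len(self.vocab))

    def score(self, seq, threshold=0.05):    # assumed anomaly threshold
        """Return (prev, next, probability) for transitions below the threshold."""
        flagged = []
        for prev, nxt in zip(seq, seq[1:]):
            p = self.prob(prev, nxt)
            if p < threshold:
                flagged.append((prev, nxt, round(p, 4)))
        return flagged


def transition_signature(seq):
    """The set of distinct (prev, next) pairs a user has produced."""
    return frozenset(zip(seq, seq[1:]))


def singleton_clusters(user_sequences):
    """Group users with identical transition signatures; return users that end
    up alone in their group. This exact-match grouping is a deliberately simple
    stand-in for a real clustering algorithm."""
    groups = defaultdict(list)
    for user, seq in user_sequences.items():
        groups[transition_signature(seq)].append(user)
    return sorted(users[0] for users in groups.values() if len(users) == 1)


def analyse(new_user_sequence, training=TRAINING):
    """Fit on the population and score one new sequence."""
    model = EventStreamModel().fit(training.values())
    return model.score(new_user_sequence)


if __name__ == "__main__":
    suspicious = ["LOGIN", "LIST_USERS", "RESET_PASSWORD", "LOGOUT"]
    print("low-probability transitions:", analyse(suspicious))
    print("users alone in their cluster:", singleton_clusters(TRAINING))
```

Here LIST_USERS followed directly by RESET_PASSWORD was never seen in training, so it is the only transition flagged, while Alice's usual pattern scores cleanly. Bob is the only user whose transition set matches nobody else's, so he is reported as a single-user cluster. Re-running the grouping on a later window and comparing each user's group to the previous one is the natural extension for detecting movement between clusters.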