User Behaviour Analytics on Active Directory (ADUBA)
Goal
Trains a model from the customer’s data to detect anomalous user logins.
Description
Our objective is to train a model from the customer’s data to detect anomalous user logins. This logins will be analysed according to three criteria, generating a separate prediction for every field
Time
Device
Location (country)
Then, we will combine the three predictions to generate the alert. For this use case we will consider failed and successful logins.
Even though this model has been developed with AD in mind, it can easily be adapted to any user management system given the specific filter for the data.
Characteristics
Data involved
For this use case we will rely on Active Directory. More specifically, we will use the events that match the following:
Task: logon
Event id: 4624 and 4625
Logon Types: 2, 7, 9, 10, 11, 12, 13
This means we are considering local and remote logins whether they are successful or failed.
Alert Generation
Implementation brief
For this use case we have prepared three different models. One for each aspect to consider. Each model is summarised as follows:
Time model: we train a clustering model (KMeans) for every user in the company. The centroids of the model will represent normal behaviour and the distance to these centroids the deviation from normal.
Device and Location: we will use a frequency table in order to categorise each device or location as already recorded or not. We will consider it as anomalous if the location/device has not been recorded before at least a certain amount of times.
Raw outputs of the model
The model itself, from a lower level perspective, produces the following outputs:
A boolean value containing whether the device and location were already registered. It could be changed to a numerical value representing the number of records for that specific device or location.
Regarding time, the output is a numerical value that represents the difference in hours from normal behaviour.
Last updated