Secure and Govern has recently released an improved and expanded ML detection model for the Unusual Access Analysis Rule. The new multivariate detection model is discussed in further detail below

General

What is the Unusual Access Multivariate Anomaly Detection model?

The new multivariate anomaly detection model that detects Unusual Access anomalies. The improved model focuses on file access/download and file deletion anomalies. The following model now considers the following variants for Unusual Access detections:

    1. The volume of files (accessed/downloaded and/or deleted)
    2. Sensitivity of the files 
    3. Location of access
    4. Time-of-day of access

Can I control which model variants are used for Unusual Access detections?

Yes, each of the variants can be turned on/off independently.

mceclip2.png

For existing customers, only "File access/downloads" and "File deletes" are enabled by default. For new customers, all variants are enabled by default.

Model Variants

Number of Files Accessed/Downloaded

Number of Files Deleted

Number of Sensitive Files Accessed/Downloaded

Number of Files Accessed/Downloaded by Location

Number of Files Accessed/Downloaded by Time of Day

 

Number of Files Accessed/Downloaded

Detects unusual file access/download patterns using user-based Machine learning.

How does the model variant work

This variant of the ML model works on a per-user basis and captures daily file accessed/downloaded patterns for each user.

Example: The current user-based model prediction for User A = 30 files accessed/downloaded

  • If User A has 35 files accessed/downloaded on a given day, the user has exceeded their predicted rate of 30 and an Unusual Access anomaly will be detected
  • If User A has 25 files accessed/downloaded on a given day, the user has NOT exceeded their predicted rate of 30 and an Unusual Access anomaly will NOT be detected

The above example does not take into account the "threshold" settings discussed below

What settings can be modified to change the number of detections?

  • Minimum file threshold
  • Sensitivity threshold (low, medium, high)

mceclip5.png

Minimum file threshold and Sensitivity threshold work independently. Changing Sensitivity threshold from low to medium does NOT change or impact the Minimum file threshold

How does Minimum file threshold work?

The minimum file threshold sets the minimum number of files accessed/downloaded required to generate an Unusual Access detection. The minimum file threshold works independently from user-based model predictions and sensitivity threshold.

Example #1: Minimum file threshold = 20 and user-based model prediction = 15 files accessed/downloaded

  • If user has 18 files accessed/downloaded, the user has exceeded their predicted rate of 15, but has NOT exceeded the minimum file threshold of 20. An Unusual Access anomaly will NOT be detected

Example #2: Minimum file threshold = 20 and user-based model prediction = 30 files accessed/downloaded

  • If a user has 25 files accessed/downloaded, the user has NOT exceeded their predicted rate of 30 but has exceeded the minimum file threshold of 20. An Unusual Access anomaly will NOT be detected
  • If a user has 35 files accessed/downloaded, the user has exceeded their predicted rate of 30 and has also exceeded the minimum file threshold of 20. An Unusual Access anomaly will be detected

The above example does not take into account the "Sensitivity threshold" setting discussed below

What happens when I change the Minimum file threshold?

Any minimum file threshold changes will automatically affect any future Unusual Access detections

Example: Changing threshold from 10 to 50

  • No future Unusual Access detections will occur for any user that has less than 50 files accessed/downloaded

How does Sensitivity threshold work? 

Sensitivity threshold works in conjunction with user-based model prediction. The Sensitivity threshold determines the multiplier that is applied to the user-based predictions in order to determine when an Unusual Access anomaly is detected. 

  • Sensitivity threshold does NOT change or impact the minimum file threshold
  • A Sensitivity setting of "Low" will generate the most detections while a Sensitivity setting of "High" will generate the least amount of detections
  • Sensitivity settings are tied to multipliers for each user:
    • Low = Multiplier of 1
    • Medium = Multiplier of 3
    • High = Multiplier of 10

Example: The user-based model prediction = 10 files accessed/downloaded per day for User "A"

  • If Sensitivity threshold is set to "Low", the user-based model prediction would still be 10 (10 x 1) files accessed/downloaded per day for User "A"
  • If Sensitivity threshold is set to "Medium", the user-based model prediction would now be 30 (10 x 3) files accessed/downloaded per day for User "A"
  • If Sensitivity threshold is set to "High", the user-based model prediction would now be 100 (10 x 10) files accessed/downloaded per day for User "A"

The above example does not take into account the "Minimum file threshold" setting discussed above

What happens when I change the Sensitivity threshold?

Any changes will automatically affect any future Unusual Access detections.

Example: Changing threshold from medium to high

  • The Sensitivity threshold multiplier changes from 3 to 10

 

Number of Files Deleted

Detects unusual file deletion patterns using user-based Machine learning.

How does the model variant work?

This variant of the ML model works on a per-user basis and captures daily file deletion patterns for each user.

Example: The current user-based model prediction for User A = 30 deleted files

  • If User A has 35 files deleted on a given day, the user has exceeded their predicted rate of 30 and an Unusual Access anomaly will be detected
  • If User A has 25 files deleted on a given day, the user has NOT exceeded their predicted rate of 30 and an Unusual Access anomaly will NOT be detected

The above example does not take into account the "threshold" settings discussed below

What settings can be modified to change the number of detections?

  • Minimum file threshold
  • Sensitivity threshold (low, medium, high)

mceclip5.png

Minimum file threshold and Sensitivity threshold work independently. Changing Sensitivity threshold from low to medium does NOT change or impact the Minimum file threshold

How does Minimum file threshold work?

The minimum file threshold sets the minimum number of deleted files required to generate an Unusual Access detection. The minimum file threshold works independently from user-based model predictions and sensitivity threshold

Example #1: Minimum file threshold = 20 and user-based model prediction = 15 deleted files

  • If a user has 18 deleted files, the user has exceeded their predicted rate of 15, but has NOT exceeded the minimum file threshold of 20. An Unusual Access anomaly will NOT be detected

Example #2: Minimum file threshold = 20 and user-based model prediction = 30 deleted files

  • If a user has 25 deleted files, the user has NOT exceeded their predicted rate of 30, but has exceeded the minimum file threshold of 20. An Unusual Access anomaly will NOT be detected
  • If a user has 35 deleted files, the user has exceeded their predicted rate of 30 and has also exceeded the minimum file threshold of 20. An Unusual Access anomaly will be detected

The above example does not take into account the "Sensitivity threshold" setting discussed below

What happens when I change the Minimum file threshold

Any minimum file threshold changes will automatically affect any future Unusual Access detections

Example: Changing threshold from 10 to 50

  • No future Unusual Access detections will occur for any user that has less than 50 deleted files

How does Sensitivity threshold work?

Sensitivity threshold works in conjunction with user-based model prediction. The Sensitivity threshold determines the multiplier that is applied to the user-based predictions in order to determine when an Unusual Access anomaly is detected. 

  • Sensitivity threshold does NOT change or impact the minimum file threshold
  • A Sensitivity setting of "Low" will generate the most detections while a Sensitivity setting of "High" will generate the least amount of detections
  • Sensitivity settings are tied to activity percentiles for each user:
    • Low = 90% or higher
    • Medium = 95% or higher
    • High = 99% or higher

Example: In the chart below, the user ranges of 5-80 deleted files a day.

  • The median or average, for this user, is ~41 deleted files. 
  • If Sensitivity threshold is set to "Low", an Unusual Access detection would occur at ~64 deleted files or higher
  • If Sensitivity threshold is set to "Medium", an Unusual Access detection would occur at ~71 deleted files or higher
  • If Sensitivity threshold is set to "High", an Unusual Access detection would occur at ~78 deleted files or higher

mceclip6.png

User Detection Frequency = The number of days a user deletes "x" number of files

User Daily Files Deleted = The actual number of files a user deleted per day

The above example does not take into account the "Minimum file threshold" setting discussed above

What happens when I change the Sensitivity threshold?

Any changes will automatically affect any future Unusual Access detections

Example: Changing threshold from medium to high

  • Unusual Access detections will only occur when a user crosses over the 99% file threshold (instead of 95%)

 

Number of Sensitive Files Accessed/Downloaded

Detects unusual Sensitive file access/download patterns using user-based Machine learning.

How does the model variant work?

This variant of the ML model works on a per-user basis and captures daily Sensitive file accessed/downloaded patterns for each user.

Example: The current user-based model prediction for User A = 15 sensitive files accessed/downloaded

  • If User A has 20 sensitive files accessed/downloaded on a given day, the user has exceeded their predicted rate of 15 and an Unusual Access anomaly will be detected
  • If User A has 12 sensitive files accessed/downloaded on a given day, the user has NOT exceeded their predicted rate of 15 and an Unusual Access anomaly will NOT be detected

The above example does not take into account the "threshold" settings discussed below

What settings can be modified to change the number of detections?

  • Sensitivity threshold (low, medium, high)

mceclip7.png

Only the Sensitivity threshold is available for this model variant. The minimum file threshold only applies to the "files deleted" and files accessed/downloaded" model variants

How does Sensitivity threshold work?

Sensitivity threshold works in conjunction with user-based model prediction. The Sensitivity threshold determines the multiplier that is applied to the user-based predictions in order to determine when an Unusual Access anomaly is detected. 

  • A Sensitivity setting of "Low" will generate the most detections while a Sensitivity setting of "High" will generate the least amount of detections
  • Sensitivity settings are tied to activity percentiles for each user:
    • Low = 90% or higher
    • Medium = 95% or higher
    • High = 99% or higher

Example: In the chart below, the user ranges of 2-33 sensitive files accessed/downloaded a day.

  • The median, for this user, is ~18 deleted files. 
  • If Sensitivity threshold is set to "Low", an Unusual Access detection would occur at ~27 sensitive files accessed/downloaded or higher
  • If Sensitivity threshold is set to "Medium", an Unusual Access detection would occur at ~30 sensitive files accessed/downloaded or higher
  • If Sensitivity threshold is set to "High", an Unusual Access detection would occur at ~32 sensitive files accessed/downloaded or higher

mceclip8.png

User Detection Frequency = The number of days a user accesses/downloads "x" number of sensitive files

User Daily Sensitive Files Accessed/Downloaded = The actual number of sensitive files a user accessed/downloaded per day

What happens when I change the Sensitivity threshold?

Any changes will automatically affect any future Unusual Access detections

Example: Changing threshold from medium to high

  • Unusual Access detections will only occur when a user crosses over the 99% file threshold (instead of 95%)

Number of Files Accessed/Downloaded by Location

Detects unusual file access/download patterns by location using user-based Machine learning.

How does the model variant work?

This variant of the ML model works on a per-user basis and captures daily file accessed/downloaded patterns, based on distance from the primary location, for each user. The model variant identifies a user's most common single location (primary location) and calculates an acceptable median distance (x number of miles/kilometers) from that location. The median distance is NOT a defined or a set number of miles/kilometers. Acceptable median distance will be determined by a user's usage patterns.

  • The model will analyze user history to define a median distance in order to prevent work from home detections
  • When the model identifies a location(s) that is outside the acceptable median distance, based on user history, an Unusual Access detection will occur

Example: The user-based model prediction median distance = 20 miles from their primary location for User "A"

  • If user "A" accesses/downloads files 25 miles from their primary location an Unusual Access anomaly will be detected
  • If user "A" accesses/downloads files 20 miles or less from their primary location an Unusual Access anomaly will NOT be detected

The above example does not take into account the "threshold" settings discussed below

What settings can be modified to change the number of detections?

  • Sensitivity threshold (low, medium, high)

mceclip7.png

Only the Sensitivity threshold is available for this model variant. The minimum file threshold only applies to the "files deleted" and files accessed/downloaded" model variants

How does Sensitivity threshold work?

Sensitivity threshold works in conjunction with user-based model prediction. The Sensitivity threshold determines the multiplier that is applied to the user-based predictions in order to determine when an Unusual Access anomaly is detected. 

  • A Sensitivity setting of "Low" will generate the most detections while a Sensitivity setting of "High" will generate the least amount of detections
  • Sensitivity settings are tied to activity percentiles for each user:
    • Low = 90% or higher
    • Medium = 95% or higher
    • High = 99% or higher

Example: In the chart below, the user ranges of 0-32 miles from their Primary Location

  • The median, for this user, is ~16 miles from the primary location 
  • If Sensitivity threshold is set to "Low", an Unusual Access detection would occur at ~26 miles or higher
  • If Sensitivity threshold is set to "Medium", an Unusual Access detection would occur at ~29 miles or higher
  • If Sensitivity threshold is set to "High", an Unusual Access detection would occur at ~31 miles or higher

mceclip9.png

User Detection Frequency = The number of times a user accesses/downloads files

User Location Distance = The actual number of miles from their primary location

What happens when I change the Sensitivity threshold?

Any changes will automatically affect any future Unusual Access detections

Example: Changing threshold from medium to high

  • Unusual Access detections will only occur when a user crosses over the 99% file threshold (instead of 95%)

Number of Files Accessed/Downloaded by Time of Day

Detects unusual file Access/Download patterns by time of day using user-based Machine learning.

How does the model variant work?

This variant of the ML model works on a per-user basis and captures daily file accessed/downloaded patterns, based on time of day, for each user.

The model variant divides a day into 4-hour time buckets (six time buckets total). Here are the time buckets (UTC time zone will be used for detections)

  • 12AM-4AM
  • 4AM-8AM
  • 8AM-12PM
  • 12PM-4PM
  • 4PM-8PM
  • 8PM-12AM

The model then captures file access/download statistics for each time bucket for each user. An Unusual Access detection will occur when:

  • A spike in file access/download activity occurs in any time bucket
  • file access/download activity occurs in an unusual time bucket for a user

Example #1 (new time bucket): The user-based model prediction identifies User A typically has activity in two time buckets: 8AM-12PM and 12PM-4PM

  • If file access/download activity occurs in the 4AM-8AM time bucket an Unusual Access anomaly will be detected
  • If normal file access/download activity occurs in the 8AM-12PM time bucket an Unusual Access anomaly will NOT be detected

Example #2 (access/download spike): The user-based model prediction identifies User A typically has activity from 8AM-12PM and typical activity is 20 files accessed/downloaded 

  • If 25 files are access/download between 8AM-12PM, an Unusual Access anomaly will be detected
  • If up to 20 files are access/download between 8AM-12PM, an Unusual Access anomaly will NOT be detected
  • The above example does not take into account the "threshold" settings discussed below

What settings can be modified to change the number o detections?

  • Sensitivity threshold (low, medium, high)

mceclip7.png

Only the Sensitivity threshold is available for this model variant. The minimum file threshold only applies to the "files deleted" and files accessed/downloaded" model variants

How does Sensitivity threshold work?

Sensitivity threshold works in conjunction with user-based model prediction. The Sensitivity threshold determines the multiplier that is applied to the user-based predictions in order to determine when an Unusual Access anomaly is detected. 

  • A Sensitivity setting of "Low" will generate the most detections while a Sensitivity setting of "High" will generate the least amount of detections
  • Sensitivity settings are tied to activity percentiles for each user:
    • Low = 90% or higher
    • Medium = 95% or higher
    • High = 99% or higher

Example #1: In the chart below, the user ranges of 5-80 files accessed/downloaded a day from 8AM-12PM for user "A"

  • The median, for this user, is ~41 files accessed/downloaded from 8AM-12PM
  • If Sensitivity threshold is set to "Low", an Unusual Access detection would occur at ~64 files accessed/downloaded or higher
  • If Sensitivity threshold is set to "Medium", an Unusual Access detection would occur at ~71 files accessed/downloaded or higher
  • If Sensitivity threshold is set to "High", an Unusual Access detection would occur at ~78 files accessed/downloaded or higher

Time Bucket = 8AM - 12PM

mceclip10.png

User Detection Frequency = The number of days a user accesses/downloads "x" number of files

User Daily Files Accessed/Downloaded = The actual number of files a user accessed/downloaded per day

Example #2: In the chart below, the user ranges of 0-5 files accessed/downloaded a day from 4PM-8PM for user "A"

  • The median, for this user, is ~2.5 files accessed/downloaded from 4PM-8PM
  • If Sensitivity threshold is set to "Low", an Unusual Access detection would occur at ~3.5 files accessed/downloaded or higher
  • If Sensitivity threshold is set to "Medium", an Unusual Access detection would occur at ~4 files accessed/downloaded or higher
  • If Sensitivity threshold is set to "High", an Unusual Access detection would occur at ~4.5 files accessed/downloaded or higher

Time Bucket = 4PM - 8PM

mceclip0.png

User Detection Frequency = The number of days a user accesses/downloads "x" number of files

User Daily Files Accessed/Downloaded = The actual number of files a user accessed/downloaded per day

What happens when I change the Sensitivity threshold?

Any changes will automatically affect any future Unusual Access detections

Example: Changing threshold from medium to high

  • Unusual Access detections will only occur when a user crosses over the 99% file threshold (instead of 95%)

Back to Model Variants