
Our Outlier Detection system detects unusual, suspicious activity by monitored entities (e.g., users, servers). Such activity can reveal security attacks that would otherwise go unnoticed. A typical example is the insider attack, in which a privileged account is used to steal sensitive information from the organization. The attack may originate with the account owner, for example a disgruntled employee, or with an outsider who has hijacked the account, for example through password theft. In either case the activity comes from a legitimate, authorized account, so perimeter controls such as firewalls and signature-based tools do little against it; insider attacks are much better handled with analytic methods such as outlier detection.

The Outlier Detection system, based on statistical and machine learning techniques, automatically builds behavioral models that describe what constitutes "normal" behavior for each modeled entity. The models are learned from historical data and then compared against ongoing observed activity. Because the system does not rely on attack signatures, it can detect previously unseen (zero-day) attack patterns. It builds a holistic view of typical behavior by clustering similar entities together, so that each entity is judged against its peer group rather than in isolation, and by taking multiple aspects of the observed activity into account at once. This improves both the precision and the accuracy of the detection. The system can also be customized easily for new types of monitored entities and the aspects relevant to them.
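The following is an added illustration of the approach described above, written for this page; it is not IBM's or Guardium's code and does not reproduce the product's actual models. It scores one day of constructed database access records against a baseline learned from earlier days, using the peer group an entity belongs to as a stand-in for the cluster the text mentions (here a fixed role label rather than a learned cluster), and combines two aspects of activity: rows returned per day and the set of tables touched. The record layout, the features, the z-score rule and the threshold of 3.0 are all assumptions made for the example.

```python
"""Added example: peer-group outlier scoring over constructed DB access records.

Not Guardium's algorithm. Assumed record layout: (day, user, peer_group, table, rows_returned).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data. Days 1-5 form the baseline; day 6 is the window being scored.
HISTORY = []
for _day in range(1, 6):
    for _user in ("alice", "bob", "carol"):
        HISTORY.append((_day, _user, "analyst", "sales", 200 + 10 * _day))
        HISTORY.append((_day, _user, "analyst", "orders", 150))
    HISTORY.append((_day, "dba1", "dba", "sales", 50))
    HISTORY.append((_day, "dba1", "dba", "audit_log", 1000 + 50 * _day))

OBSERVED = [
    (6, "alice", "analyst", "sales", 240),
    (6, "alice", "analyst", "orders", 150),
    (6, "bob", "analyst", "sales", 250),
    (6, "bob", "analyst", "orders", 9000),        # bulk pull from a familiar table
    (6, "bob", "analyst", "credit_cards", 5000),  # table no analyst has ever touched
    (6, "carol", "analyst", "sales", 230),
    (6, "carol", "analyst", "orders", 150),
    (6, "dba1", "dba", "sales", 50),
    (6, "dba1", "dba", "audit_log", 1350),
]


def features(records):
    """Aggregate records into one feature vector per (user, day): rows returned and tables touched."""
    by_key = defaultdict(lambda: {"rows": 0, "tables": set(), "group": None})
    for day, user, group, table, rows in records:
        f = by_key[(user, day)]
        f["rows"] += rows
        f["tables"].add(table)
        f["group"] = group
    return by_key


def build_baseline(history):
    """Per peer group: the samples of each feature and the set of tables the group has ever used."""
    base = defaultdict(lambda: {"rows": [], "ntables": [], "known": set()})
    for f in features(history).values():
        b = base[f["group"]]
        b["rows"].append(f["rows"])
        b["ntables"].append(len(f["tables"]))
        b["known"] |= f["tables"]
    return base


def zscore(x, samples):
    """Absolute z-score of x against the peer samples; a zero-variance baseline yields 0 or inf."""
    m, s = mean(samples), pstdev(samples)
    if s == 0:
        return 0.0 if x == m else float("inf")
    return abs(x - m) / s


def score_window(observed, baseline, threshold=3.0):
    """Score each (user, day) in the window; alert on a large deviation or a never-seen table."""
    out = {}
    for key, f in features(observed).items():
        if f["group"] not in baseline:  # no peers to compare against: surface rather than guess
            out[key] = {"z_rows": None, "z_tables": None, "novel_tables": sorted(f["tables"]),
                        "alert": True, "reason": "no baseline for peer group"}
            continue
        b = baseline[f["group"]]
        z_rows = zscore(f["rows"], b["rows"])
        z_tables = zscore(len(f["tables"]), b["ntables"])
        novel = sorted(f["tables"] - b["known"])
        out[key] = {
            "z_rows": round(z_rows, 2),
            "z_tables": z_tables,
            "novel_tables": novel,
            "alert": max(z_rows, z_tables) >= threshold or bool(novel),
        }
    return out


def run():
    return score_window(OBSERVED, build_baseline(HISTORY))


if __name__ == "__main__":
    for (user, day), result in sorted(run().items()):
        print(user, day, result)
```

Two things the example makes visible that a practitioner should keep in mind: a peer group with no variance in some feature (every analyst touched exactly two tables) produces an infinite score for any deviation, so in practice a variance floor or minimum sample count is needed, and a group that has no history at all cannot be scored and should be surfaced as such rather than silently treated as normal.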

The Outlier Detection system is in production use by IBM customers for the protection of large-scale database systems as part of the IBM Security Guardium platform, where database access logs are analyzed for unusual behavioral patterns of users or servers. Future development directions include deploying Outlier Detection as a cloud-based service and building more scalable Big Data implementations on Apache Spark cluster computing.