Machine learning user risk score calculations
Introduction
Advanced adaptive capability powered by machine learning provides a new method to prevent bad actors from impersonating authorized users to gain access to a protected site. Such attackers could have compromised credentials via social engineering or phishing tactics; obtained credentials beforehand from a source on the dark web or by compromising another third-party organization; or created new credentials within an organization they already breached.
The new Adaptive Authentication method, available in SecureAuth IdP version 9.3, requires SecureAuth's Prevent Threat Service package. Machine learning is used to track and analyze the login behavior patterns of authorized users for a period of time to identify their normal login patterns. Each user is assigned a risk score based on the current login behavior for that user in comparison to login behaviors of users with similar behavior patterns. A user's risk score may fluctuate based on login event factors.
When a login attempt is made, the login behavior pattern of the user attempting to authenticate is compared to the pattern of the authorized user that individual claims to be. A mismatch between patterns would now assign a higher risk score to that user and prompt a step-up in authentication requirements, or denial of access to the protected site.
Notice
By default, all new SecureAuth IdP version 9.3 appliances and appliances upgraded to this version have machine learning enabled. However, this feature is only activated in an environment with a licensed Prevent Threat Service package applied to the SecureAuth IdP.
Contact SecureAuth Support to:
Upgrade to the Prevent Threat Service package
Upgrade to SecureAuth IdP v9.3
Machine learning analysis and user risk score assignment
Machine learning analyzes information gathered from a user's login behavior pattern during a period of time and assigns a risk score to that user to dictate how to handle an authentication request. This risk score is based on whether the user is a low, medium, or high risk user, in comparison to other users with similar login behavior patterns. A user's risk score might fall within a range of 0 to 100 – with 100 indicating a high risk score – and can change, since a user could have a different login behavior pattern in the past compared to the present time.
For example, if during the past two months a user consistently logged in at about 9:00 a.m., and now the user is logging in at 2:00 a.m., the risk score increases and 2-Factor Authentication is required to identify the user.
Machine learning analyzes the following user data from logs:
Usual time of day the user logs in
Usual days of the week the user logs in
IP address used when logging in
Passed or failed authentication attempts
Tracking these login events can identify an unusually high number of successes or failures
NOTE: If using SailPoint IdentityIQ and/or Exabeam UEBA, risk scores from these third-party platforms are calculated apart from SecureAuth's user risk score.
Warning
SecureAuth strongly recommends not blocking users based on their machine learning scores. At this time, there is no way to unlock an account of a user blocked as a result of their machine learning user risk score.
User risk score components
The user risk score calculation includes the following data for login events across a period of time:
User's current risk score
User ID
Time of day the user logged in
Day of the week the user logged in
IP address used when logging in, which identifies the user's location
Realm the user accessed
Login event status – passed, failed, or other transaction information unique to the login event
User risk score log
The user risk score log can be found at D:\SecureAuth\AnalyzeAPILogs.
Sample log entry
2018/11/12 20:10:35.484|Trace|SecureAuth.AnalyzeEngine.API.Controllers.API.V1.UserRiskController|[LogResponse] Response: {"RiskScores":[{"ScoreChange":"-10","LastActivity":"1541304000","PreDecayedScore":"0","DecayedToTimestamp":"0","Category":"Active Directory","Threat":"Potential Account Misuse","Alert":"It was very unusual that {{entity name=\"ruaqtok3lymy2tb/r9c7ta6dbzm=\" hash=\"bcf24f9dec573fe8\" type=\"user\" risk=45 showRiskBall=false}} attempted to log in, having only had 1 day with login attempts.","ProviderName":"SecureAuth User Risk","Risk":"Low","Score":32,"Message":null}],"Status":"Success","Message":[]}|
The log includes this information:
| Type of log component | Log component from sample log entry above |
|---|---|
| User's current risk score | `"Score":32` |
| Change from last risk score | `"ScoreChange":"-10"` |
| Type of risk | `"Threat":"Potential Account Misuse"` |
| Reason for change of score / analysis of risk | `"Alert":"It was very unusual that {{entity name=\"ruaqtok3lymy2tb/r9c7ta6dbzm=\" hash=\"bcf24f9dec573fe8\" type=\"user\" risk=45 showRiskBall=false}} attempted to log in, having only had 1 day with login attempts."` |
| Adaptive Authentication risk level (based on the configured threshold) | `risk=45` |
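As an added example (not part of the SecureAuth documentation), the following Python parser reads lines in the AnalyzeAPI log format shown above and pulls out the components listed in the table, which is the shape a SIEM ingest or detection rule would need. The sample line is a constructed copy of the entry above; the function names `parse_log_line` and `parse_entity` are my own.

```python
import json
import re
from typing import Optional

# Constructed sample line in the D:\SecureAuth\AnalyzeAPILogs format (copied from the page).
SAMPLE_LINE = (
    '2018/11/12 20:10:35.484|Trace|'
    'SecureAuth.AnalyzeEngine.API.Controllers.API.V1.UserRiskController|'
    '[LogResponse] Response: {"RiskScores":[{"ScoreChange":"-10","LastActivity":"1541304000",'
    '"PreDecayedScore":"0","DecayedToTimestamp":"0","Category":"Active Directory",'
    '"Threat":"Potential Account Misuse","Alert":"It was very unusual that '
    '{{entity name=\\"ruaqtok3lymy2tb/r9c7ta6dbzm=\\" hash=\\"bcf24f9dec573fe8\\" '
    'type=\\"user\\" risk=45 showRiskBall=false}} attempted to log in, having only had '
    '1 day with login attempts.","ProviderName":"SecureAuth User Risk","Risk":"Low",'
    '"Score":32,"Message":null}],"Status":"Success","Message":[]}|'
)

ENTITY_RE = re.compile(r"\{\{entity\s+(.*?)\}\}")          # the {{entity ...}} template in Alert
ATTR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s}]+))')       # key="quoted" or key=bare


def parse_entity(alert: str) -> dict:
    """Extract the entity attributes (name, hash, type, risk, ...) from an Alert string."""
    m = ENTITY_RE.search(alert)
    if not m:
        return {}
    attrs = {k: (q if q else b) for k, q, b in ATTR_RE.findall(m.group(1))}
    if "risk" in attrs:
        attrs["risk"] = int(attrs["risk"])   # risk=45 -> 45
    return attrs


def parse_log_line(line: str) -> Optional[dict]:
    """Split a pipe-delimited log line and decode the [LogResponse] JSON; None if not a response."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) < 4 or "Response:" not in parts[3]:
        return None
    timestamp, level, component, rest = parts
    start, end = rest.find("{"), rest.rfind("}")       # JSON body sits between first { and last }
    if start < 0 or end < start:
        return None
    body = json.loads(rest[start:end + 1])
    scores = []
    for rs in body.get("RiskScores", []):
        entity = parse_entity(rs.get("Alert") or "")
        scores.append({
            "score": int(rs["Score"]),                # user's current risk score
            "score_change": int(rs["ScoreChange"]),   # change from last risk score
            "threat": rs.get("Threat"),               # type of risk
            "risk_level": rs.get("Risk"),             # Low / Medium / High label
            "alert": rs.get("Alert"),                 # reason for change / analysis
            "entity_hash": entity.get("hash"),        # hashed user reference
            "entity_risk": entity.get("risk"),        # risk=NN inside the alert template
        })
    return {"timestamp": timestamp, "level": level, "component": component.rsplit(".", 1)[-1],
            "status": body.get("Status"), "risk_scores": scores}
```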