Security anomalies
An anomaly is behavior by a particular source that is outside of the “normal” timeframe or scope of the particular database or user's activity. Anomaly detection can indicate a security violation, even if the activities themselves do not directly violate an existing security policy.
Each rule, except for Server encounter first time in the audit, sets the TRUST LEVEL score to MEAN in the Session report. For all rules, the messages are generated in the Connection Exceptions report when a suspicious activity is found.
Note: The Connection Exceptions report data displays in managed user environments, unless you populate the Exception table on the central manager.
In addition, anomaly detection begins after Guardium detects a sufficient number of unique connections. The number of "sufficient connections" to detect anomalies is based on your environment and set without user involvement, but it is always greater than 1000 connections.
The Security anomalies policy contains the following rules:
- Suspicious client connection: This rule identifies when a new client connects to a server. Any unknown client hostname that is encountered after Guardium® detects a sufficient number of connections is considered suspicious.
- Suspicious DB user connection: The S-TAP encountered an unknown or unexpected database type. Any unknown DB user connection that is encountered after Guardium detects a sufficient number of connections is considered suspicious.
- Suspicious OS user and DB user combination connection: An unexpected combination of OS user and database user was detected. Any new combination of DB user and OS user after Guardium detects a sufficient number of connections is considered suspicious.
- Suspicious OS user connection: A new OS user connected to a server. Any unknown OS user that is encountered after Guardium detects a sufficient number of connections is considered suspicious.
- Unexpected DB type per server IP identification: A new database user connected to a server. Any unknown database user that connects to a specific server after Guardium detects a sufficient number of connections is considered suspicious.
- Unexpected command on connection start: An unexpected command was used at the connection start. Any new command on connection start that is seen after Guardium detects a sufficient number of connections is considered suspicious.
- Unexpected error on connection start: An unexpected error occurred at the connection start. Any new error on connection start that is seen after Guardium detects a sufficient number of connections is considered suspicious.
- Unexpected client time zone: Any client connection from a new time zone that is seen after Guardium detects a sufficient number of connections is considered suspicious.
- Unexpected authentication type: The client connected by using an unexpected authentication type. Any new authentication type for this client that is seen after Guardium detects a sufficient number of connections is considered suspicious.
- Unexpected authentication type for this DB type: An unexpected authentication type was used for this database. Any new authentication type for this database type that is seen after Guardium detects a sufficient number of connections is considered suspicious.
- Unexpected client OS name: A new client OS connected to a server. Any unknown client OS name that is encountered after Guardium detects a sufficient number of connections is considered suspicious.
- Server encounter first time in the audit: An unknown S-TAP is found for this server IP address. The first time a previously unseen server connects is considered an anomaly.
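The following is an added illustration, not Guardium code, of how these rules behave as a baseline-then-alert detector: every rule learns the values it sees during the learning phase, and only values first seen after the connection threshold produce an exception, with all rules but "Server encounter first time in the audit" lowering the trust level to MEAN. The record field names, the sample connections and the tiny threshold of 3 are constructed for the example (the product's threshold is always greater than 1000).

```python
from collections import defaultdict
# Attribute(s) each rule baselines. Rule names are the page's; the record
# field names are constructed for this example, not Guardium's schema.
RULES = {
    "Suspicious client connection": ("client_host",),
    "Suspicious DB user connection": ("db_user",),
    "Suspicious OS user and DB user combination connection": ("os_user", "db_user"),
    "Suspicious OS user connection": ("os_user",),
    "Unexpected DB type per server IP identification": ("server_ip", "db_type"),
    "Unexpected command on connection start": ("first_command",),
    "Unexpected error on connection start": ("first_error",),
    "Unexpected client time zone": ("client_tz",),
    "Unexpected authentication type": ("client_host", "auth_type"),
    "Unexpected authentication type for this DB type": ("db_type", "auth_type"),
    "Unexpected client OS name": ("client_os",),
    "Server encounter first time in the audit": ("server_ip",),
}
# The only rule that does not lower the session TRUST LEVEL to MEAN.
NO_TRUST_CHANGE = {"Server encounter first time in the audit"}

class AnomalyDetector:
    def __init__(self, min_connections=1000):
        self.min_connections = min_connections  # learning ends past this
        self.unique = set()                     # distinct connections seen
        self.seen = defaultdict(set)            # rule -> observed key tuples

    def observe(self, conn):
        """Record one connection; return [(rule, trust_level)] exceptions."""
        learning = len(self.unique) < self.min_connections
        exceptions = []
        for rule, fields in RULES.items():
            key = tuple(conn.get(f) for f in fields)
            if key not in self.seen[rule]:
                self.seen[rule].add(key)  # new value: learn it either way
                if not learning:          # ...but only report after baseline
                    trust = None if rule in NO_TRUST_CHANGE else "MEAN"
                    exceptions.append((rule, trust))
        self.unique.add(tuple(sorted(conn.items())))
        return exceptions

BASE = {"client_host": "app1", "db_user": "appuser", "os_user": "svc",
        "server_ip": "10.0.0.5", "db_type": "ORACLE", "first_command": "SELECT",
        "first_error": None, "client_tz": "UTC", "auth_type": "password",
        "client_os": "Linux"}  # constructed sample connection record

def run_demo(threshold=3):
    # threshold is tiny only so the demo fits; the product's is > 1000
    det = AnomalyDetector(min_connections=threshold)
    for host in ("app1", "app2", "app3"):  # baseline: three known clients
        det.observe(dict(BASE, client_host=host))
    from_laptop = det.observe(dict(BASE, client_host="laptop-x", os_user="jsmith"))
    new_server = det.observe(dict(BASE, server_ip="10.0.0.9"))
    return from_laptop, new_server
```

Note that a new value seen while still learning is absorbed into the baseline silently, which is why the size of the learning set matters for what later counts as "unknown".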