Security anomalies

An anomaly is behavior by a particular source that is outside of the “normal” timeframe or scope of the particular database or user's activity. Anomaly detection can indicate a security violation, even if the activities themselves do not directly violate an existing security policy.

Each rule, except for Server encounter first time in the audit, sets the TRUST LEVEL score to MEAN in the Session report. For all rules, the messages are generated in the Connection Exceptions report when a suspicious activity is found.
Note: The Connection Exceptions report data displays in managed user environments, unless you populate the Exception table on the central manager.

In addition, anomaly detection begins after Guardium detects a sufficient number of unique connections. The number of "sufficient connections" to detect anomalies is based on your environment and set without user involvement, but it is always greater than 1000 connections.

The Security anomalies policy contains the following rules:

Suspicious client connection
This rule identifies when a new client connects to a server. Any unknown client hostname that is encountered after Guardium® detects a sufficient number of connections is considered suspicious.
This rule generates exception messages in the Connection Exceptions report for each unique CLIENT_HOST_NAME that is identified as suspicious.

Suspicious DB user connection
A new database user connected to a server. Any unknown DB user connection that is encountered after Guardium detects a sufficient number of connections is considered suspicious.
This rule generates exception messages in the Connection Exceptions report for each unique DB_USER that is identified as suspicious.

Suspicious OS user and DB user combination connection
An unexpected combination of OS user and database user was detected. Any new combination of DB user and OS user that is encountered after Guardium detects a sufficient number of connections is considered suspicious.
This rule generates exception messages in the Connection Exceptions report for each unique OS_USER and DB_USER combination that is identified as suspicious.

Suspicious OS user connection
A new OS user connected to a server. Any unknown OS user that is encountered after Guardium detects a sufficient number of connections is considered suspicious.
This rule generates exception messages in the Connection Exceptions report for each unique OS_USER that is identified as suspicious.

Unexpected DB type per server IP identification
The S-TAP encountered an unknown or unexpected database type on a server. Any unknown database type that is seen on a specific server IP address after Guardium detects a sufficient number of connections is considered suspicious.
This rule generates exception messages in the Connection Exceptions report for each unique DB_TYPE that is identified as suspicious.

Unexpected command on connection start
An unexpected command was used at the connection start. Any new command on connection start that is seen after Guardium detects a sufficient number of connections is considered suspicious.
This rule generates exception messages in the Connection Exceptions report for each unique command on connection start that is identified as suspicious.

Unexpected error on connection start
An unexpected error occurred at the connection start. Any new error on connection start that is seen after Guardium detects a sufficient number of connections is considered suspicious.
This rule generates exception messages in the Connection Exceptions report for each unique error on connection start that is identified as suspicious.

Unexpected client time zone
Any client connection from a new time zone that is seen after Guardium detects a sufficient number of connections is considered suspicious.
This rule generates exception messages in the Connection Exceptions report for each unique client time zone that is identified as suspicious.

Unexpected authentication type
A client connected by using an unexpected authentication type. Any new authentication type for this client that is seen after Guardium detects a sufficient number of connections is considered suspicious.
This rule generates exception messages in the Connection Exceptions report for each unique authentication type that is identified as suspicious.

Unexpected authentication type for this DB type
An unexpected authentication type was used for this database type. Any new authentication type for this database type that is seen after Guardium detects a sufficient number of connections is considered suspicious.
This rule generates exception messages in the Connection Exceptions report for each new unique authentication type for this DB type that is identified as suspicious.

Unexpected client OS name
A client with an unknown OS name connected to a server. Any unknown client OS name that is encountered after Guardium detects a sufficient number of connections is considered suspicious.
This rule generates exception messages in the Connection Exceptions report for each new unique client OS name that is identified as suspicious.

Server encounter first time in the audit
An unknown S-TAP is found for this server IP address. The first time a previously unseen server connects is considered an anomaly.
This rule generates exception messages in the Connection Exceptions report each time that a new server is identified. In addition, this rule sets the TRUST LEVEL score to 0.7 in the Session report.