Outliers

Guardium Insights uses Outliers to automatically identify abnormal server and user behavior, providing early detection of possible attacks.

The Outliers feature looks for anomalies in activity on a database or by a database user. It studies this activity over a certain period and builds a statistical model based on these observations. It then flags deviations in the statistical model to identify potential risks. These deviations are called outliers. They are based on the abnormality in the type of activity that is done, the time of the activity, the source of the activity, or a combination. For example, an outlier can be a user that usually queries the database 10 times a day and one day queries the database 1000 times instead.

In this example or any other, it is the deviation of the activity that creates outliers. This way, the Outliers feature can indicate a security violation that is taking place, even if the activities themselves do not directly violate an existing security policy. Therefore, it can be a valuable tool for identifying danger in actions that are not dangerous on their own and that standard safeguards might overlook.

For example, if the Outliers engine alerts you to a high volume of failed logins or exceptions, these alerts can indicate brute force attacks or SQL injections, perhaps from a disgruntled employee or a hacked user account that is making bad changes or extracting large amounts of data.

Keep in mind that not all outliers flagged by the Outliers engine indicate a potential attack. Some abnormal activities are benign, but the Outliers engine flags them nevertheless, such as when a user or application is doing maintenance work.

The statistical model that the Outliers feature is based on first takes an initial learning period to build itself. The default duration of that initial learning period is 7 days, but it can be adjusted in settings. After the learning period is over, the statistical model does an iteration of calculations every hour, and continuously updates itself based on these hourly calculations.

Examples of user activities that can be detected as outliers include:

  • When a user accesses a table for the first time.
  • When a user selects specific data in a table that they never selected before.
  • An exceptional volume of errors. For example, an application generates more SQL errors than it has in the past. This volume might indicate that an SQL injection attack is in progress.
  • Activity that itself is unexceptional, but its volume is unusual.
  • Activity that itself is unexceptional, but the time of activity is unusual. For example, a DBA is accessing a particular table more frequently than in the past. This frequency might indicate that the DBA is slowly downloading small amounts of data over time.

Examples of database activities that can be detected as outliers include:

  • Exceptional volume of errors.
  • Activity that itself is unexceptional, but its volume is unusual.
  • Activity that itself is unexceptional, but the time of activity is unusual.

The Outliers engine identifies the following five elements, per user and database, as indicators for potential outliers. It scans for these elements every hour:

Verbs (commands)
Actions that can indicate suspicious intent.
Objects
Objects on which the actions were run.
Verbs + Objects
For example, when a user makes certain selections in a certain table.
Application
The source program used to connect. For example, a user who usually connects from MySQL connected from a different client.
Connection
The client IP.

When the Outliers engine finds outliers among those elements, it categorizes them into one or more of the following six outliers types:

High volume of activities
A high volume of activities far past the norm that the statistical model observed for user and database behavior.
Exceptions
A high volume of exceptions, or error types.
New
A high volume of new activity.
Vulnerable activities
A high volume of activity on object groups that Guardium considers vulnerable. (You can configure what is considered vulnerable in settings.)
Diverse activities
A high volume of diverse activities. To clarify, it is the high diversity of the activities, rather than the high volume of the activities, that characterizes this outliers type.
Ongoing
Each outlier is assigned an hourly score. If a particular outlier score is close to the threshold for a few hours straight, but doesn't quite pass the threshold, this outlier is of an ongoing type. This outlier type exists to detect activity that tries to hide under the radar.
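
The sketch below shows how an hourly score against a learned baseline can produce the High volume, New, and Ongoing types described above. It is an added example, not Guardium's algorithm or code. The z-score, the threshold value, the "close to the threshold" margin, and the three-hour streak are all assumptions, because this page does not specify them, and the baseline is held fixed after learning to keep the example short.

```python
from statistics import mean, pstdev

# All three constants are assumptions made for this example.
THRESHOLD = 3.0     # hourly score at or above this is an outlier
NEAR_MARGIN = 0.8   # "close to the threshold" = at least 80% of it
ONGOING_HOURS = 3   # "a few hours straight"

def build_baseline(learning_hours):
    """learning_hours: one dict per hour, {(verb, object): count}, for one user."""
    totals = [sum(h.values()) for h in learning_hours]
    seen = {pair for h in learning_hours for pair in h}
    return {"mean": mean(totals), "std": pstdev(totals) or 1.0, "seen": seen}

def hourly_score(baseline, hour):
    """z-score of the hour's total activity against the learned baseline."""
    return (sum(hour.values()) - baseline["mean"]) / baseline["std"]

def classify(baseline, hours):
    """Return one set of outlier types per scored hour."""
    results, streak = [], 0
    for hour in hours:
        types, score = set(), hourly_score(baseline, hour)
        if score >= THRESHOLD:
            types.add("High volume")
            streak = 0
        elif score >= NEAR_MARGIN * THRESHOLD:
            streak += 1                       # under the threshold, but close
            if streak >= ONGOING_HOURS:
                types.add("Ongoing")
        else:
            streak = 0
        if set(hour) - baseline["seen"]:      # verb + object pair never seen
            types.add("New")
        results.append(types)
    return results

# Constructed sample data: a 7-day learning period (168 hours) for one user.
LEARNING = [{("select", "orders"): n} for n in (8, 10, 12) * 56]
SCORED = [
    {("select", "orders"): 10},                          # normal hour
    {("select", "orders"): 1000},                        # far past the norm
    {("select", "orders"): 14},                          # near threshold, hour 1
    {("select", "orders"): 14},                          # near threshold, hour 2
    {("select", "orders"): 14},                          # near threshold, hour 3
    {("select", "orders"): 9, ("drop", "orders"): 1},    # new verb on the table
]

if __name__ == "__main__":
    for n, types in enumerate(classify(build_baseline(LEARNING), SCORED), 1):
        print(f"hour {n}: {sorted(types) or 'no outlier'}")
```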

Each hour, if the Outliers engine found outliers, the Outliers feature displays a list of the Outliers types that it found in the Outliers summary report. Each row that lists an outliers type in the summary report is tied to one or many rows in the Outliers details report. Use the Outliers details report to drill down to the details of the suspicious activities listed in the Outliers summary report.

The Outliers that are identified and displayed in the reports page also serve as input for the Risk Events feature. In Risk Events, you can decide whether to merely view the input in a drill-down in the Reports page, or take further action in the Risk Events UI.

The following table displays some examples of use cases that might display in the reports or Risk Events, each anchored to one of the Outliers types. Refer to the use case table to understand the kinds of risks that the Outliers that are listed in your summary and details reports might indicate.

| Use case | Outliers type | Details |
|---|---|---|
| Excessive data extraction | High volume | Verb= select |
| Excessive data modification (dml) | High volume | Verb= insert or update |
| Access from a new connection | New | Source program (new application); New OS user; New client IP |
| Excessive activity from a connection | High volume | Source program (new app); OS user; Client IP |
| Abnormal number of errors | Error | Verb= activity that caused the error. |
| Abnormal type of SQL operation | New | Any verb the SQL did not engage in before and now did run |
| Abnormal working hours | High volume, New, Diverse | Verb |
| Excessive privileges granted by a user | High volume | Verb= grant |
| Schema tampering | High volume, New | Verb= drop of schema elements (function, package, table, view, and others) |
| High number of different (unique) activity types | Diverse | Verb |

Outliers data comes from either Guardium® Data Protection, Guardium Insights, or both. You can read about your options for data Streams in the Feature flag topic.