Outliers

When the feature flags are enabled, Guardium Insights uses Outliers to automatically identify abnormal server and user behavior, providing early detection of possible attacks.

The Outliers feature looks for anomalies on the database and database user level. It studies normal behavior of a database over a certain period and builds a statistical model based on these observations. It then flags outliers of this model to identify potential risks, such as a certain user who normally works a regular 9-5 workday but one day logs in during the weekend.

An outlier is defined as statistically abnormal behavior by either a database or a particular user on a database: activity that occurs in a time period outside the “normal” time frame, or activity outside the scope of that database's or user's usual activity. Outliers can indicate a security violation that is taking place, even if the activities themselves do not directly violate an existing security policy.

For example, if the Outliers engine alerts you to a high volume of failed log-ins or exceptions, these alerts can indicate brute force attacks or SQL injection, perhaps from a disgruntled employee or a compromised user account that is making harmful changes or extracting large amounts of data.

In other words, the Outliers feature can be a valuable tool for identifying danger in actions that are not inherently dangerous on their own, and that standard safeguards might overlook.

User activity that is identified as a suspected outlier includes:

  • When a user accesses a table for the first time.
  • When a user selects specific data in a table that they never selected before.
  • Exceptional volume of errors. For example, an application generates more SQL errors than it has in the past. This volume might indicate that an SQL injection attack is in progress.
  • Activity that itself is unexceptional, but its volume is unusual.
  • Activity that itself is unexceptional, but the time of activity is unusual. For example, a DBA is accessing a particular table more frequently than in the past. This frequency might indicate that the DBA is slowly downloading small amounts of data over time.

Database activity that is identified as a suspected outlier includes:

  • Exceptional volume of errors.
  • Activity that itself is unexceptional, but its volume is unusual.
  • Activity that itself is unexceptional, but the time of activity is unusual.

The Outliers engine identifies the following five elements as indicators for potential Outliers, and scans for these elements every hour:

  • Verbs: Actions that can indicate suspicious intent.
  • Objects: Objects on which the actions were run.
  • Verbs + Objects: For example, when a user makes certain selections in a certain table.
  • Application: The source program used to connect. For example, a user who usually connects from MySQL connected from a different client.
  • Connection: The client IP.

When the Outliers engine finds outliers among these elements, it categorizes them into one of the following six types:

  • High volume of activities: A volume of activities far beyond the norm that the statistical model observed for user and database behavior.
  • Exceptions: A high volume of exceptions, or error types.
  • New: A high volume of new activity.
  • Vulnerable activities: A high volume of activity on object groups that Guardium considers vulnerable (you can configure what is considered vulnerable in the settings).
  • Diverse activities: A high diversity of activities. To clarify, it is the high diversity, rather than the high volume, of the activities that characterizes this Outliers type.
  • Ongoing: Each outlier is assigned an hourly score. If a particular outlier scores close to the threshold for a few hours straight, but does not quite pass the threshold, it is of the Ongoing type.
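The following is an added illustration, not IBM's code and not the Guardium engine's actual statistical model: it builds a baseline from constructed audit records for one database user, checks the five elements (verb, object, verb+object, application, connection) for each hour, and assigns the High volume, Exceptions, New, Diverse and Ongoing types described above. The record layout, the z-score threshold, the "near threshold" band and the streak length are all assumptions; Vulnerable activities is omitted because it depends on a configured object group.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed audit records for one database user (hypothetical values):
# (hour_index, verb, object, source_program, client_ip). Baseline working
# pattern: five selects on "orders" per hour from 09:00 to 17:59, else idle.
BASELINE = [(h, "select", "orders", "mysql", "10.0.0.5")
            for h in range(24) if 9 <= h < 18 for _ in range(5)]
# The five elements the engine scans, as extractors over a record.
ELEMENTS = {"verb": lambda e: e[1], "object": lambda e: e[2],
            "verb+object": lambda e: (e[1], e[2]),
            "application": lambda e: e[3], "connection": lambda e: e[4]}

def build_profile(events, hours=24):
    """Statistical model: hourly volume mean/sd plus every element value seen."""
    per_hour = Counter(e[0] for e in events)
    vols = [per_hour[h] for h in range(hours)]
    return {"mean": mean(vols), "sd": pstdev(vols) or 1.0,
            "seen": {k: {f(e) for e in events} for k, f in ELEMENTS.items()}}

def score_hour(profile, events, errors=0, threshold=3.0):
    """Score one hour of activity; return (volume z-score, set of Outliers types)."""
    score = (len(events) - profile["mean"]) / profile["sd"]
    types = set()
    if score > threshold:
        types.add("High volume")
    if errors > threshold:            # simplification: raw error count vs threshold
        types.add("Exceptions")
    for name, f in ELEMENTS.items():  # any never-seen verb/object/app/client IP
        if any(f(e) not in profile["seen"][name] for e in events):
            types.add("New")
    distinct = {(e[1], e[2]) for e in events}
    if len(distinct) > 3 * len(profile["seen"]["verb+object"]):
        types.add("Diverse")          # high diversity, not high volume
    return score, types

def scan_hours(profile, hourly, threshold=3.0, near=0.7, streak=3):
    """Score consecutive hours; add 'Ongoing' when the score sits just below
    the threshold for `streak` hours in a row without ever crossing it."""
    results, scores = [], []
    for events, errors in hourly:
        score, types = score_hour(profile, events, errors, threshold)
        scores.append(score)
        recent = scores[-streak:]
        if len(recent) == streak and all(near * threshold <= s < threshold for s in recent):
            types.add("Ongoing")
        results.append(types)
    return results
```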

Each hour in which the Outliers engine finds outliers, the Outliers feature displays a new report in the summary reports page with a list of which Outliers types were found. Each row that lists an Outliers type in the summary report might be tied to many rows of Outliers details. These details are displayed separately in the details report.

The outliers that are identified by the Outliers engine and displayed in the reports page as output also serve as input for the Risk Events feature. In Risk Events, you can decide whether to merely view the input in a drill-down in the Reports page, or take further action in the Risk Events UI.

The following table lists some example use cases that might appear in the reports or in Risk Events, each anchored to one of the Outliers types. Refer to the use case table to understand the kinds of risks that the Outliers listed in your summary and details reports might indicate.

Use case                                         | Outliers type             | Details
-------------------------------------------------|---------------------------|----------------------------------------------------------------------------
Excessive data extraction                        | High volume               | Verb = select
Excessive data modification (DML)                | High volume               | Verb = insert or update
Access from a new connection                     | New                       | Source program (new application), new OS user, new client IP
Excessive activity from a connection             | High volume               | Source program (new app), OS user, client IP
Abnormal number of errors                        | Error                     | Verb = activity that caused the error
Abnormal type of SQL operation                   | New                       | Any verb the SQL did not engage in before and now did run
Abnormal working hours                           | High volume, New, Diverse | Verb
Excessive privileges granted by a user           | High volume               | Verb = grant
Schema tampering                                 | High volume, New          | Verb = drop of schema elements (function, package, table, view, and others)
High number of different (unique) activity types | Diverse                   | Verb

Outliers data comes from either Guardium® Data Protection, Guardium Insights, or both. You can read about your options for data streams in the Feature flag topic.