Outliers detection clustering
User clustering divides the system's users into clusters based on their activity. During the outliers scoring process, outliers detection compares the activity of the users in a group. Analyzing groups of users increases the accuracy of the results, and decreases the number of false positives.
When a user's activity is unusually high, or has many errors, Guardium compares its activity with its cluster’s activity and changes the user scores, as relevant.
The clustering algorithm runs periodically, moving users into a different cluster group as relevant. The outlier log /opt/IBM/Guardium/analytic/outlier_out/outlier.log details changes in the outliers scoring process. (The userClustering.log, also in this folder, is used by support only.)
- clusteringScheduleIntervals: The frequency, in hours, at which the clustering algorithm runs.
- minNumIntervalsForFirstClustering: the number of periods, in hours, until the initial clustering of users.