Outliers detection clustering

User clustering divides the system's users into clusters based on their activity. During the outliers scoring process, outliers detection compares the activity of the users in a group. Analyzing groups of users increases the accuracy of the results, and decreases the number of false positives.

When a user's activity is unusually high, or produces many errors, Guardium compares that activity with the activity of the user's cluster and adjusts the user's score accordingly.

The clustering algorithm runs periodically, moving users into a different cluster group as relevant. The outlier log /opt/IBM/Guardium/analytic/outlier_out/outlier.log details changes in the outliers scoring process. (The userClustering.log, also in this folder, is used by support only.)

User clustering is enabled by default, and it is recommended to leave the configuration at its default. The configuration is controlled by the following parameters of the API command set_outliers_detection_parameter:
  • clusteringScheduleIntervals: The frequency, in hours, at which the clustering algorithm runs.
  • minNumIntervalsForFirstClustering: The number of periods, in hours, until the initial clustering of users.
To disable user clustering, set both of these parameters to 0.
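The following is an added, simplified illustration of why scoring a user against its own cluster rather than against all users changes the result; it is not Guardium's algorithm or code (the page does not describe the actual scoring), and the user names, activity counts and threshold are constructed. The same spike in a low-volume analyst account is invisible against a population dominated by high-volume ETL accounts but stands out against its own cluster.

```python
"""Simplified illustration of cluster-relative outlier scoring (not Guardium's
actual algorithm): each user's latest activity count is scored against the
history of the users in the same cluster instead of against all users."""
from statistics import mean, pstdev

# Constructed sample data: user -> (cluster assigned by the clustering step,
# daily activity counts; the last entry is the day being scored).
ACTIVITY = {
    "etl_batch_1": ("etl", [9800, 10200, 9900, 10100, 10050]),
    "etl_batch_2": ("etl", [9500, 9700, 10300, 9900, 10000]),
    "analyst_a":   ("analyst", [120, 140, 110, 130, 125]),
    "analyst_b":   ("analyst", [100, 115, 130, 120, 600]),   # genuine spike
}
THRESHOLD = 3.0   # |z| above this value counts as an outlier (constructed)


def _zscore(value, history):
    """Absolute z-score of value against a list of historical counts."""
    sd = pstdev(history)
    return abs(value - mean(history)) / sd if sd else 0.0


def score(user, by_cluster=True):
    """Score the user's latest day against its peers' earlier days.

    by_cluster=True restricts the peer set to the user's cluster;
    by_cluster=False pools every user, which hides a small-volume user's
    anomaly behind the spread of the whole population."""
    cluster = ACTIVITY[user][0]
    peers = [u for u, (c, _counts) in ACTIVITY.items()
             if not by_cluster or c == cluster]
    history = [v for u in peers for v in ACTIVITY[u][1][:-1]]
    return _zscore(ACTIVITY[user][1][-1], history)


def outliers(by_cluster=True):
    """Users whose latest day exceeds THRESHOLD under the chosen baseline."""
    return sorted(u for u in ACTIVITY if score(u, by_cluster) > THRESHOLD)


if __name__ == "__main__":
    for mode, flag in (("pooled", False), ("per-cluster", True)):
        print(f"{mode:12s} outliers: {outliers(flag)}")
        for u in ACTIVITY:
            print(f"  {u:12s} z={score(u, flag):6.2f}")
```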