D3-RAPA

Detect
Resource Access Pattern Analysis

Definition

Analyzing the resources accessed by a user to identify unauthorized activity.

How it works

This technique analyzes a user's resource accesses by comparing the user's recent activity against a baseline activity model. Major differences between the current activity and the baseline model might indicate unauthorized activity if they are severe enough.

Considerations

Potential for false positives from anomalies that are not associated with malicious activity.

Attackers that move low and slow may not differentiate their resource access activity behavior enough to trigger an alert.

References

Reference - Host intrusion prevention system using software and user behavior analysis - Sophos Ltd Reference - Method and Apparatus for Network Fraud Detection and Remediation Through Analytics - Idaptive LLC Reference - Modeling user access to computer resources - Daedalus Group LLC (formerly IBM) Reference - System, method, and computer program product for detecting and assessing security risks in a network - Exabeam Inc Reference - System and method thereof for identifying and responding to security incidents based on preemptive forensics - Palo Alto Networks Inc