About 20 years ago, the Internet security problem emerged when personal, business, educational, government and other computing devices from across the world were opened up and connected into a single global network. Connecting these devices created numerous new attack vectors that enable Internet criminals, or cyber criminals, to intrude upon online assets, penetrate corporate infrastructure and illegally obtain corporate and personal assets.
In recent years there have been multiple public incidents of large security breaches in which corporate and personal data was stolen and the damage was substantial. Such a cyber-attack typically includes two stages: a) obtaining corporate credentials, whether by attacking the corporation directly, by stealing them from personal equipment, or simply by paying an internal employee to perform tasks for the use and/or benefit of the attacker; and b) using the obtained credentials to carry out the crime: stealing confidential corporate files, extracting end-customers' personal and financial data, embedding illegal software, monitoring internal activities and reporting them externally, and more.
Numerous approaches and technologies for combating the Internet security problem have been developed, e.g., network-based gateways that prevent malware from penetrating the organization, and malware identification products. This approach still constitutes the main portion of all security technologies and is somewhat successful. In parallel, hardware and software developers have invested in raising the underlying security assurances of computing platforms and applications, making software more secure by design.
Security Information and Event Management (SIEM) systems, e.g., IBM® Security QRadar® SIEM, McAfee Enterprise Security Manager, HP ArcSight ESM SIEM, RSA Security Analytics and Splunk® Log Management, target the collection of logs of almost every activity in an organization and the correlation of these logs, and provide an analytics layer based on predetermined rules, customer-developed rules, integrations with other security systems, security incident investigation tools, etc.
In the last few years, cyber security breaches in which attackers acquire valid corporate credentials have become more prevalent. The credentials can be obtained by social engineering, by simply paying for them, or by paying someone who already holds corporate credentials to serve the attacker's needs. Corporations have started protecting against attacks performed internally with such obtained credentials by aiming to harvest all log files collected at the corporate level and, instead of employing static rule-based technologies, employing anomaly detection algorithms based on machine learning, data mining, artificial intelligence and similar techniques. These anomaly detection algorithms identify misuse of valid corporate credentials by identifying deviations from the normal behavior of the credentials' legitimate owners. If the attacker, or the legitimate user acting on the attacker's behalf, performs harmful operations, these can be identified by detecting a deviation from that user's normal operation patterns.
Most user-behavior analysis solutions share a common flow. Logs containing events, each comprising a name and an associated value, are obtained from log repositories and transformed into a more uniform and correlated layer of events, with additional contextual data added to the parameters of the events.
However, due to the large variance between people, present rule-based user-behavior analysis solutions produce an unmanageable number of suspected anomalies. For example, in an organization of 1,000 employees, a user-behavior analysis system may produce thousands of daily alerts for suspicious events detected in the logs. This volume cannot be handled by a security expert who is required to check each suspicious event. Thus, a more efficient solution is required, one that provides manageable results and alerts only on selected suspicious events, which are not necessarily rule-based.
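The flow described in the three paragraphs above (normalizing raw log lines into named events with values and context, then comparing each user against their own normal pattern rather than against a fixed rule) can be made concrete with a small worked example. The following is an added illustration, not code from the original document or from any of the products it names. The log lines, the directory lookup used for context, the per-user statistics and the alert thresholds are all constructed assumptions chosen to show why a fixed threshold over-alerts on a legitimately heavy user while a per-user baseline flags only the genuine deviation.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (assumption: not from any real product). One line
# per user per day, recording how many files the user downloaded from a file share.
# "alice" is an analyst whose job involves heavy daily downloads; "bob" is an
# engineer who normally touches a handful of files, until day 10.
_ALICE = [90, 95, 88, 92, 97, 91, 89, 94, 96, 93]
_BOB = [3, 4, 2, 5, 3, 4, 3, 2, 4, 60]
RAW_LOGS = []
for day, (a, b) in enumerate(zip(_ALICE, _BOB), start=1):
    RAW_LOGS.append(f"2024-03-{day:02d} fileshare user=alice action=download count={a}")
    RAW_LOGS.append(f"2024-03-{day:02d} fileshare user=bob action=download count={b}")

# Constructed directory used to add contextual data to events (assumption: a real
# deployment would join this from HR or identity-provider data).
DIRECTORY = {"alice": "finance-analytics", "bob": "engineering"}

LINE_RE = re.compile(
    r"^(?P<day>\S+) (?P<source>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) count=(?P<count>\d+)$"
)


def normalize(raw_lines):
    """Turn raw lines into uniform events: a name ("fileshare.download"), a numeric
    value, and contextual fields joined from the directory."""
    events = []
    for line in raw_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole batch
        events.append({
            "day": m["day"],
            "user": m["user"],
            "name": f"{m['source']}.{m['action']}",
            "value": int(m["count"]),
            "department": DIRECTORY.get(m["user"], "unknown"),
        })
    return events


def static_rule_alerts(events, threshold=50):
    """Rule-based approach: alert whenever a single value exceeds a fixed threshold."""
    return [e for e in events if e["value"] > threshold]


def baseline_alerts(events, z_threshold=3.0, min_history=5, min_std=1.0):
    """Per-user baseline: score each day against the same user's other days
    (leave-one-out z-score) and alert only on large deviations from that user's norm."""
    by_user = defaultdict(list)
    for e in events:
        by_user[(e["user"], e["name"])].append(e)
    alerts = []
    for history in by_user.values():
        for i, e in enumerate(history):
            others = [h["value"] for j, h in enumerate(history) if j != i]
            if len(others) < min_history:
                continue  # cold start: too little history to call anything abnormal
            # Floor the spread so near-constant users do not yield hair-trigger scores
            # (and so a zero standard deviation never divides by zero).
            std = max(pstdev(others), min_std)
            z = (e["value"] - mean(others)) / std
            if abs(z) >= z_threshold:
                alerts.append({**e, "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    evs = normalize(RAW_LOGS)
    print(len(static_rule_alerts(evs)), "static-rule alerts")
    for a in baseline_alerts(evs):
        print("baseline alert:", a)
```

With these constructed inputs the fixed threshold fires eleven times in ten days (every day for alice, who is simply a heavy user, plus bob's day 10), whereas the per-user baseline fires once, on bob's day 10. The `min_history` and `min_std` parameters are the two practical caveats a deployment has to decide: how much history a user needs before deviations are trusted, and how to keep users with almost no variance from alerting on trivial changes.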