The present disclosure relates to an automated mechanism to obtain detailed forensic analysis of file access, and more specifically, to automatically obtaining detailed information related to file accesses to determine file access patterns and detect abnormal file access patterns.
Generally, people and organizations rely on multiple software applications. Each user generally has a set of permissions that specifies which files or data the user may access. These permissions may be file specific, allowing the user to access each file in a certain way, such as read only, read and write, or otherwise. Often, a set of permissions is configured per user for sets of files, for example at a directory level. In such cases, a user may have one level of access to a set of files in a particular directory, such as their personal directory, and another level of access to another directory, such as a network share.
Users typically use multiple applications, which may be stored in a common storage partition. These applications may be configured, for example automatically during setup or by an administrator, with generous permission levels, creating a security risk. Generally, application administrators have very little or no detailed knowledge of how users access specific files. Rather, administrators generally configure permissions at, for example, the directory level, or broadly for sets of users. However, configuring permissions using such broad settings can present an unnecessary security risk, as excessive permissions may allow an attacker to more easily access and exfiltrate data. What is needed is a mechanism by which to automatically determine typical file access patterns and detect abnormal file access attempts.
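The following is an added illustration, not part of the disclosure, of the gap described above: a directory-level permission check passes an access that nevertheless departs from a user's learned access pattern, and the learned pattern also exposes granted-but-unused permissions. The grants, the audit events and the user name are constructed for the example.

```python
"""Baseline-and-deviation check for file accesses (added example, not from the disclosure).

Assumptions (constructed): access events are (user, path, op) tuples as an audit agent
might emit them; GRANTS holds broad, directory-level permissions per user.
"""
from collections import defaultdict
import posixpath

# Constructed directory-level grants: user -> {directory: set(ops)}
GRANTS = {
    "alice": {"/home/alice": {"read", "write"}, "/share/finance": {"read", "write"}},
}

# Constructed baseline window: what alice actually did during normal operation.
BASELINE = [
    ("alice", "/home/alice/notes.txt", "read"),
    ("alice", "/home/alice/notes.txt", "write"),
    ("alice", "/share/finance/q1.xlsx", "read"),
]

# Constructed later window; the second event is permitted but was never seen before.
NEW_EVENTS = [
    ("alice", "/home/alice/todo.txt", "write"),
    ("alice", "/share/finance/payroll.csv", "write"),
]

def is_permitted(grants, user, path, op):
    """Directory-level permission check, as the broad configuration would enforce it."""
    return any(path.startswith(d + "/") and op in ops
               for d, ops in grants.get(user, {}).items())

def build_profile(events):
    """Per user, the set of (directory, op) pairs observed: the learned access pattern."""
    profile = defaultdict(set)
    for user, path, op in events:
        profile[user].add((posixpath.dirname(path), op))
    return profile

def find_deviations(profile, events):
    """Accesses that fall outside the learned pattern, whether or not they are permitted."""
    return [e for e in events if (posixpath.dirname(e[1]), e[2]) not in profile[e[0]]]

def unused_grants(grants, profile):
    """Granted (directory, op) pairs never exercised in the baseline: candidates for tightening."""
    return [(user, d, op)
            for user, dirs in grants.items()
            for d, ops in dirs.items()
            for op in sorted(ops)
            if (d, op) not in profile[user]]
```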