AI sessions processing

Fudo Enterprise is able to detect changes in user behavior and determine whether user credentials have been compromised. It can also alert the system administrator if there is an unusually high number of connections or a particular session is longer than expected.


Content models

Content models process and analyze RDP and SSH sessions in order to build behavioral user profiles. Based on these, Fudo Enterprise can detect even the slightest change in user behavior and help prevent a security breach.


RDP content model

The RDP model is based on mouse cursor movements.

The following requirements must be met in order to produce an RDP model:

Minimum:

  • 5 hours of session recordings per predictor,
  • 5 unique predictors (e.g. users).

Optimal:

  • 30 hours of session recordings,
  • 10 unique predictors.

Note

The RDP model’s quality depends on how consistently the user interacts with the monitored system. If the user has used different operating systems and input devices (e.g. different mice, a trackpad or a trackball), the resulting model will be less effective, as it has to tolerate a wider variety of behaviors.


SSH content model

The SSH content model is based on the keyboard input (commands).

The following requirements must be met in order to produce an SSH model:

Minimum:

  • 65 sessions recorded (25 unique commands minimum),
  • 5 unique predictors (e.g. users).

Optimal:

  • 300 sessions recorded per predictor,
  • 10 unique predictors (e.g. users).

Session scoring

Fudo Enterprise analyzes sessions in real-time and produces threat level scores (OK, LOW, HIGH) depending on how the user fares against the trained model.

Note

Sessions are processed in chunks containing a specific number of events. Processing is done in real time as long as there are workers available. When no workers are available, the affected parts of ongoing sessions are not analyzed.

Models are calibrated individually and session scores are presented on the session list.

Icon     Description
(icon)   Session under analysis, initial result - no threat.
(icon)   Session under analysis, initial result - medium threat level.
(icon)   Session under analysis, initial result - high threat level.
(icon)   Session awaiting analysis or being initially processed.
(icon)   Session not analyzed due to a missing trained model.
(icon)   Session processed - no risk.
(icon)   Session processed - medium threat level.
(icon)   Session processed - high threat level.
(icon)   Session processed - no result.

Note

When it comes to building user models, data quality is essential. If users share login credentials, the resulting model will be less likely to detect the variance in user behavior.

[Image: session threat-level icons (ncbr-en-sessions-circles.png)]

The Threat level popup contains the individual Threat Probability for each model that assessed the session. Threat Probability is a percentage value that reflects the threat level of the session. The logic behind the different icon colors is the following:

The no-threat icon is shown when Threat Probability is below 50%.

The medium-threat icon is shown when Threat Probability is above 50% but the underlying statistics of the model indicate that flagging at that level could produce a False Positive Rate above 5%. In that case a higher percentage threshold, individual to each User and ML Model pair, is derived during training to obtain the best results.

The high-threat icon (red circle) is shown when Threat Probability is above 50% and the False Positive Rate would stay below 5%. If the 5% False Positive Rate requirement cannot be met, the higher threshold described above is used instead, and the red circle appears once that threshold is exceeded.

[Image: session threat probability graph (sessions-threat-level-graph.png)]

The Session threat probability graph displays threat probability scores for specific periods of the session (called segments), based on the AI models’ predictions. A segment is a group of user actions for which the AI model makes an individual prediction.

Note

A session must be long enough for the prediction algorithms to run. The minimum session duration for launching AI model analysis is 3 segments (around 1 minute).

The graph also contains a link to the specific period of the session (segment) in the player, which allows the administrator to check the session in real time and react accordingly. The administrator can also analyze the results delivered by the AI models and adjust settings to act on future sessions, for example by adding a policy that sends a notification when a certain threat probability threshold is reached.
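The scoring rules above (a Threat Probability per model, a per User / ML Model threshold raised above 50% when the 5% False Positive Rate cannot otherwise be kept, the 3-segment minimum, and the OK / LOW / HIGH level shown in the session list) are easier to reason about as code. The block below is an added illustration, not Fudo Enterprise’s own implementation: the quantile rule for deriving the higher threshold, the use of the worst segment as the session’s score, and every score value are constructed assumptions.

```python
"""Illustrative session scoring built from the documented rules.

Added example, not Fudo Enterprise code. The product states only that a
higher, per User / ML Model threshold is derived during training; the
quantile rule used here and all numbers are constructed assumptions."""

from typing import Dict, Sequence

BASE_THRESHOLD = 0.50   # documented: Threat Probability below 50% is no threat
TARGET_FPR = 0.05       # documented: False Positive Rate must stay under 5%
MIN_SEGMENTS = 3        # documented: at least 3 segments (~1 minute) to score


def derive_threshold(legit_scores: Sequence[float],
                     target_fpr: float = TARGET_FPR) -> float:
    """Threshold chosen during training for one User / ML Model pair.

    `legit_scores` are the model's Threat Probabilities on the user's own
    (legitimate) training sessions. If the flat 50% cut would flag more than
    `target_fpr` of them, the threshold is raised so that at most that share
    of legitimate sessions scores above it (assumed quantile rule).
    """
    ordered = sorted(legit_scores)
    n = len(ordered)
    fpr_at_base = sum(s > BASE_THRESHOLD for s in ordered) / n
    if fpr_at_base <= target_fpr:
        return BASE_THRESHOLD
    allowed_above = int(target_fpr * n + 1e-9)   # legit sessions we may flag
    return max(BASE_THRESHOLD, ordered[n - allowed_above - 1])


def label(probability: float, threshold: float) -> str:
    """Map a Threat Probability to the documented OK / LOW / HIGH levels.

    Below 50%: OK. Between 50% and the derived threshold (inclusive): LOW,
    i.e. the medium icon. Strictly above the threshold: HIGH (red circle).
    """
    if probability < BASE_THRESHOLD:
        return "OK"
    if probability <= threshold:
        return "LOW"
    return "HIGH"


def score_session(segment_probs: Sequence[float], threshold: float,
                  finished: bool) -> Dict[str, object]:
    """Status for the session list, from per-segment Threat Probabilities.

    Fewer than MIN_SEGMENTS: still awaiting analysis. Otherwise the session
    carries the level of its worst segment (aggregating by the maximum is this
    example's choice), marked as an initial result while it is still running.
    """
    if len(segment_probs) < MIN_SEGMENTS:
        return {"status": "awaiting analysis", "level": None, "probability": None}
    worst = max(segment_probs)
    return {"status": "processed" if finished else "under analysis",
            "level": label(worst, threshold), "probability": worst}


# Constructed training scores for one user under the RDP model: 3 of 20
# legitimate sessions score above 50%, so a flat cut would give a 15% FPR.
LEGIT_RDP = [0.05, 0.08, 0.11, 0.14, 0.17, 0.19, 0.22, 0.25, 0.27, 0.30,
             0.33, 0.36, 0.39, 0.42, 0.45, 0.48, 0.49, 0.56, 0.62, 0.71]
# Same user under the SSH model: nothing above 50%, so 50% can stay.
LEGIT_SSH = [0.04, 0.07, 0.09, 0.12, 0.15, 0.18, 0.21, 0.24, 0.28, 0.31,
             0.33, 0.35, 0.38, 0.40, 0.41, 0.43, 0.44, 0.46, 0.47, 0.49]


def demo() -> Dict[str, Dict[str, object]]:
    """Score three constructed live sessions for this user."""
    thresholds = {"RDP": derive_threshold(LEGIT_RDP),
                  "SSH": derive_threshold(LEGIT_SSH)}
    sessions = {
        "rdp-typical":   ([0.10, 0.55, 0.58, 0.40], "RDP", True),
        "rdp-anomalous": ([0.20, 0.30, 0.66, 0.71], "RDP", False),
        "ssh-too-short": ([0.90, 0.90], "SSH", False),
    }
    return {name: score_session(probs, thresholds[model], done)
            for name, (probs, model, done) in sessions.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With the constructed RDP scores the derived threshold is 62%, so a segment at 58% shows the medium icon rather than the red circle, while 71% still trips it; the two-segment SSH session is too short to be scored at all.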

Note

Upgrading to Fudo Enterprise 5.3 removes the session scores calculated before the upgrade and introduces a new scoring algorithm. Detailed data is not available for sessions recorded before the upgrade.


Quantitative models

Fudo keeps track of the number of sessions as well as their length. It can alert the system administrator if there is an unusually high number of connections or a particular session is suspiciously long.

It does so by learning typical values for each user, account and server and making predictions for every hour and weekday.
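The following block shows what such a quantitative baseline looks like: typical values per (user, account, server) combination for every weekday and hour, plus a typical session length, and checks for an unusually high number of connections or a suspiciously long session against them. It is an added example, not Fudo’s implementation; the detection rule (mean plus three spreads, with an assumed minimum spread so a flat history does not flag every small deviation) and the four weeks of session history are constructed.

```python
"""Illustrative quantitative model: per (user, account, server) and
(weekday, hour) baselines for connection counts and session lengths.

Added example, not Fudo's own algorithm. The mean + sigma rule, the minimum
spreads and the session history are constructed assumptions."""

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, str, str]   # (user, account, server)
Slot = Tuple[int, int]       # (weekday, hour); weekday 0 is Monday


@dataclass(frozen=True)
class Session:
    user: str
    account: str
    server: str
    start: datetime
    minutes: float

    @property
    def key(self) -> Key:
        return (self.user, self.account, self.server)

    @property
    def slot(self) -> Slot:
        return (self.start.weekday(), self.start.hour)


class QuantitativeModel:
    def __init__(self, sigma: float = 3.0,
                 count_floor: float = 1.0, minutes_floor: float = 5.0):
        self.sigma = sigma                  # spreads above the mean that count as unusual
        self.count_floor = count_floor      # assumed minimum spread for hourly counts
        self.minutes_floor = minutes_floor  # assumed minimum spread for session length
        self.count_stats: Dict[Tuple[Key, Slot], Tuple[float, float]] = {}
        self.length_stats: Dict[Key, Tuple[float, float]] = {}

    def fit(self, sessions: Iterable[Session]) -> None:
        """Learn, per key and hour slot, how many sessions normally start there
        each week (weeks with none count as 0), and per key how long sessions
        normally run."""
        weekly: Dict[Tuple[Key, Slot, Tuple[int, int]], int] = defaultdict(int)
        lengths: Dict[Key, List[float]] = defaultdict(list)
        weeks = set()
        for s in sessions:
            week = s.start.isocalendar()[:2]        # (ISO year, ISO week)
            weeks.add(week)
            weekly[(s.key, s.slot, week)] += 1
            lengths[s.key].append(s.minutes)
        for key, slot in {(k, sl) for (k, sl, _w) in weekly}:
            counts = [weekly.get((key, slot, w), 0) for w in sorted(weeks)]
            self.count_stats[(key, slot)] = (mean(counts), pstdev(counts))
        for key, mins in lengths.items():
            self.length_stats[key] = (mean(mins), pstdev(mins))

    def check_hour(self, key: Key, slot: Slot, observed: int) -> Dict[str, object]:
        """Is `observed` connections in this hour slot unusually high?"""
        avg, spread = self.count_stats.get((key, slot), (0.0, 0.0))
        limit = avg + self.sigma * max(spread, self.count_floor)
        return {"expected": avg, "limit": limit, "observed": observed,
                "flagged": observed > limit}

    def check_length(self, key: Key, minutes: float) -> Dict[str, object]:
        """Is a session of `minutes` suspiciously long for this key?"""
        avg, spread = self.length_stats.get(key, (0.0, 0.0))
        limit = avg + self.sigma * max(spread, self.minutes_floor)
        return {"expected": avg, "limit": limit, "observed": minutes,
                "flagged": minutes > limit}


def training_sessions() -> List[Session]:
    """Four weeks of constructed history: alice reaches db-01 through the
    'app' account on Monday mornings, once or twice, for about half an hour."""
    per_week = {1: [25], 8: [32, 28], 15: [35], 22: [30, 27]}  # Jan 2024 Mondays
    return [Session("alice", "app", "db-01", datetime(2024, 1, day, 9, 5 + i), m)
            for day, mins in per_week.items() for i, m in enumerate(mins)]


ALICE: Key = ("alice", "app", "db-01")
MONDAY_9: Slot = (0, 9)


def demo() -> Dict[str, Dict[str, object]]:
    """Fit the baseline and check a burst of connections and a long session."""
    model = QuantitativeModel()
    model.fit(training_sessions())
    return {
        "monday_9_burst": model.check_hour(ALICE, MONDAY_9, observed=9),
        "monday_9_normal": model.check_hour(ALICE, MONDAY_9, observed=2),
        "four_hour_session": model.check_length(ALICE, 240),
        "forty_min_session": model.check_length(ALICE, 40),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The baseline for alice on Mondays at 09:00 is 1.5 connections per week with a spread of 0.5, so nine connections in that hour are flagged while two are not; sessions of around 30 minutes make a four-hour session stand out while a 40-minute one stays within the limit.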

