Artificial Intelligence
Fudo Enterprise allows configuring model trainers and behavioral analysis models with custom settings so that it precisely analyses your users’ behavior, detects unusual actions and marks sessions as suspicious so that you can quickly react.
Fudo Enterprise’s AI module is a multicomponent system that has to be configured before it can work properly and deliver the best results. There are 3 things to do to use the AI module as effectively as possible:
- Configure model trainers, as described in the following section.
- Enable AI models so that they run the behavioral analysis based on selected protocols (SSH and/or RDP), and deliver individual statistics per model.
- Set session Policies so that the AI module can detect specific user behavior during a session, react automatically, and send messages and SNMP TRAP notifications about the current situation.
When those steps are done, you can observe:
- the number of suspicious sessions for the given period of time on the Dashboard within the Suspicious sessions widget. The widget also provides a URL to the Sessions list filtered with the Threat level: High criterion.
- the threat levels and Threat Probability of the ongoing sessions within a graph that links to the suspicious session segment in the player.
Configuring model trainers
Training models requires processing power. Proper system configuration enables optimal processing of archived sessions while preserving overall system responsiveness in handling current user requests.
To change the model trainer configuration, proceed as follows.
- Select > > .
- In the Model trainer section, in the Max number of training instances field, define the number of processes delegated to constructing user profiles.
Note
Default value is the optimal value based on available hardware resources. The actual number of processes cannot be higher than the number of available CPU cores.
- From the Active cluster node dropdown list, select the node responsible for training models.
- Select weekdays when the training will take place.
- Set the training start time.
- Define the timespan of the data which will be processed to create models.
- In the Quantitative model parameters section, in the Tolerance field, define the allowed delta regarding the number of connections or the length of a single session.
Note
This parameter is used to calculate the threat risk which triggers the alert. The Tolerance value is deducted from the current number of connections or from the number of minutes of elapsed session time. E.g. if the expected number of connections is 100, the current number of connections is 109 and the tolerance value is set to 10, the alarm will not be triggered, as the calculated value (99) is less than the expected value.
- In the Report threshold field, define the allowed deviation from the expected results.
Note
Report threshold is defined in % and determines the threshold at which the alert is triggered on account of too many sessions or a single connection lasting longer than expected. E.g. with the report threshold set to 1%, the alert is triggered if the current number of connections has been observed in only 1% of past cases.
- In the Session analysis section, in the Number of analyzing instances field, define the number of processes delegated to session analysis.
- Select the threat level from the Score logging drop-down list to define what type of events will be registered within the system log.
Note
If the pool of available analysis processes is exhausted, online analysis is suspended. After the session finishes, its data is picked up by the session analysis processes.
- Click .
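As an added illustration (not Fudo Enterprise's own code), the function below shows how the Tolerance and Report threshold parameters from the steps above can combine into one alert decision for a user's connection count or session length. It assumes, as labelled simplifications the page does not state, that the expected value is the rounded mean of the user's history and that the report threshold is compared against how often the tolerance-adjusted value was reached in past cases.

```python
# Added example, not Fudo Enterprise code. Reproduces the page's worked case
# (expected 100, current 109, tolerance 10 -> no alarm) and extends it with the
# Report threshold check. ASSUMPTIONS: "expected" = rounded mean of history;
# report-threshold frequency = share of past cases at or above the adjusted value.
from statistics import mean


def quantitative_alert(history, current, tolerance, report_threshold_pct):
    """Return (alert, details) for one user's connection count (or minutes).

    history: constructed list of past per-day counts for this user
    current: today's count (or elapsed session minutes) so far
    tolerance: allowed delta, deducted from the current value as on the page
    report_threshold_pct: alert only when the adjusted value has been seen in
                          at most this percentage of past cases
    """
    expected = round(mean(history))          # assumption: expected = mean
    adjusted = current - tolerance           # tolerance is deducted first
    if adjusted <= expected:
        # Within tolerance: the page's 109 - 10 = 99 < 100 case lands here.
        return False, {"expected": expected, "adjusted": adjusted, "seen_pct": None}
    # Rarity check: how often was a value this high observed before?
    seen = sum(1 for h in history if h >= adjusted)
    seen_pct = 100.0 * seen / len(history)
    alert = seen_pct <= report_threshold_pct
    return alert, {"expected": expected, "adjusted": adjusted, "seen_pct": seen_pct}


# Constructed history: 100 days around 100 connections/day with one spike (140).
HISTORY = [100] * 89 + [98, 102, 97, 103, 99, 101, 96, 104, 95, 105] + [140]

if __name__ == "__main__":
    for current in (109, 114, 121):
        print(current, quantitative_alert(HISTORY, current, 10, 1))
```

With the constructed history, 121 connections (adjusted 111) was reached on only 1 of 100 days, so a 1% report threshold raises the alert while 0.5% does not.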
Behavioral analysis models
Configuration parameters enable fine tuning behavioral models to match the specifics of your IT environment.
Note
As of Fudo Enterprise 5.3 release, the AI module has been modified.
Warning
- The upgrade script to Fudo Enterprise 5.3 or later disables all AI models and adds new models during the upgrade. When the process is finished, all AI models need to be manually enabled in the > tab.
- In a cluster configuration, the active models must be updated on the master node first.
Fudo Enterprise has 3 AI models for the training and prediction process. They are protocol-based, so each model focuses on the activities that its protocol provides:
Mouse biometric Model (RDP) - AI prediction model based on mouse movements and clicks. It works by deriving a set of over 700 distinct features associated with the way a user operates a pointing device. Those features are used to train the model which is individually calibrated for each user to obtain the best possible predictive value whilst minimizing the False Positive Rate.
Keyboard biometric Model (RDP) - AI prediction model based on keyboard typing dynamics. It works by deriving a set of over 100 unique features associated with the way a user types on the keyboard. Those features are used to train the model, which is individually calibrated for each user to obtain the best possible predictive value whilst minimizing the False Positive Rate.
Semantic Behavioral Model (SSH) - model based on the keyboard input (commands). It works by identifying the individual preferences of people who achieve the same results in different ways. For example, one person prefers to use wget over curl and vim over emacs, another person might use the reset command to clear the terminal, while someone else might prefer the CTRL+L combination. Those features are not static but learned from the training data. Additionally, a set of over 600 features for different groups of characters is derived. Those features are combined with the preferences and used to train the model, which is individually calibrated for each user to obtain the best possible predictive value whilst minimizing the False Positive Rate.
For each AI model Fudo Enterprise shows training statistics, such as:
Time spent for the last building - duration of the last model build.
Amount of session segments used - number of session segments that were used for the last build.
Entities covered - number of users who were included in the last training run.
True Positive Rate (TPR), sometimes called Recall - the percentage of malicious sessions properly flagged by the model as suspicious (the higher the better).
False Positive Rate (FPR) - the percentage of legitimate sessions inappropriately identified as malicious (the lower the better).
Area Under ROC curve (AUROC) - a single metric representing model quality (the higher the better).
Statistics of the TPR, FPR and AUROC values are visualized in the colored bar.
Note
Model statistics appear after the model’s first training and are updated after each subsequent training run.
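To make the three statistics above concrete, here is an added example (not Fudo Enterprise code) that computes TPR, FPR and AUROC from a model's per-session threat scores. The session labels and scores are constructed; the function and variable names are the example's own.

```python
# Added example, not Fudo Enterprise code. Input: constructed (label, score)
# pairs, label 1 = malicious session, label 0 = legitimate, score = the model's
# threat probability for that session.

def confusion_rates(samples, threshold):
    """TPR and FPR in % when sessions with score >= threshold are flagged."""
    tp = fp = fn = tn = 0
    for label, score in samples:
        flagged = score >= threshold
        if label == 1:
            tp += flagged
            fn += not flagged
        else:
            fp += flagged
            tn += not flagged
    tpr = 100.0 * tp / (tp + fn)    # recall: malicious sessions caught
    fpr = 100.0 * fp / (fp + tn)    # legitimate sessions wrongly flagged
    return tpr, fpr


def auroc(samples):
    """AUROC as the probability that a random malicious session outscores a
    random legitimate one (ties count half); threshold-free, unlike TPR/FPR."""
    pos = [s for lbl, s in samples if lbl == 1]
    neg = [s for lbl, s in samples if lbl == 0]
    wins = 0.0
    for p in pos:
        for n in neg:
            wins += 1.0 if p > n else 0.5 if p == n else 0.0
    return wins / (len(pos) * len(neg))


# Constructed scores: 4 malicious and 5 legitimate sessions.
SAMPLES = [(1, 0.9), (1, 0.8), (1, 0.7), (1, 0.4),
           (0, 0.1), (0, 0.2), (0, 0.3), (0, 0.5), (0, 0.6)]

if __name__ == "__main__":
    for thr in (0.35, 0.5, 0.65):
        print(thr, confusion_rates(SAMPLES, thr))
    print("AUROC", auroc(SAMPLES))
```

Raising the flagging threshold from 0.5 to 0.65 drops FPR from 40% to 0% at the same 75% TPR, which is the trade-off a per-user calibration navigates, while AUROC (0.9 here) summarizes ranking quality across all thresholds.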