IBM Support

Set up a Guardium Appliance for Outliers Detection

Question & Answer


Question

The Outlier Detection algorithm uses real data that is collected normally and audited by policy rules. It generates an anomaly score based on past data and identifies specific days that have irregular activity. It studies data continuously over a preset training period and builds models against previous activities or similar groups of users. These models show what is normal and what is not.

Answer


Before you set up Outlier Detection, read the two important topics described in the DeveloperWorks article "Use Guardium outlier detection to detect hidden threats":

    • How outlier detection works
    • Training phase

Below is the result of outlier analysis displayed in the Quick Search UI, taken from the DeveloperWorks article. It shows user activity and two colored indicators, High Outlier and Medium Outlier. The red indicators point you to the time on a specific day at which highly anomalous events occurred; these require immediate investigation. The yellow indicators show anomalies that are less critical than the red ones but still warrant attention. The anomaly score is an aggregate value calculated from past data.

[Screenshot: Quick Search UI with the Outliers tab selected, showing the details described in this section]



To set up a Guardium Appliance for Outliers Detection, follow the steps below:

Step 1: Prerequisites for Outlier Detection

    1. v9.5 GPU530 is recommended for using outliers.

    2. Quick search is enabled by default on a 64-bit appliance whose system resources meet the minimum listed below:

    System Requirements for IBM InfoSphere Guardium v9.5




    3. Quick search opens ports 8983 and 9983 on both central managers and collectors. These ports are opened when quick search is enabled and closed when it is disabled. Ensure the ports are not blocked by any firewall and that they allow bidirectional communication between central managers and collectors.

    Note: If data is not already being audited by a Guardium security policy, it is not available for Guardium to analyze.


Step 2: Enable Quick Search

    In the CLI, run the following GuardAPI command:

    grdapi enable_quick_search schedule_interval=2 schedule_units=MINUTE

    By default, violations are not included in the search. To include them, append includeViolations=true to the above command.

    To check whether quick search is enabled, in the CLI run: grdapi get_quick_search_info

    To disable quick search, in the CLI run: grdapi disable_quick_search

Step 3: Enable Outliers Detection

    Log in to the collector as a user or administrator with the CLI role. Use the following GuardAPI command to enable the Outliers Detection function.

    grdapi enable_outliers_detection schedule_interval=1 schedule_units=HOUR

    Outlier data will start extracting into the data mart from the current date, once every hour.


    Once outlier detection is enabled, it automatically accumulates data over the next 30 days. This is called the training period. When the training period is over, the analysis continues to run and adjusts the statistical model for what is normal and what is irregular (known as outliers).

    To view the factory and current settings, run grdapi get_outliers_detection_info. It returns the factory and current settings and a list of parameters. In the CLI run:

      grdapi get_outliers_detection_info

         The last training process start time: 20151115050606 end time:  20151115050607 status: Done
               ...

               Current
               -----------------
              alertRarityThreshold=0.98
              alertThreshold=0.99
              alertVolumeThreshold=0.9998
              cleanupKeepDays=90
              intervalThreshold=0.999
              minNumOfIntervalsForAlerts=100
              minimalRequiredTrainPeriod=1
              privUsersGroupIds=1
              sensitiveObjectGroupIds=5

               ok

    To set the minimal training period, in the CLI run:
      grdapi set_outliers_detection_parameter parameter_name=minimalRequiredTrainPeriod parameter_value=<N in days>

    To disable outlier detection, in the CLI run:
      grdapi disable_outliers_detection

    Please note: R&D has advised against making changes to minimalRequiredTrainPeriod.
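The get_outliers_detection_info output above is plain text, so a small parser lets an administrator confirm from a script that the last training run finished and that the current parameters still match the values the appliance was set up with. The following is an added example, not code from IBM or from this page: it parses a constructed sample modelled on the excerpt above, treats the "Current" values shown there as the expected baseline (an assumption for illustration), and reports any deviation, including a change to minimalRequiredTrainPeriod.

```python
import re
import sys
from datetime import datetime

# Constructed sample of `grdapi get_outliers_detection_info` output, modelled on
# the excerpt in this document. It is not captured from a real appliance.
SAMPLE_OUTPUT = """\
The last training process start time: 20151115050606 end time:  20151115050607 status: Done
...

Current
-----------------
alertRarityThreshold=0.98
alertThreshold=0.99
alertVolumeThreshold=0.9998
cleanupKeepDays=90
intervalThreshold=0.999
minNumOfIntervalsForAlerts=100
minimalRequiredTrainPeriod=1
privUsersGroupIds=1
sensitiveObjectGroupIds=5

ok
"""

# Baseline taken from the "Current" section of the page's excerpt. Assumption:
# these are the values the appliance was set up with; adjust to your own record.
BASELINE = {
    "alertRarityThreshold": "0.98",
    "alertThreshold": "0.99",
    "alertVolumeThreshold": "0.9998",
    "cleanupKeepDays": "90",
    "intervalThreshold": "0.999",
    "minNumOfIntervalsForAlerts": "100",
    "minimalRequiredTrainPeriod": "1",
    "privUsersGroupIds": "1",
    "sensitiveObjectGroupIds": "5",
}

# Timestamps in the status line are 14-digit YYYYMMDDhhmmss values.
TRAIN_RE = re.compile(
    r"start time:\s*(\d{14})\s+end time:\s*(\d{14})\s+status:\s*(\w+)"
)


def parse_outliers_info(text):
    """Return (training, params): the last training run as a dict (or None
    if no status line is present) and the key=value pairs listed under
    'Current' up to the terminating 'ok' line."""
    training = None
    match = TRAIN_RE.search(text)
    if match:
        training = {
            "start": datetime.strptime(match.group(1), "%Y%m%d%H%M%S"),
            "end": datetime.strptime(match.group(2), "%Y%m%d%H%M%S"),
            "status": match.group(3),
        }

    params = {}
    in_current = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Current":
            in_current = True
            continue
        if not in_current:
            continue
        if stripped == "ok":          # end of the settings listing
            break
        if "=" in stripped and not stripped.startswith("-"):
            key, value = stripped.split("=", 1)
            params[key.strip()] = value.strip()
    return training, params


def audit_outliers_info(text, baseline=BASELINE):
    """Return a list of human-readable findings; an empty list means the
    training run completed and every baseline parameter is unchanged."""
    training, params = parse_outliers_info(text)
    findings = []
    if training is None:
        findings.append("no training run recorded in output")
    elif training["status"] != "Done":
        findings.append(f"last training status is {training['status']!r}, not Done")

    for key, expected in baseline.items():
        actual = params.get(key)
        if actual is None:
            findings.append(f"{key} is missing from the Current settings")
        elif actual != expected:
            note = " (R&D advises against changing this)" \
                if key == "minimalRequiredTrainPeriod" else ""
            findings.append(f"{key}={actual} differs from baseline {expected}{note}")
    return findings


if __name__ == "__main__":
    # Pipe the real command output in, or run with no input to use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for finding in audit_outliers_info(raw) or ["OK: training done, settings at baseline"]:
        print(finding)
```

Run it with the saved output of the command (for example, `python audit_outliers.py < outliers_info.txt`); with no input it audits the embedded sample. Keeping the baseline in the script rather than recomputing it from the appliance means a silently changed parameter shows up as a finding rather than becoming the new normal.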


Summary of the available quick search and outlier detection commands:
    grdapi disable_quick_search
    grdapi enable_quick_search
    grdapi get_quick_search_info
    grdapi refresh_quick_search_groups

    grdapi disable_outliers_detection
    grdapi enable_outliers_detection
    grdapi get_outliers_detection_info
    grdapi set_outliers_detection_parameter



Document Information

Modified date:
16 June 2018

UID

swg21971432