Identify anomalies based on what you know
This is easy: you need to know what you know in order to know what you don't know. DNIF is quick and agile, so it can build a knowledge profile of what is normal in your environment and identify situations that you have never seen before.
- DNIF can fire up a profiler in seconds, which is unique to this industry
- Profilers can be aggregation-based or can use a machine learning model
- The models can be single- or multi-dimensional
Run profilers on any parameter, factual or functional
Speed of query execution is the game changer for implementing concepts such as machine learning and multi-dimensional or time-based aggregation. You can now run long-duration queries over past data to quickly learn and profile the behavior of a user, entity or parameter.
- Profiles can use single-dimensional data such as usernames, domain names or URLs
- Models can use time-based functions such as hits per minute or total data transferred per hour
- Functional parameters such as compacted keys and slugs can also be part of a profile
Update primary models as required
Models need to keep learning to stay current and accurate. You can update your models periodically by plugging them into a workbook, or fire them up at will. You can also let them learn on the go through incremental updates.
- Use incremental updates where your models operate in a dynamic environment, but keep an eye on what they absorb: an attacker who ramps up slowly can train the baseline to accept the new behavior
- Update models in batches where you work with historical profiles
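To make the profiling and update modes above concrete, here is an added example (not DNIF code or DQL, and not tied to DNIF's profiler API) that builds a per-entity baseline from a historical window, scores new observations against each entity's own profile, and then adapts the profile with a single incremental update. The entity names, domains and hit counts are constructed sample data; the 3-sigma threshold and the five-sample minimum are assumptions chosen for the illustration.

```python
"""Per-entity behaviour profiles: batch learning, incremental updates and
outlier scoring. Added example, not DNIF's own code."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import math

MIN_SAMPLES = 5      # assumption: below this, refuse to score an entity
Z_THRESHOLD = 3.0    # assumption: flag values more than 3 sigma from the mean


@dataclass
class Profile:
    """Baseline for one entity (user, host, key...): a running mean/variance of a
    numeric parameter (e.g. hits per minute) plus every categorical value seen."""
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0                           # sum of squared deviations (Welford)
    seen: set = field(default_factory=set)    # single-dimensional values observed

    def update(self, value: float, category: Optional[str] = None) -> None:
        """Incremental update: one observation at a time, no raw history kept."""
        self.n += 1
        delta = value - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (value - self.mean)
        if category is not None:
            self.seen.add(category)

    @property
    def stdev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, value: float) -> float:
        if self.n < 2 or self.stdev == 0.0:
            return 0.0 if value == self.mean else float("inf")
        return (value - self.mean) / self.stdev


def build_profiles(events) -> Dict[str, Profile]:
    """Batch update: learn every entity's profile from a historical window
    of (entity, numeric value, categorical value) records in one pass."""
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for entity, value, category in events:
        profiles[entity].update(value, category)
    return dict(profiles)


def assess(profiles, entity, value, category) -> List[str]:
    """Score one new observation against the entity's own baseline.
    Returns the reasons it stands out; an empty list means 'within profile'."""
    p = profiles.get(entity)
    if p is None or p.n < MIN_SAMPLES:
        return ["no baseline"]
    reasons = []
    z = p.zscore(value)
    if abs(z) >= Z_THRESHOLD:
        reasons.append(f"{value} hits is {z:.1f} sigma from mean {p.mean:.1f}")
    if category not in p.seen:
        reasons.append(f"never seen {category!r} for {entity}")
    return reasons


# Constructed history: (user, hits per minute, domain). alice is a busy web
# user, bob is a light intranet user; their baselines differ accordingly.
HISTORY = [
    ("alice", 10, "mail.example.com"), ("alice", 9, "wiki.example.com"),
    ("alice", 11, "mail.example.com"), ("alice", 10, "mail.example.com"),
    ("alice", 12, "wiki.example.com"), ("alice", 8, "mail.example.com"),
    ("alice", 10, "wiki.example.com"), ("alice", 11, "mail.example.com"),
    ("alice", 9, "mail.example.com"), ("alice", 10, "wiki.example.com"),
    ("bob", 3, "intranet.example.com"), ("bob", 2, "intranet.example.com"),
    ("bob", 4, "intranet.example.com"), ("bob", 3, "intranet.example.com"),
    ("bob", 3, "intranet.example.com"),
]
PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    checks = [("alice", 10, "mail.example.com"),      # normal
              ("alice", 60, "pastebin.example.net"),  # burst to a new domain
              ("bob", 10, "intranet.example.com"),    # normal for alice, not for bob
              ("carol", 1, "mail.example.com")]       # never profiled
    for entity, hits, domain in checks:
        print(entity, hits, domain, "->", assess(PROFILES, entity, hits, domain) or "ok")
    # Incremental update after the burst is reviewed and found benign:
    PROFILES["alice"].update(60, "mail.example.com")
    print("alice after update:", assess(PROFILES, "alice", 20, "mail.example.com") or "ok")
```

Note that the same 10 hits per minute is ordinary for alice and an outlier for bob; that is the point of profiling per entity rather than with one global threshold. The last line also shows the flip side of incremental learning: once the 60-hit burst is absorbed, 20 hits per minute is no longer flagged for alice, so what you feed into the model matters.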
Related Use Cases
- Devices not reporting events over a period of time can now be detected using an individual threshold for each device; this reduces corner cases and the need to whitelist scores of devices that don't fit a single global criterion
- Privileged user access on critical devices can now be profiled to identify suspicious access patterns
- Database access can be monitored to identify outliers in user queries or functions that the system has never seen before