Differentiating User Authentication Graphs

Alexander D. Kent1+, Lorie M. Liebrock2, and James Wernicke1


1Los Alamos National Laboratory, Los Alamos, New Mexico, USA
 {alex, wernicke}@lanl.gov
2New Mexico Institute of Mining and Technology, Socorro, New Mexico, USA
 liebrock@nmt.edu

 

 

Abstract

Authentication using centralized methods is a primary trust mechanism within most large-scale, enterprise computer networks. Representing user authentication activity as a set of user-specific graphs over an enterprise network, we find that certain types of user behavior have distinguishable graph attributes. More specifically, we demonstrate significant distinction between system administrators and non-privileged users. We also explore the differentiation of other functional organization-based user categories. In addition, due to the operational value user authentication graphs have in reflecting user behavior, we discuss the development of a system for visually presenting the graphs. This system will enable exploration and validation of both appropriate and anomalous user behavior relevant to both intrusion and insider threat detection.

 

Keywords: Insider threat, network authentication, graph analysis

+: Corresponding author: Alexander D. Kent, PO Box 1663 MS B264, Los Alamos, New Mexico 87545, USA, Tel: +1-505-216-6191

 

Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), Vol. 5, No. 2, pp. 24-38, June 2014