User Behavior Analysis

Objective

This document provides instructions on how to enable User Behavior Analysis (UBA) using the Volterra Artificial Intelligence (AI) and Machine Learning (ML) features. The user behavior analysis covers the following:

  • Clear suspicious behavior - This is based on security events such as the following:

    • WAF security events generated by a user
    • Login failures
    • L7 policy denies
    • IP/ASN reputation score
  • Anomalous behavior - The behavior is determined based on the entities such as the following:

    • Request rate
    • Error rate
    • API method entropy for methods such as GET, POST, PUT, etc.
    • API endpoint entropy
    • API endpoint sequence

Note: The user in this context is mapped by the requesting IP address.

Using the instructions provided in this document, you can enable the user behavior for your application and monitor the related anomalies and events in the load balancer monitoring.


Prerequisites


Configuration

Configuration Sequence

The following table presents the sequence of activities in enabling the UBA:

Activity Description
Create App Type Create app type and configure the user behavior analysis features.
Create App Settings Create the app settings object and associate with the app type.
Monitor User Behavior Monitor the load balancer to check for anomalies detected and reported for user behavior.

Create App Type

To enable user behavior analysis for your application services, it is required to first enable it for those services using the app type object.

The app type object is created in the shared namespace. The load balancers of that app type in different namespaces need to be assigned with the label of the app type object.

Perform the following to create app type and enable generating the user behavior model.

Step 1: Log into the VoltConsole and navigate to app type configuration.

Change to the Shared namespace and select Security from the configuration menu and AI & ML -> App Types from the options. Click Add app type to start app type creation.

nav atype new
Figure: Navigate to App Type Configuration

Step 2: Configure app type object settings.

Enter the configuration in the app type object creation form as per the following guidelines:

  • Enter a name for the app type. This is the value for the app type label to be assigned to the load balancers for which the UBA needs to be enabled.
  • Click Add item in the Application Type Features section and select User Behavior Analysis for the AI/ML Feature Type field.
  • Optionally, select Enable learning from redirect traffic for the Learn from Traffic with Redirect Response field in the Business Logic Markup Setting field.
  • Click Save and Exit to complete creating the app type object.

apptype cnf new
Figure: App Type Feature Configuration


Assign App Type Label to Load Balancers

After creating the app type, it is required to assign the app type label to the load balancers for which you want to enable UBA detection.

Note: Enabling UBA detection for all load balancers in a namespace requires you to apply the app type label to all load balancers in that namespace.

Perform the following to assign the app type label to your load balancers.

Step 1: Log into the VoltConsole and navigate to load balancer management.

Change to your application namespace and select Manage -> Load Balancers from the configuration menu and HTTP Load Balancers from the options. Click ... -> Edit for the load balancer for which the app type label needs to be assigned.

lb edit
Figure: Navigate to load balancer Edit Configuration

Step 2: Assign the app type label.
  • Select ves.io/app_type for the Labels field and type.

at label new
Figure: App Type Label Selection

  • Type the name of the app type object created in the previous step and click Assign Custom Value to add the app type label.

label value new
Figure: App Type Label Addition

  • Click Save and Exit to apply the label to the load balancer.

Note: The Volterra AI model learns from all namespaces where the load balancers or vK8s services are applied with the app type label. You can turn off learning from specific namespaces using the app settings object.


Create App Settings

After creating an app type with the UBA feature enabled, it is required to associate it with the metrics and sources for which the user behavior analysis is required. This is done by configuring the app settings object.

Perform the following to create the app settings object:

Step 1: Navigate to app settings configuration and start app setting object creation.

Change to the namespace where your application deployment is created and load balancers are configured. Select Security from the configuration menu and App Settings from the options under the AI & ML field. Click Add App Setting to start app setting creation.

nav asetting new
Figure: Navigate to App Setting Configuration

Step 2: Enter basic configuration for the app setting object.
  • Enter a name for the app setting.
  • Navigate to Application Type Feature Configuration section and click Select app type ref in the AppType field. Select the app type object created and click Select app type ref to add the app type to the configuration.

app setting basic
Figure: App Setting Basic Configuration

Note: Optionally, click Configure for the User Behavior Analysis Setting field and select Disable learning from this namespace option for the displayed fields. With this, the Volterra AI engine does not include data from this namespace for user behavior analysis.

Step 3: Complete creating app settings object.

Click Save and Exit to complete creation of app settings object.


Monitor User Behavior

You can monitor the user behavior for anomalies and also inspect alerts using the HTTP load balancer monitoring.

Perform the following to monitor user behavior:

Step 1: Log into the VoltConsole and navigate to the load balancer monitoring.

Change to your application namespace and select Virtual Hosts from the configuration menu and HTTP Load Balancers from the options. Click on your load balancer from the displayed list to load its monitoring view. load balancer dashboard is loaded by default.

Step 2: Load the app firewall view.

The load balancer dashboard is loaded by default. Click App Firewall tab to inspect the firewall events page. The Suspicious Users section provides details for anomalous or suspicious users. The details include IP address, location, suspicion score, etc.

lb susp users
Figure: User Analysis View for Suspicious Users

Note: You can also inspect the Security Events page and Alerts page to monitor the user behavior. The security events page also provides Malicious Users Events tab to filter the display to malicious user related security events.


Concepts


API References