User Behavior Analysis
Objective
This document provides instructions on how to enable User Behavior Analysis (UBA) using the Volterra Artificial Intelligence (AI) and Machine Learning (ML) features. The user behavior analysis covers the following:
- Clear suspicious behavior - This is based on security events such as the following:
  - WAF security events generated by a user
  - Login failures
  - L7 policy denies
  - IP/ASN reputation score
- Anomalous behavior - The behavior is determined based on the entities such as the following:
  - Request rate
  - Error rate
  - API method entropy for methods such as GET, POST, PUT, etc.
  - API endpoint entropy
  - API endpoint sequence
Note: The user in this context is mapped by the requesting IP address.
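The following is an added illustration, not Volterra's code or model, of how per-user features like those listed above can be derived from access records keyed by requesting IP address. The record layout, the 60-second window, and the function names are assumptions, and the sample records are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample records: (epoch seconds, client IP, method, endpoint, status).
SAMPLE_LOG = [
    (0, "198.51.100.7", "GET", "/api/products", 200),
    (5, "198.51.100.7", "GET", "/api/products/42", 200),
    (9, "198.51.100.7", "POST", "/api/cart", 200),
    (14, "198.51.100.7", "GET", "/api/checkout", 200),
] + [
    # A second client touching eight different endpoints, mostly with errors.
    (20 + i, "203.0.113.9", "GET", f"/api/path{i}", 404 if i < 6 else 200)
    for i in range(8)
]


def shannon_entropy(values):
    """Shannon entropy, in bits, of the empirical distribution of values."""
    counts = Counter(values)
    total = sum(counts.values())
    return sum((c / total) * math.log2(total / c) for c in counts.values())


def user_features(records, window_seconds):
    """Per-user features, with the user keyed by requesting IP address."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec[1]].append(rec)
    features = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[0])  # order by time for the sequence feature
        endpoints = [r[3] for r in recs]
        features[ip] = {
            "request_rate": len(recs) / window_seconds,
            "error_rate": sum(r[4] >= 400 for r in recs) / len(recs),
            "method_entropy": shannon_entropy(r[2] for r in recs),
            "endpoint_entropy": shannon_entropy(endpoints),
            # Endpoint sequence summarised as counts of consecutive pairs.
            "endpoint_transitions": Counter(zip(endpoints, endpoints[1:])),
        }
    return features


if __name__ == "__main__":
    for ip, feats in user_features(SAMPLE_LOG, window_seconds=60).items():
        print(ip, {k: v for k, v in feats.items() if k != "endpoint_transitions"})
```

In this constructed sample, the second client shows zero method entropy, high endpoint entropy, and a high error rate, which is the kind of contrast such features are meant to surface.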
Using the instructions provided in this document, you can enable user behavior analysis for your application and monitor the related anomalies and events in the load balancer monitoring.
Prerequisites
- A Volterra account.
  Note: If you do not have an account, see Create a Volterra Account.
- One or more applications deployed on a Volterra site, with services configured.
  Note: See App Management for more information. See Site Management for site creation instructions.
Configuration
Configuration Sequence
The following table presents the sequence of activities in enabling the UBA:
Activity | Description |
---|---|
Create App Type | Create app type and configure the user behavior analysis features. |
Create App Settings | Create the app settings object and associate with the app type. |
Monitor User Behavior | Monitor the load balancer to check for anomalies detected and reported for user behavior. |
Create App Type
To enable user behavior analysis for your application services, you must first enable it for those services using the app type object.
The app type object is created in the shared namespace. Load balancers of that app type in other namespaces must be assigned the label of the app type object.
Perform the following to create the app type and enable generation of the user behavior model.
Step 1: Log into the VoltConsole and navigate to app type configuration.
Change to the Shared namespace and select Security from the configuration menu and AI & ML -> App Types from the options. Click Add app type to start app type creation.
Step 2: Configure app type object settings.
Enter the configuration in the app type object creation form as per the following guidelines:
- Enter a name for the app type. This is the value for the app type label to be assigned to the load balancers for which the UBA needs to be enabled.
- Click Add item in the Application Type Features section and select User Behavior Analysis for the AI/ML Feature Type field.
- Optionally, select Enable learning from redirect traffic for the Learn from Traffic with Redirect Response field in the Business Logic Markup Setting field.
- Click Save and Exit to complete creating the app type object.
Assign App Type Label to Load Balancers
After creating the app type, it is required to assign the app type label to the load balancers for which you want to enable UBA detection.
Note: Enabling UBA detection for all load balancers in a namespace requires you to apply the app type label to all load balancers in that namespace.
Perform the following to assign the app type label to your load balancers.
Step 1: Log into the VoltConsole and navigate to load balancer management.
Change to your application namespace and select Manage -> Load Balancers from the configuration menu and HTTP Load Balancers from the options. Click ... -> Edit for the load balancer to which the app type label needs to be assigned.
Step 2: Assign the app type label.
- Select ves.io/app_type for the Labels field.
- Type the name of the app type object created in the previous step and click Assign Custom Value to add the app type label.
- Click Save and Exit to apply the label to the load balancer.
Note: The Volterra AI model learns from all namespaces where the load balancers or vK8s services are applied with the app type label. You can turn off learning from specific namespaces using the app settings object.
Create App Settings
After creating an app type with the UBA feature enabled, it is required to associate it with the metrics and sources for which the user behavior analysis is required. This is done by configuring the app settings object.
Perform the following to create the app settings object:
Step 1: Navigate to app settings configuration and start app setting object creation.
Change to the namespace where your application deployment is created and load balancers are configured. Select Security from the configuration menu and App Settings from the options under the AI & ML field. Click Add App Setting to start app setting creation.
Step 2: Enter basic configuration for the app setting object.
- Enter a name for the app setting.
- Navigate to the Application Type Feature Configuration section and click Select app type ref in the AppType field. Select the app type object created and click Select app type ref to add the app type to the configuration.
Note: Optionally, click Configure for the User Behavior Analysis Setting field and select the Disable learning from this namespace option for the displayed fields. With this, the Volterra AI engine does not include data from this namespace for user behavior analysis.
Step 3: Complete creating app settings object.
Click Save and Exit to complete creation of the app settings object.
Monitor User Behavior
You can monitor the user behavior for anomalies and also inspect alerts using the HTTP load balancer monitoring.
Perform the following to monitor user behavior:
Step 1: Log into the VoltConsole and navigate to the load balancer monitoring.
Change to your application namespace and select Virtual Hosts from the configuration menu and HTTP Load Balancers from the options. Click your load balancer in the displayed list to load its monitoring view.
Step 2: Load the app firewall view.
The load balancer dashboard is loaded by default. Click the App Firewall tab to inspect the firewall events page. The Suspicious Users section provides details for anomalous or suspicious users. The details include IP address, location, suspicion score, etc.
Note: You can also inspect the Security Events page and Alerts page to monitor the user behavior. The security events page also provides a Malicious Users Events tab to filter the display to malicious user related security events.