Authentication anomaly detection: a case study on a virtual private network

Authors: 
Michael J. Chapple, Nitesh V. Chawla, Aaron Striegel
Citation: 
Chapple, Michael J., Nitesh Chawla, and Aaron Striegel. "Authentication anomaly detection: A case study on a virtual private network." Proceedings of the 3rd annual ACM workshop on Mining network data. ACM, 2007.
Publication Date: 
June, 2007

The authentication logs on a network can provide a trove of information for discovering potential anomalies in login attempts. Using such logs collected by a production Virtual Private Network device over a period of 15 months, we generate a diurnal model of network accesses. This model is used to detect anomalous authentications, which merit further investigation by a security analyst. We intend that this work will dramatically reduce the amount of time spent by analysts identifying anomalous events and allow them to focus on in-depth analysis of these anomalies. Our work makes two contributions: a novel approach to mining authentication data, and the use of geographic distance as a metric to evaluate Virtual Private Network connections. We demonstrate the success of our model using real-world case analysis.
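As an added illustration (not the authors' code; the paper's models are described here only at the level of the abstract), the following Python sketches the two signals the abstract names: a per-user diurnal model of login hours and a geographic-distance check of each VPN connection against the user's usual login location. The log line format, the IP-to-coordinate table standing in for a GeoIP lookup, the one-hour window around the login hour, and the 5% and 500 km thresholds are all constructed assumptions for the example.

```python
"""Toy VPN authentication anomaly scorer (added illustration, not the paper's code).

Two per-user signals are learned from a window of successful logins:
  1. diurnal: share of the user's past logins within +/-1 hour of the hour of
     day of the new login;
  2. geographic: great-circle distance from the user's usual login location.
The log format, the IP-to-coordinate table and the thresholds are constructed
assumptions for the example.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <user> <source IP> <result>".
TRAINING_LOGS = """\
2007-01-08T08:55:10 alice 203.0.113.10 SUCCESS
2007-01-08T09:02:41 alice 203.0.113.10 SUCCESS
2007-01-09T08:48:03 alice 203.0.113.11 SUCCESS
2007-01-09T13:20:55 alice 203.0.113.10 SUCCESS
2007-01-10T09:10:19 alice 203.0.113.10 SUCCESS
2007-01-11T08:59:07 alice 203.0.113.12 SUCCESS
2007-01-12T09:05:33 alice 203.0.113.10 SUCCESS
2007-01-08T22:15:00 bob 198.51.100.5 SUCCESS
2007-01-09T23:40:12 bob 198.51.100.5 SUCCESS
2007-01-10T22:58:44 bob 198.51.100.6 SUCCESS
2007-01-11T01:05:09 bob 198.51.100.5 SUCCESS
2007-01-12T23:11:27 bob 198.51.100.5 SUCCESS
"""

# Constructed IP -> (latitude, longitude) table standing in for a GeoIP lookup.
GEO = {
    "203.0.113.10": (41.70, -86.24),   # constructed: alice's home region
    "203.0.113.11": (41.68, -86.25),
    "203.0.113.12": (41.72, -86.22),
    "198.51.100.5": (41.88, -87.63),   # constructed: bob's home region
    "198.51.100.6": (41.85, -87.65),
    "192.0.2.77":   (52.37,   4.90),   # constructed: an overseas source
}


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    r = 6371.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * r * math.asin(math.sqrt(h))


def build_model(events):
    """Per user: hour-of-day histogram and centroid of geolocated logins."""
    hours = defaultdict(Counter)
    points = defaultdict(list)
    for e in events:
        if e["result"] != "SUCCESS":
            continue  # only successful sessions define "normal" for a user
        hours[e["user"]][e["ts"].hour] += 1
        if e["ip"] in GEO:
            points[e["user"]].append(GEO[e["ip"]])
    model = {}
    for user, hist in hours.items():
        pts = points[user]
        # Plain coordinate average: adequate for a tightly clustered home
        # area, wrong across the antimeridian.
        home = (sum(p[0] for p in pts) / len(pts),
                sum(p[1] for p in pts) / len(pts)) if pts else None
        model[user] = {"hours": hist, "n": sum(hist.values()), "home": home}
    return model


def evaluate(model, line, hour_min=0.05, max_km=500.0):
    """Score one new log line against the model and explain any flags."""
    e = parse_log(line)[0]
    m = model.get(e["user"])
    if m is None:
        return {"anomalous": True, "reasons": ["unknown-user"],
                "hour_fraction": None, "distance_km": None}
    h = e["ts"].hour
    hits = sum(m["hours"][(h + d) % 24] for d in (-1, 0, 1))  # wraps at midnight
    frac = hits / m["n"]
    dist = None
    if m["home"] and e["ip"] in GEO:
        dist = haversine_km(m["home"], GEO[e["ip"]])
    reasons = []
    if frac < hour_min:
        reasons.append("off-hours")
    if dist is not None and dist > max_km:
        reasons.append("far-from-usual-location")
    return {"anomalous": bool(reasons), "reasons": reasons,
            "hour_fraction": frac, "distance_km": dist}


if __name__ == "__main__":
    model = build_model(parse_log(TRAINING_LOGS))
    for line in ("2007-01-15T09:00:00 alice 203.0.113.10 SUCCESS",
                 "2007-01-15T03:12:00 alice 192.0.2.77 SUCCESS",
                 "2007-01-15T10:00:00 bob 198.51.100.5 SUCCESS"):
        print(line.split()[1], evaluate(model, line))
```

Two design choices matter in practice: only successful authentications feed the baseline, so an attacker's failed guesses cannot shift a user's "normal" hours, and each flag carries its reason, so an analyst triaging an alert sees whether it was the hour, the location, or both. With only a week of training data per user the hour fractions are coarse; the paper's 15-month window is what makes a diurnal model stable enough to trust.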