UEBA (User and Entity Behavior Analytics) for when traditional Cyber Security can’t protect your network

Why does traditional cyber protection fail?

Starting from the early 2000s it became clear that classic cyber protection wasn’t enough anymore.

Traditional strategies are based on a signature approach, in which the security system recognizes known threats by their behavior, i.e., their signature. The known signatures are stored in a database that security systems use for constant monitoring of organizational behavior—network, storage, devices, users, etc. The traditional approach could therefore be described by the Latin motto praemonītus praemūnītus, i.e., “forewarned, forearmed.”

The number of threats is growing rapidly, making it very difficult to be “forewarned.” On the modern cyber battlefield, security operations centers (SOCs) face new threats every day for which no signature exists yet. It’s unacceptable to sit back and wait until someone investigates the new threats and creates new signatures.

But that doesn’t mean that a signature-based approach isn’t valid anymore. After all, cyber protection is usually designed like an onion with several layers of defense. In this onion architecture, there is one missing layer—the layer that deals with new, unknown threats.

User Behavior Analytics

The trend named UBA (User Behavior Analytics) started with credit cards, with the goal of detecting anomalous behavior of cardholders. It used user behavior models for fraud detection, such as credit card usage in “strange” locations, suspicious purchases, etc.

UBA solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns—anomalies that indicate potential threats.

Cyber security extends UBA to UEBA—User and Entity Behavior Analytics. The definition expands beyond users to any entity participating in the organization’s digital space, such as devices, applications, servers, data, storage, file systems, etc. This means that UEBA engines monitor the behavior of entities, define the norm, and identify anomalies.

The following Gartner[1] chart summarizes the position of UEBA in the cyber security area:

UBA and Network Security

UEBA, like cyber security in general, has become a major focus in networking. It introduces another term, Network Behavior Anomaly Detection (NBAD). This is UEBA where the ‘E’ (Entity) stands for network entities connected to the same network, such as hosts, firewalls, gateways, servers, devices, or anything within an IP subnet.

A Bit of Architecture

The basic system flow of UBA / UEBA / NBAD systems consists of four stages:

  1. Data collection

Collect logs and packet/data captures from all possible and available sources: firewalls, antivirus software, syslog, event logs, tap and sniffing devices, Intrusion Detection and Prevention Systems, and Network Management.

  2. Data normalization and storage

Extract the relevant information and store it in a common, centralized form.

  3. Data analysis

Analyze the data to identify abnormal behavior by comparing it with the expected behavior.

  4. Report

Report and alert the abnormal behavior to IT and security experts.
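The four stages above, carried through end to end as an added example (not code from the original article or from Northforge): two constructed log feeds in different formats are collected, normalized into one record shape, aggregated per entity, compared with a constructed baseline, and reported. All log lines, IP addresses, the `BASELINE` values and the `factor` threshold are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Stage 1 (collection): two constructed feeds in different formats (not real logs):
# a key=value firewall log and a CSV web-proxy log. One deliberately malformed line
# shows how the pipeline should react to input it cannot parse.
FIREWALL_LOG = """\
2024-03-10T09:00:01Z action=allow src=10.0.0.5 dst=203.0.113.7 bytes=5120
2024-03-10T09:00:04Z action=allow src=10.0.0.9 dst=203.0.113.7 bytes=800
2024-03-10T09:00:09Z action=deny src=10.0.0.9 dst=198.51.100.2 bytes=0
2024-03-10T09:00:12Z action=allow src=10.0.0.9 dst=198.51.100.3 bytes=900
this line is garbage and must not crash the pipeline
"""
PROXY_LOG = """\
2024-03-10T09:00:02Z,10.0.0.5,203.0.113.7,2048
2024-03-10T09:00:06Z,10.0.0.9,198.51.100.4,700
2024-03-10T09:00:07Z,10.0.0.9,198.51.100.5,650
2024-03-10T09:00:08Z,10.0.0.9,198.51.100.6,710
2024-03-10T09:00:10Z,10.0.0.77,198.51.100.9,100
"""

# Baseline "learned" during a quiet period (constructed values): how many distinct
# peers and how many bytes each entity normally produces in one ten-minute window.
BASELINE = {
    "10.0.0.5": {"peers": 2, "bytes": 6000},
    "10.0.0.9": {"peers": 2, "bytes": 2500},
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_firewall(line):
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    if not {"src", "dst", "bytes"} <= fields.keys():
        raise ValueError("not a firewall record: " + line)
    return {"ts": parse_ts(ts), "entity": fields["src"], "peer": fields["dst"],
            "bytes": int(fields["bytes"]), "source": "firewall"}


def parse_proxy(line):
    ts, src, dst, nbytes = line.split(",")
    return {"ts": parse_ts(ts), "entity": src, "peer": dst,
            "bytes": int(nbytes), "source": "proxy"}


FEEDS = [(FIREWALL_LOG, parse_firewall), (PROXY_LOG, parse_proxy)]


def normalize(feeds):
    """Stage 2 (normalization and storage): every source becomes the same record
    shape, ordered by time. Unparseable lines are counted, not silently dropped,
    because a broken parser would otherwise look exactly like a quiet network."""
    records, rejected = [], 0
    for text, parser in feeds:
        for line in text.splitlines():
            if not line.strip():
                continue
            try:
                records.append(parser(line))
            except ValueError:
                rejected += 1
    records.sort(key=lambda r: r["ts"])
    return records, rejected


def analyze(records, baseline, factor=2.0):
    """Stage 3 (analysis): aggregate per entity and compare with the expected
    behavior; anything above `factor` times the baseline is a finding, and an
    entity with no baseline at all is reported rather than guessed at."""
    observed = defaultdict(lambda: {"peers": set(), "bytes": 0})
    for r in records:
        observed[r["entity"]]["peers"].add(r["peer"])
        observed[r["entity"]]["bytes"] += r["bytes"]
    findings = []
    for entity, agg in observed.items():
        norm = baseline.get(entity)
        if norm is None:
            findings.append({"entity": entity, "metric": "baseline",
                             "observed": "entity never seen in training", "expected": None})
            continue
        for metric, value in (("peers", len(agg["peers"])), ("bytes", agg["bytes"])):
            if value > factor * norm[metric]:
                findings.append({"entity": entity, "metric": metric,
                                 "observed": value, "expected": norm[metric]})
    return findings


def report(findings):
    """Stage 4 (report): one human-readable line per finding for the SOC."""
    return [f"ALERT {f['entity']}: {f['metric']} observed={f['observed']} "
            f"expected={f['expected']}" for f in findings]


if __name__ == "__main__":
    recs, bad = normalize(FEEDS)
    print(f"{len(recs)} records normalized, {bad} rejected")
    for line in report(analyze(recs, BASELINE)):
        print(line)
```

With these inputs the garbage line is rejected and counted, 10.0.0.9 is flagged because it contacted six distinct peers against an expected two, and 10.0.0.77 is flagged because no baseline exists for it; 10.0.0.5 stays within its norm. Counting rejected lines matters in practice: a parser silently failing on a new log format looks identical to an entity going quiet.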

The following diagram represents the high-level architecture:

Keys to Success

While Behavior Analytics is a new and buzz-worthy catchphrase, there are already plenty of solutions provided by many companies. So, what are the main factors that make UBA solutions truly successful?

We identify four main factors that turn UBA solutions into effective defenses against cyber threats:

Big Data

No doubt, logs are the main, and almost the only, input for cyber security systems. This is even more true for behavior analytics. In UBA, there is no such thing as too much information. Big Data platforms that allow the analysis of huge amounts of information are essential. Shaping the definition of normal behavior is critical, and it requires dedicated techniques.

Machine Learning

As one can see from the above diagram, the main component of UBA is the Analytics System, and in case of behavior analytics, such a system applies Machine Learning.

Machine learning algorithms take the data gathered and determine patterns to predict the probability that network activity is fraudulent.

Here’s a simple outline of the steps of behavioral analysis to detect fraud:

  1. The information (all possible logs, captures, profiles, and so on) is gathered to form a template of the entity’s behavior and “train” the system.
  2. A behavioral pattern is determined and a set of thresholds is set to identify when behavior transitions from normal to fraudulent (these thresholds can be a probability percentage, for example, 95%).
  3. When an entity is encountered, the probability of the network being fraudulent is recalculated based on the newly arrived information (this entity). If the percentage is above the threshold, an alarm is raised.

In essence, machine learning algorithms develop a pattern. Then a risk value is calculated using this pattern. If the risk is deemed high enough, there is a large chance the network is fraudulent.

Cyber threats are produced and even managed in real time by a human adversary, so they can never be fully predicted automatically. For UBA to succeed, it’s critical to develop effective integration between the UBA engine and the IT/Cyber specialist. This integration should be based on two-sided interaction:

  • UBA to IT/Cyber specialist: alarms of abnormal behavior
  • IT/Cyber specialist to UBA: correction/teaching of the “normal” behavior pattern
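The three steps of behavioral analysis above and the two-sided interaction with the specialist, as an added example that is not part of the original article or of any vendor's product: each entity gets a behavior template fitted to its history (step 1), a 95% probability threshold decides when an observation becomes an alarm (steps 2 and 3), and the specialist can teach the engine that a flagged value is legitimate, which reshapes the norm. The training counts, the entity names, the normal-distribution model and the `MIN_SIGMA` floor are assumptions made for the example; the `pstdev`-based fit stands in for whatever machine learning model a real engine uses.

```python
from statistics import NormalDist, mean, pstdev

# Constructed training history (not real telemetry): for each entity, the number
# of distinct destination hosts it contacted on each of ten quiet days.
TRAINING = {
    "host-a": [12, 14, 13, 15, 12, 13, 14, 12, 13, 14],
    "host-b": [40, 42, 38, 41, 39, 43, 40, 41, 39, 42],
}
THRESHOLD = 0.95  # step 2: alarm once the probability passes 95 %
MIN_SIGMA = 0.5   # floor so an entity with a perfectly constant history still fits


class BehaviourProfile:
    """Step 1: the template of one entity's behaviour, fitted to its history."""

    def __init__(self, samples):
        self.samples = list(samples)
        self._refit()

    def _refit(self):
        # Assumption of this example: daily counts are roughly normally distributed.
        self.dist = NormalDist(mean(self.samples), max(pstdev(self.samples), MIN_SIGMA))

    def risk(self, value):
        """Step 3: probability that normal behaviour would produce at most `value`.
        Close to 1.0 means the observation sits far out in the upper tail."""
        return self.dist.cdf(value)

    def teach(self, value):
        """Analyst feedback: the observation was legitimate, so it joins the norm."""
        self.samples.append(value)
        self._refit()


class UbaEngine:
    def __init__(self, training):
        self.profiles = {entity: BehaviourProfile(s) for entity, s in training.items()}
        self.alarms = []  # UBA -> specialist: every alarm raised so far

    def observe(self, entity, value):
        """Score one new observation; returns (risk, alarm_raised)."""
        profile = self.profiles.get(entity)
        if profile is None:
            # No norm exists for an unseen entity, so it is reported, not guessed at.
            risk = 1.0
        else:
            risk = profile.risk(value)
        alarm = risk > THRESHOLD
        if alarm:
            self.alarms.append((entity, value, round(risk, 4)))
        return risk, alarm

    def confirm_normal(self, entity, value):
        """Specialist -> UBA: the flagged value is legitimate for this entity."""
        if entity not in self.profiles:
            self.profiles[entity] = BehaviourProfile([value])
        else:
            self.profiles[entity].teach(value)


if __name__ == "__main__":
    engine = UbaEngine(TRAINING)
    for entity, value in (("host-a", 14), ("host-a", 20), ("host-b", 55)):
        risk, alarm = engine.observe(entity, value)
        print(f"{entity} value={value} risk={risk:.4f} alarm={alarm}")
    # The specialist confirms a week of higher counts on host-a as a legitimate change.
    for value in (20, 19, 21, 20, 20):
        engine.confirm_normal("host-a", value)
    risk, alarm = engine.observe("host-a", 20)
    print(f"host-a value=20 after teaching: risk={risk:.4f} alarm={alarm}")
```

Before teaching, a count of 20 on host-a is nearly seven standard deviations above its mean and trips the 95% threshold; after the specialist confirms five days at that level, the refitted profile puts the same value at roughly 0.91 and the alarm stops. A single confirmation is deliberately not enough to silence the engine, which is the behavior one wants from a feedback loop that an analyst can get wrong.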

Network Simulation

To develop an adequate UBA solution, an appropriate test and development environment is required. Such an environment should represent the operational situation as closely to reality as possible. There is only one platform that meets this requirement — Network Simulation.

Network simulation is designed for characterizing, creating, and validating the communication solutions, computer networks, and distributed or parallel systems. It enables the prediction of network behavior and performance. One can create, run, and analyze any desired communication scenario.

Modern simulation platforms (e.g. OPNET) create realistic interactive user traffic running on top of actual state machines of network nodes. This simulated traffic reflects real packet captures of actual network behavior with all its complexity.

Generally, simulation is the only method that allows continuous development, testing, and debugging of a network composed of hundreds or thousands of nodes, since replicating this in a lab is impractical, and field tests are expensive, difficult to operate, and non-deterministic.

Another important aspect of a simulation environment is the natural generation of normal network behavior. A well-grounded definition of the “norm” is critical for the development of anomaly detection algorithms.

For machine learning algorithms, network simulation is particularly important. The teaching phase is accomplished in a sterile, offline simulation environment, and as a result, machine learning works effectively from the first minute after deployment.

UBA Case Study – TLS Protocol Conformance

Transport Layer Security (TLS) protocol is widely used as the security layer for many Internet applications. There has been a growing number of new and existing attacks focused on this protocol. A UBA-based solution can be used to answer the challenge of analyzing TLS protocol conformance and detecting abnormal behavior.

One of the major threats to the availability of organizational resources is Distributed Denial of Service (DDoS) attacks. The encrypted nature of TLS makes TLS-based attacks resistant to traditional cyber security. For example, TLS-based DDoS attacks cannot be analyzed and filtered by DDoS mitigation service providers — the providers can’t see inside the encrypted envelope. Additionally, due to the increasing complexity of the TLS protocol, there is always a possibility of exploiting some new feature of the protocol to construct a DDoS attack. This case study demonstrates the value of a UBA-based solution.

The solution begins with a library of Abstract Protocol Models. In comparison to a finite-state machine, an abstract model is composed of basic message sequences and behavioral patterns that allow the framework of normal behavior to be defined.

This library is the central building block of a successful UBA solution, together with Machine Learning and Big Data algorithms.

Here is a proposed logical design for analyzing TLS Protocol Conformance and detecting abnormal behavior:

How does the proposed solution work?

The solution is based on employing UEBA as it is naturally designed to provide answers to the challenges stated above. Behavior Learning can be used instead of state-machines for analyzing protocol conformance.

TLS Behavior Learning is done by a machine learning engine that learns normal TLS behavior by consuming the correct event sequences of TLS sessions — this is done during the teaching stage.

As a result, during the operation stage, the machine learning engine can identify the cases when the protocol behavior does not fit the normal sequence of events in a session.

As one can see, the problem is solved by the integration of a TLS session tracking module and a machine learning engine. The crème de la crème of the solution is the normalization model that transforms TLS session events into appropriate input for the machine learning module.
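The teaching and operation stages described above, as an added example that is not the article's or Northforge's code: a normalization model reduces a tracked TLS session to a token sequence, a learner records which event may follow which during the teaching stage, and the operation stage reports the first transition a session makes that was never seen in teaching. The TLS 1.2 message names are the real handshake messages; the session contents, the sender tags and the first-order transition model (standing in for the machine learning engine) are assumptions made for the example.

```python
from collections import defaultdict

START, END = "<START>", "<END>"

# Constructed TLS 1.2 sessions (not real captures): each is the ordered list of
# handshake and record-layer events of one connection, tagged with the sender
# (C = client, S = server). These are the correct sequences the engine learns from.
FULL_HANDSHAKE = [
    "C:ClientHello", "S:ServerHello", "S:Certificate", "S:ServerKeyExchange",
    "S:ServerHelloDone", "C:ClientKeyExchange", "C:ChangeCipherSpec", "C:Finished",
    "S:ChangeCipherSpec", "S:Finished", "C:ApplicationData", "S:ApplicationData",
    "C:Alert(close_notify)",
]
RESUMED_HANDSHAKE = [
    "C:ClientHello", "S:ServerHello", "S:ChangeCipherSpec", "S:Finished",
    "C:ChangeCipherSpec", "C:Finished", "C:ApplicationData", "S:ApplicationData",
    "C:Alert(close_notify)",
]
TRAINING_SESSIONS = [FULL_HANDSHAKE, RESUMED_HANDSHAKE]

# Constructed operation-stage sessions: one healthy but chatty, one that stops after
# the first message, one whose handshake is restarted before it completes.
BUSY = FULL_HANDSHAKE[:10] + ["C:ApplicationData", "S:ApplicationData"] * 3 \
    + ["C:Alert(close_notify)"]
ABORTED = ["C:ClientHello"]
RESTARTED = FULL_HANDSHAKE[:5] + ["C:ClientHello"]


def normalize_session(events):
    """Normalization model: turn a session's events into the token sequence the
    learner consumes. The data-exchange phase collapses to a single token, so the
    amount of application data exchanged does not change a session's shape."""
    tokens = [START]
    for event in events:
        token = "ApplicationData" if event.endswith("ApplicationData") else event
        if token == "ApplicationData" and tokens[-1] == "ApplicationData":
            continue
        tokens.append(token)
    tokens.append(END)
    return tokens


class TlsBehaviourModel:
    """Learns which event may follow which; stands in for the ML engine here."""

    def __init__(self):
        self.allowed_next = defaultdict(set)

    def teach(self, session):
        """Teaching stage: record every transition of a known-good session."""
        tokens = normalize_session(session)
        for current, following in zip(tokens, tokens[1:]):
            self.allowed_next[current].add(following)

    def check(self, session):
        """Operation stage: None for a conforming session, otherwise a description
        of the first transition that was never seen during teaching."""
        tokens = normalize_session(session)
        for current, following in zip(tokens, tokens[1:]):
            if following not in self.allowed_next.get(current, ()):
                return f"unexpected {following} after {current}"
        return None


def audit(model, sessions):
    """Run the conformance check over tracked sessions; returns the
    non-conforming ones as (session index, verdict) pairs."""
    results = []
    for index, session in enumerate(sessions):
        verdict = model.check(session)
        if verdict is not None:
            results.append((index, verdict))
    return results


if __name__ == "__main__":
    model = TlsBehaviourModel()
    for session in TRAINING_SESSIONS:
        model.teach(session)
    for index, verdict in audit(model, [FULL_HANDSHAKE, ABORTED, BUSY, RESTARTED]):
        print(f"session {index}: {verdict}")
```

The model never needs a hand-written state machine: the resumed handshake is accepted because it was taught, the chatty session is accepted because normalization collapses its data phase, while the session that ends after ClientHello and the one that restarts its handshake are both reported at the exact transition that departs from the norm. A first-order model has a known blind spot worth stating: it checks each transition in isolation, so a long loop of individually valid transitions still conforms; a real engine would add per-session counters or longer context on top of this.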

Why Northforge?

Northforge provides Intrusion Detection Systems to customers to help their organizations protect their most valuable information. The unique Protocol Conformance approach enhances their systems through an innovative User Behavior Analytics cyber security process. The success of this innovation is based on our proven expertise in Intrusion Detection, Machine Learning, and Network Simulation.

by Oleg P.

[1] Gartner, Market Guide for User and Entity Behavior Analytics


