Streamline Investigations with “Link Analysis”

Can’t get enough of Gurucul’s machine learning models? It definitely helps to put a name to a model, doesn’t it? We are pleased to introduce our next model.

Gurucul Machine Learning Model: Link Analysis

How does the Link Analysis machine learning model work, and what does it do? The Link Analysis machine learning model examines a network of interconnected links and nodes to identify and analyze relationships that are not easily seen in raw data. Gurucul Risk Analytics feeds data into the Link Analysis machine learning model to analyze the links between objects, whether they are physical, digital or relational. This depends on diligent data gathering.

In the case of an identity management system, user accounts may be created that are not linked to named identities. There is no way to manually link these accounts to identities. Gurucul Risk Analytics’ Link Analysis machine learning model links behavior associated with disparate accounts to one particular user or machine. By default, over 80% of user accounts are linked automatically using Gurucul Risk Analytics’ Link Analysis approach.

Looking at a simple example, let’s say there’s a user account called janedoe with an associated identity named janedoe. The Link Analysis machine learning model will link these two data objects. Ok, that was easy. The next step is to gather behavioral data associated with different accounts and multiple naming conventions for the same user – and the machines they are using – to link all of their identities, access actions and online activities to one user. Link Analysis brings all of the relevant identities and behaviors together to define a full story of what’s going on.

Use Case: Streamline Investigations

Let’s look at a more complete example. A developer, Jed Fuller, gets a bad HR review. He’s very unhappy and decides to use his x-jfuller admin login to access source code and download an entire tree. Further, the network proxy detects that his Windows desktop account jed.fuller is being used to send large files to an external drop box account.

Jed Fuller’s user account behavior is flagged as anomalous. The investigation is quick since we have been able to link all of Jed Fuller’s user accounts to his identity in a single search with Gurucul Miner™, Gurucul’s natural language contextual search. It’s super easy: just search for the phrase “Jed Fuller” and bingo – you’ll see all the good and bad behavior being performed by the accounts associated with Jed Fuller.

What are the Benefits of Link Analysis?

Link Analysis has three primary purposes:

  • To find matches for known patterns of interest between linked objects
  • To find anomalies by detecting violated known patterns
  • To find new patterns of interest (for example, in social networking and marketing and business intelligence).

Link Analysis can help identify and stop social media attacks. It can also be used to clean up dormant and orphan user accounts by linking them – or not. If an account can be linked, it is not an orphan account. If an orphan or dormant account is compromised, Gurucul Risk Analytics can quickly link all of the accounts and data associated with the relevant identity and reveal the full story. What does that mean? It means investigations are quick. You can quickly trace back to see where the compromise process began.
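To make the account-to-identity linking and the orphan-account test concrete, here is an added illustration that is not Gurucul's code or model: it uses plain rule-based name matching instead of machine learning and no behavioral data. The account names janedoe, x-jfuller and jed.fuller come from the article; the service account, the admin prefix list and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data. The first three accounts come from the article's
# examples; "svc_backup01" and the prefix list are assumptions for illustration.
IDENTITIES = ["Jane Doe", "Jed Fuller"]
ACCOUNTS = ["janedoe", "x-jfuller", "jed.fuller", "svc_backup01"]
ADMIN_PREFIXES = ("x-", "adm-", "admin_")


def candidate_keys(full_name):
    """Separator-free account forms a named identity could produce."""
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]
    return {first + last, first[0] + last, last + first[0]}


def normalize(account):
    """Strip domain, admin prefix and separators from an account name."""
    name = account.lower().split("\\")[-1].split("@")[0]
    for prefix in ADMIN_PREFIXES:
        if name.startswith(prefix):
            name = name[len(prefix):]
            break
    return re.sub(r"[._-]", "", name)


def link_accounts(identities, accounts):
    """Return (links, orphans, ambiguous) for the given accounts."""
    index = defaultdict(set)
    for identity in identities:
        for key in candidate_keys(identity):
            index[key].add(identity)
    links, orphans, ambiguous = defaultdict(list), [], []
    for account in accounts:
        owners = index.get(normalize(account), set())
        if len(owners) == 1:
            links[next(iter(owners))].append(account)
        elif owners:
            ambiguous.append(account)  # several candidates: review, don't guess
        else:
            orphans.append(account)    # no identity matched
    return dict(links), orphans, ambiguous


if __name__ == "__main__":
    print(link_accounts(IDENTITIES, ACCOUNTS))
```

Accounts that match more than one identity are reported separately instead of being assigned, since a wrong link would attribute one person's activity to another during an investigation.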