Volume 5 - Issue 2
Differentiating User Authentication Graphs
- Alexander D. Kent
Los Alamos National Laboratory, Los Alamos, New Mexico, USA
alex@lanl.gov
- Lorie M. Liebrock
New Mexico Institute of Mining and Technology, Socorro, New Mexico, USA
liebrock@nmt.edu
- James Wernicke
Los Alamos National Laboratory, Los Alamos, New Mexico, USA
wernicke@lanl.gov
Keywords: Insider threat, network authentication, graph analysis
Abstract
Authentication using centralized methods is a primary trust mechanism within most large-scale, enterprise
computer networks. Representing user authentication activity as a set of user-specific graphs
over an enterprise network, we find that certain types of user behavior have distinguishable graph
attributes. More specifically, we demonstrate significant distinction between system administrators
and non-privileged users. We also explore the differentiation of other functional organization-based
user categories. In addition, due to the operational value user authentication graphs have in reflecting
user behavior, we discuss the development of a system for visually presenting the graphs. This system
will enable exploration and validation of both appropriate and anomalous user behavior relevant
to both intrusion and insider threat detection.
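
The sketch below illustrates the idea of per-user authentication graphs and is an added example, not code from the paper or its authors. It assumes each authentication event is a (user, source computer, destination computer) triple, and the attributes it computes (vertex count, edge count, directed density, diameter) are chosen for illustration because the abstract does not name the ones the authors use; all host and user names are constructed.

```python
from collections import defaultdict, deque

# Constructed sample events: (user, source computer, destination computer).
# The field layout is an assumption; the abstract does not specify a log format.
EVENTS = [
    ("alice", "ws-alice", "mail"), ("alice", "ws-alice", "files"),
    ("alice", "ws-alice", "mail"),  # repeated event collapses onto one edge
    ("bob", "ws-bob", "mail"),
    ("admin1", "ws-adm", "jump"), ("admin1", "ws-adm", "mail"),
    ("admin1", "jump", "db1"), ("admin1", "jump", "db2"),
    ("admin1", "jump", "web1"), ("admin1", "jump", "files"),
]

def build_user_graphs(events):
    """Return {user: set of directed (src, dst) edges}, one graph per user."""
    graphs = defaultdict(set)
    for user, src, dst in events:
        graphs[user].add((src, dst))
    return dict(graphs)

def diameter(edges):
    """Longest finite shortest path, in hops, between any two computers."""
    adj = defaultdict(set)
    for src, dst in edges:
        adj[src].add(dst)
    longest = 0
    for start in list(adj):
        dist, queue = {start: 0}, deque([start])
        while queue:  # breadth-first search from each source computer
            node = queue.popleft()
            for nxt in adj.get(node, ()):
                if nxt not in dist:
                    dist[nxt] = dist[node] + 1
                    queue.append(nxt)
        longest = max(longest, max(dist.values()))
    return longest

def graph_attributes(edges):
    """Illustrative attributes of one user's authentication graph."""
    vertices = {v for edge in edges for v in edge}
    n, m = len(vertices), len(edges)
    density = m / (n * (n - 1)) if n > 1 else 0.0
    return {"vertices": n, "edges": m, "density": round(density, 3),
            "diameter": diameter(edges)}

def summarize(events):
    return {u: graph_attributes(e) for u, e in build_user_graphs(events).items()}

if __name__ == "__main__":
    for user, attrs in sorted(summarize(EVENTS).items()):
        print(user, attrs)
```

In this constructed data the administrator account produces a larger, sparser and deeper graph than the two ordinary accounts, which is the kind of separation the abstract describes.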