Autolearning is a process by which OAAM profiles behavior patterns. The patterns can be created for entities such as users, devices, locations, address, etc. You can also create patterns with a combination of different entities. Such patterns are used for risk profiling and further actions can be taken depending on the outcome of the analysis. OAAM patterns analyze the behavior by storing a history of an entity’s actions.
For example, in a typical banking system, the bank may want to impose additional challenge parameters on a user who logs in from a rarely used device. So it creates a pattern to challenge a user if he logs in from a device that accounts for less than 10% of his logins across all the devices he uses. A user ‘A’ has always used his office computer to access the banking application until now. Now suppose he buys a personal laptop and logs in to the banking application from it. The user will be challenged, because this device accounts for less than 10% of all his logins. The challenge will continue until the number of logins from user A’s personal laptop exceeds 10% of his total logins from all devices.
OAAM allows defining either a single-bucket or a multi-bucket pattern. A single-bucket pattern tracks data for one well-defined range of values. For example, you can define a pattern to track user logins during office hours of 9 am – 6 pm. In this case, a single bucket is created for user login times between 9 am and 6 pm, and the pattern analysis is done only for this time range, regardless of whether the user logs in at any other time of the day. A multi-bucket pattern is more complex: it creates multiple buckets with well-defined boundaries. For example, suppose you want to track the percentage of user logins that happen on Sundays. Then you define a pattern that tracks logins on each day of the week. Such a pattern creates 7 buckets, one per day of the week, and then computes the percentage of the user’s logins on a Sunday against the total of all logins in the week. In a real-life scenario, multiple single-bucket or multi-bucket patterns are combined to define policies and their resulting actions. An example of such a policy, and of how OAAM analyzes the patterns, is given below.
OAAM maintains 4 tables for tracking behavior patterns:
- VT_WF_HOURS – To track the login pattern for hours of a day (0 – 23)
- VT_WF_DAYS – To track the login pattern for days of a month (0 – 30)
- VT_WF_MONTHS – To track the login pattern for months of a year (1 – 12)
- VT_WF_YEARS (1 – 8)
I will explain the behavior pattern for hours of a day. The logic is similar for other patterns.
Let’s assume that we have defined and are using the following multi-bucket behavior patterns:
1. User: Timerange profiling pattern (with 2 hours increment step) – Pattern ID = 1
2. User: Day of Week profiling pattern – Pattern ID = 2
3. User: Device profiling pattern – Pattern ID = 3
4. User: City profiling pattern – Pattern ID = 4
5. User: State profiling pattern – Pattern ID = 5
6. User: Country profiling pattern – Pattern ID = 6
OAAM creates (or updates) a fingerprint for each bucket of the above patterns whenever required. For example, if a user logs in at 10:05 am (time range = 10:00 am – 12:00 pm) on a Wednesday (day of week = 1) from Bangalore (city), Karnataka (state), India (country) using his laptop (device), then OAAM creates fingerprints similar to the following:
1. FPrintID = 1, Time10-12 with Pattern ID = 1
2. FPrintID = 2, Day3 with Pattern ID = 2
3. FPrintID = 3, DeviceMyLaptop with Pattern ID = 3
4. FPrintID = 4, CityBangalore with Pattern ID = 4
5. FPrintID = 5, StateKarnataka with Pattern ID = 5
6. FPrintID = 6, CountryIndia with Pattern ID = 6
Now the rows in the pattern tables are created or updated with the new count. For VT_WF_HOURS, 10:05 am falls in hour_11. Assuming that this is the user's first login, hour_11 for each of the Pattern IDs above is set to 1.
Now the same user logs in at 10:20 am on a Friday from Ahmedabad, Gujarat, India using his personal computer. The Time10-12 and CountryIndia buckets already exist, so OAAM generates only 4 new fingerprints:
1. FPrintID = 7, Day5 with Pattern ID = 2
2. FPrintID = 8, DeviceMyPC with Pattern ID = 3
3. FPrintID = 9, CityAhmedabad with Pattern ID = 4
4. FPrintID = 10, StateGujarat with Pattern ID = 5
VT_WF_HOURS will now contain:
1. FPrintID = 1, Pattern ID = 1, hour_11 = 2
2. FPrintID = 7, Pattern ID = 2, hour_11 = 1
3. FPrintID = 8, Pattern ID = 3, hour_11 = 1
4. FPrintID = 9, Pattern ID = 4, hour_11 = 1
5. FPrintID = 10, Pattern ID = 5, hour_11 = 1
6. FPrintID = 6, Pattern ID = 6, hour_11 = 2
Now the user returns to Bangalore and logs in at 10:50 hours on a Sunday using his laptop. Only the day-of-week bucket is new, so the following fingerprint is created:
1. FPrintID = 11, Day7 with Pattern ID = 2
Then VT_WF_HOURS will contain:
1. FPrintID = 1, Pattern ID = 1, hour_11 = 3
2. FPrintID = 11, Pattern ID = 2, hour_11 = 1
3. FPrintID = 3, Pattern ID = 3, hour_11 = 2
4. FPrintID = 4, Pattern ID = 4, hour_11 = 2
5. FPrintID = 5, Pattern ID = 5, hour_11 = 2
6. FPrintID = 6, Pattern ID = 6, hour_11 = 3
Then the user logs in again on Sunday at 13:15 hours from Bangalore using his laptop. Only the time-range bucket is new, so the following fingerprint is created:
1. FPrintID = 12, Time12-14 with Pattern ID = 1
Since 13:15 falls in hour_14, VT_WF_HOURS now also contains the following hour_14 counts (the hour_11 counts above are unchanged):
1. FPrintID = 12, Pattern ID = 1, hour_14 = 1
2. FPrintID = 11, Pattern ID = 2, hour_14 = 1
3. FPrintID = 3, Pattern ID = 3, hour_14 = 1
4. FPrintID = 4, Pattern ID = 4, hour_14 = 1
5. FPrintID = 5, Pattern ID = 5, hour_14 = 1
6. FPrintID = 6, Pattern ID = 6, hour_14 = 1
Hence, depending on your pattern, OAAM keeps track of each count separately. If you want to check the frequency of a user's logins between 10:00 am and 11:00 am on a Sunday, you get the data from hour_11 corresponding to FPrintID = 11. In your policy, you can combine multiple patterns to check the frequency of a user's logins between 10:00 am and 12:00 pm on a Sunday using his laptop from Bangalore, Karnataka, India.
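The walkthrough above can be replayed as a small simulation of the fingerprint and hour-bucket bookkeeping. This is an added illustration, not OAAM's own code: the login field names, the `Autolearner` class and the constructed dates (chosen to fall on the page's Wednesday, Friday and Sunday) are assumptions, while the Pattern IDs, bucket names, the hour_N column convention and the 10% challenge rule follow the page.

```python
from collections import defaultdict
from datetime import datetime
# Pattern IDs as on this page: 1=time range, 2=day of week, 3=device, 4=city, 5=state, 6=country
def bucket_values(login):
    """Map one login (dict with constructed field names) to the bucket name of each pattern."""
    start = (login["ts"].hour // 2) * 2            # 2-hour increment step for pattern 1
    return {1: f"Time{start}-{start + 2}",
            2: f"Day{login['ts'].isoweekday()}",  # Mon=1 .. Sun=7, so Wed=Day3, Sun=Day7
            3: f"Device{login['device']}", 4: f"City{login['city']}",
            5: f"State{login['state']}", 6: f"Country{login['country']}"}

class Autolearner:
    def __init__(self):
        self.fingerprints = {}                            # (pattern_id, bucket) -> FPrintID
        self.vt_wf_hours = defaultdict(lambda: [0] * 24)  # FPrintID -> counts for hour_1 .. hour_24

    def record(self, login):
        hour_col = login["ts"].hour + 1                   # page convention: 10:05 lands in hour_11
        for pid, bucket in bucket_values(login).items():
            # reuse the fingerprint if this bucket was seen before, else allocate the next FPrintID
            fp = self.fingerprints.setdefault((pid, bucket), len(self.fingerprints) + 1)
            self.vt_wf_hours[fp][hour_col - 1] += 1

    def count(self, pid, bucket, hour_col):
        """Value stored in VT_WF_HOURS for one fingerprint and one hour column."""
        fp = self.fingerprints.get((pid, bucket))
        return 0 if fp is None else self.vt_wf_hours[fp][hour_col - 1]

    def share(self, pid, bucket):
        """Fraction of the user's logins that fell in this bucket of the pattern (all hours summed)."""
        totals = {b: sum(self.vt_wf_hours[fp]) for (p, b), fp in self.fingerprints.items() if p == pid}
        overall = sum(totals.values())
        return totals.get(bucket, 0) / overall if overall else 0.0

    def should_challenge(self, pid, bucket, threshold=0.10):
        """The page's example rule: challenge when the bucket holds under 10% of the user's logins."""
        return self.share(pid, bucket) < threshold

def run_page_example():
    """Replay the four logins walked through on the page (constructed dates on the matching weekdays)."""
    blr = dict(device="MyLaptop", city="Bangalore", state="Karnataka", country="India")
    amd = dict(device="MyPC", city="Ahmedabad", state="Gujarat", country="India")
    logins = [dict(ts=datetime(2024, 1, 3, 10, 5), **blr),    # Wednesday
              dict(ts=datetime(2024, 1, 5, 10, 20), **amd),   # Friday
              dict(ts=datetime(2024, 1, 7, 10, 50), **blr),   # Sunday
              dict(ts=datetime(2024, 1, 7, 13, 15), **blr)]   # Sunday
    learner = Autolearner()
    for login in logins:
        learner.record(login)
    return learner
```

After `run_page_example()`, the fingerprint IDs and hour_11 / hour_14 counts match the tables above (for example FPrintID 1 has hour_11 = 3 and FPrintID 12 has hour_14 = 1), and `should_challenge(3, "DeviceMyPC")` is False because that device already accounts for 25% of the logins.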
More details about the autolearning feature can be found in the Oracle® Fusion Middleware Administrator’s Guide for Oracle Adaptive Access Manager.
All site content is the property of Oracle Corp. Redistribution not allowed without written permission