Anomaly detection systems have been shown to perform well in detecting compromised user credentials within an enterprise computer network. Most existing approaches have focused on modelling activities that users perform within the network but not the time at which users are active. This article presents an approach for identifying compromised user credentials based on modelling their time of day or diurnal patterns. Anomalous behaviour in this respect would correspond to a user working during hours that deviate from their normal historical behaviour. The methodology is demonstrated using authentication data from Los Alamos National Laboratory’s enterprise computer network.
Price-Williams, Matthew, Melissa Turcotte, and Nick Heard (2018). “Time of Day Anomaly Detection”. In: IEEE European Intelligence and Security Informatics Conference (EISIC2018).
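To make the idea in the abstract concrete, here is an added example (not code or the model from the paper) that builds a per-user hour-of-day profile from authentication timestamps and flags events at hours the user has rarely been active. The hourly bins, smoothing kernel, prior, 0.05 threshold, user names and timestamps are all assumptions constructed for illustration.

```python
from collections import defaultdict

BINS, DAY = 24, 86400  # hourly bins over a 24-hour cycle (assumed resolution)

def hour_bin(ts):
    """Map an epoch-seconds timestamp to its hour of day (0-23)."""
    return int(ts % DAY // 3600)

def fit_profiles(events, kernel=(0.25, 0.5, 0.25), prior=0.5):
    """Build one smoothed hour-of-day distribution per user from (user, ts) pairs."""
    counts = defaultdict(lambda: [0.0] * BINS)
    for user, ts in events:
        h = hour_bin(ts)
        # Spread each event over adjacent hours modulo 24, so 23:00 and 00:00 are neighbours.
        for offset, weight in zip((-1, 0, 1), kernel):
            counts[user][(h + offset) % BINS] += weight
    profiles = {}
    for user, c in counts.items():
        total = sum(c) + prior * BINS  # prior keeps unseen hours at non-zero probability
        profiles[user] = [(x + prior) / total for x in c]
    return profiles

def tail_pvalue(profile, ts):
    """Total probability of hours no more likely than the observed one (small = unusual)."""
    p = profile[hour_bin(ts)]
    return sum(q for q in profile if q <= p + 1e-12)

def flag(profiles, events, alpha=0.05):
    """Return events whose hour is improbable for that user; users with no history are skipped."""
    return [(u, ts) for u, ts in events
            if u in profiles and tail_pvalue(profiles[u], ts) < alpha]

def constructed_history():
    """Constructed sample: user U1 authenticates hourly from 08:00 to 17:00 for 20 days."""
    return [("U1", d * DAY + h * 3600 + 600) for d in range(20) for h in range(8, 18)]

if __name__ == "__main__":
    profiles = fit_profiles(constructed_history())
    new = [("U1", 20 * DAY + 10 * 3600), ("U1", 20 * DAY + 3 * 3600), ("U9", 20 * DAY)]
    for user, ts in flag(profiles, new):
        print(f"{user} active at unusual hour {hour_bin(ts):02d}:00")
```

Timestamps must be in a consistent time zone per user, otherwise a travelling or remote user's profile shifts and normal activity scores as anomalous.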