Oracle® Adaptive Access Manager Administrator's Guide Release 10g (10.1.4.5) Part Number E12055-03
This chapter provides information on setting up Adaptive Risk Manager Offline and on loading and running session sets—subsets of a larger body of data—for evaluation using Oracle Adaptive Access Manager Offline.
This section provides a brief introduction to Adaptive Risk Manager Offline and contains the following sections:
What Does Adaptive Risk Manager Offline Do?
Adaptive Risk Manager Offline is an offline fraud analysis tool for evaluating existing data. It can be used in three ways:
As a research and development tool to create and validate new rules using sample data from the production system before introducing them into an online environment
As a standalone security tool to analyze, detect, and alert high risk situations
As a supplemental analysis tool to aid in the tuning of rules and verification of rules behavior against real customer data without impacting customers in real-time log ins and transactions
Adaptive Risk Manager Offline Architecture
The installation of Adaptive Risk Manager Offline is similar to that of Adaptive Risk Manager Online, except that Adaptive Risk Manager Offline has its own database. This additional database has the same structure as the Adaptive Risk Manager Online database.
Customer login and/or transaction data is loaded into the Adaptive Risk Manager Offline database. Data can be loaded:
directly from Adaptive Risk Manager Online (DB Loader)
from a temporary database (DB Loader)
from a remote, custom source (Custom Loader)
through a file (File-Based Loader)
Loading from a database is the standard loading process.
Adaptive Risk Manager Offline uses its Offline database, where real customer data is loaded, to perform risk analysis or conduct simulations of Adaptive Risk Manager Online.
The same models and rules as Adaptive Risk Manager Online or modified models and rules may be used to perform risk analysis.
Loaders
DB Loader - Adaptive Risk Manager Offline, by default, is pre-configured to handle loading from a database. You will have to configure your database connection URL and so on for DB loader to access the offline data. Information about setting the URLs and other parameters is provided in Section 13.2, "Creating a New Database Configuration to Access Offline Data."
The DB loader is preferred over the file-based and custom loaders because the DB loader is optimized. It provides better control, is easier to use, and is faster:
for pausing and resuming
for working with partial data sets
Instead of using a file-based/custom loader, you may want to consider loading file or storage data into a temporary database using the standard tools and then using the temporary database to load data into the Offline database.
Custom Loader - Custom loaders handle loading from a file or any kind of storage facility. Instead of using a custom loader, you may consider copying the data into a temporary database and using the temporary database to load the data into Adaptive Risk Manager Offline.
File-Based Loaders - File-based loaders perform the job of taking a file and turning it into a format that you can use in Adaptive Risk Manager Offline. If a file-based loader must be used, you must first sort the file in data order. The disadvantages of the file-based loader are that Pause and Resume are slow and you will have to deal with partial session sets.
More information and guidelines for custom and file-based loaders are in Section 13.3, "Data Loaders."
Adaptive Risk Manager Offline User Flow (if using Standard Loading)
The User flow for Adaptive Risk Manager Offline using the standard loading process is shown below.
Install Adaptive Risk Manager Offline
Create and edit a DB Configuration to access offline data.
Create a Run Configuration with the characteristics of the run session.
Create Session Sets based on past dates and times.
If you create a session set, you can choose to auto-increment the data—to pull new data periodically from the database—or pull only the data that falls within a specific date range.
Setting up Auto-learning
Load data based on a Session Set and DB Configuration.
Run rules against the data
Entire database or subset (session set)
Immediately or on schedule
Alerts will be generated for suspicious activities.
Examine Dashboard and Reports.
Discover hacking attempts.
Create new rules and models to trap the attacks.
Run the old data through the new rules and models.
Reexamine reports to see if the new rules helped.
Test the rules in pre-production.
Implement new rules and models on Adaptive Risk Manager Online.
Source data must be loaded into the Adaptive Risk Manager Offline database so that Adaptive Risk Manager Offline can use its own database to perform risk analysis.
Instructions for creating a database configuration (setting up the parameters) for connecting to the remote database, so that you will be able to load or run data in the Adaptive Risk Manager Offline database, are presented in this section.
If you are using a custom or file-based loader, skip this section, and go on to Section 13.3, "Data Loaders."
In creating a load configuration, you will:
specify the characteristics of the offline load session. For example, date format, transaction size, write pool size, and so on.
set up parameters for connecting to the remote database such as URL, password, server type (Oracle driver, SQL server driver, and so on)
configure properties to map such fields as the table name, user Id, and browser string
To create a load configuration:
On the Admin menu, point to DB Configurations and then click Create Configurations.
The Create Configurations page appears.
From the Configuration Type menu, select Load.
From the Config Name menu, select Create New Configuration.
If you've already created the configuration, you can select from the names of existing configurations.
The Create New Configurations page appears.
Enter a name for the configuration.
From the Status menu, select the status you want:
Active (Enable) or Inactive (Disable)
Enter any appropriate notes.
Click Create.
The properties panel enables you to configure and edit properties.
Review the list of properties and modify depending upon the location and structure of your data source and then click Save.
Details about setting the properties are documented below.
After creating the DB Configuration, create the Run Configuration as per the instructions in Section 13.4, "Creating a New Run Configuration."
The properties labeled Remote RA DB Type, Remote RA DB Class, Remote RA DB JDBC URL, Remote RA DB User or Schema, and Remote RA DB Password will need to be changed to the values required to connect to the remote Adaptive Risk Manager database.
For example:
Edit the Remote RA DB JDBC URL and change it from @remotehost:1521:ORCL to your appropriate hostname:port:SID. For example, @oaam-adm.example.com:1521:inf01
Change the Remote RA DB User or Schema from brsawf to your appropriate username. For example, oaamdbuser
Set the value of the property labeled Load Table Name to the name of the table containing the login data. This property value may also include a table alias, for example, table t. If the data is spread across multiple tables, this property can contain join criteria, for example, table1 t1 left outer join table2 t2 on t1.id = t2.id.
Set the values of the following to the required field expressions.
Load login time column
Load user Id column
Load login Id column
Load IP column
Load browser user agent column
Auth status column
Load group id column
ClientType column
Load secure cookie column
Load device id column
Load session id column
Load expected digital cookie column
Valid field expressions include database field names (qualified with table aliases if table aliases were specified in the Load Table Name property), for example, t1.tstamp, or constants, for example, null or "ra-group".
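The following added example (not part of the Oracle guide and not the loader's own code) shows how the Load Table Name value and the column field expressions above compose into a single query when the source is a temporary database, as the guide recommends. The query shape, the ORDER BY on the login time column, the use of SQL single-quoted string literals for a constant such as ra-group, and the two sample tables with their rows are assumptions of this example; the property names are the ones listed in the guide.

```python
"""Added example (not from the Oracle guide): compose a load query from the
Load Table Name property and the per-column field expressions, then run it
against a constructed in-memory 'temporary database' (sqlite)."""
import sqlite3

# Constructed load-configuration values, mirroring the guide's examples:
# a join across two aliased tables, plus a mix of column references and constants.
LOAD_CONFIG = {
    "Load Table Name": "logins t1 left outer join devices t2 on t1.id = t2.id",
    "Load login time column": "t1.tstamp",
    "Load user Id column": "t1.user_id",
    "Load login Id column": "t1.login_id",
    "Load IP column": "t1.ip",
    "Load browser user agent column": "t1.user_agent",
    "Auth status column": "t1.auth_status",
    "Load group id column": "'ra-group'",  # constant: every row gets the same group id
    "ClientType column": "null",           # constant: this source has no client type
    "Load secure cookie column": "null",
    "Load device id column": "t2.device_id",
    "Load session id column": "t1.session_id",
    "Load expected digital cookie column": "null",
}

COLUMN_PROPERTIES = [k for k in LOAD_CONFIG if k != "Load Table Name"]


def build_load_query(config: dict) -> str:
    """Assemble a SELECT from the table expression and the field expressions.

    Each expression is selected under an alias derived from its property name,
    so the mapping back to the Offline schema does not depend on column order.
    (Assumed query shape; the product's loader may build its SQL differently.)
    """
    select_items = []
    for prop in COLUMN_PROPERTIES:
        alias = prop.lower().replace(" ", "_")
        select_items.append(f"{config[prop]} AS {alias}")
    return (
        "SELECT " + ", ".join(select_items)
        + " FROM " + config["Load Table Name"]
        + " ORDER BY " + config["Load login time column"]
    )


def make_sample_db() -> sqlite3.Connection:
    """Create a constructed in-memory temporary database with a few login rows.
    Row 2 has no matching device row, which the left outer join must tolerate."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE logins (id INTEGER, tstamp TEXT, user_id TEXT, login_id TEXT,
                             ip TEXT, user_agent TEXT, auth_status TEXT, session_id TEXT);
        CREATE TABLE devices (id INTEGER, device_id TEXT);
        INSERT INTO logins VALUES
          (1, '2008-06-01 02:00:00', 'u100', 'alice', '192.0.2.10', 'UA-1', 'success', 's1'),
          (2, '2008-06-01 01:30:00', 'u200', 'bob',   '192.0.2.11', 'UA-2', 'failure', 's2'),
          (3, '2008-06-01 03:15:00', 'u300', 'carol', '192.0.2.12', 'UA-3', 'success', 's3');
        INSERT INTO devices VALUES (1, 'dev-a'), (3, 'dev-c');
        """
    )
    return conn


def run_load_query(config: dict = LOAD_CONFIG) -> list:
    """Run the assembled query and return the rows as dicts keyed by alias."""
    conn = make_sample_db()
    cur = conn.execute(build_load_query(config))
    names = [d[0] for d in cur.description]
    rows = [dict(zip(names, r)) for r in cur.fetchall()]
    conn.close()
    return rows


if __name__ == "__main__":
    print(build_load_query(LOAD_CONFIG))
    for row in run_load_query():
        print(row)
```

Running the block prints the composed query and three rows in login-time order; the row without a device shows device id None, and the constant expressions appear as the same value on every row, which is the behaviour to expect when a source lacks a field and you map a constant to it.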
If you want to load data without running the rules, set the Load and Run Rules property to false. If you want to run data without doing a load, create a run type DB Configuration and the property will not be available.
While creating the loader configuration, start with 10 worker threads and watch the throughput (number of requests processed per minute) using the Dashboard.
If the throughput is not satisfactory, increase the number of writer threads in increments of 5.
A higher number of writer threads does not necessarily result in better throughput. Adjust the number of worker threads for maximum throughput on the given hardware.
Check Section 13.9, "Monitoring Adaptive Risk Manager Offline" for possible worker thread starvation.
This section contains information and instructions for using data loaders.
If data is to be loaded into a database, make sure the data is valid as per mappings. Source data validation (basic sanity checks) is easier to perform before starting the load. It will save loading cycles and the incorrect processing of information.
Validations are:
Check for null or empty required fields (like user name)
Ensure that there are not too many log ins/transactions from the same user. For example, an incorrect delimiter or incorrect escaping can result in user id "0" being recorded for more than 30% of log ins. These kinds of errors will not necessarily result in a load error, but they will slow the loading process and cause the data to be processed incorrectly.
Check that the combination of fields expected to be unique is actually unique in the data.
Make sure the source data does not have duplicate records/content. Duplicate records will skew the results and might raise false alerts.
Make sure the field that identifies the request (Request Identifier) is unique.
If the source data is loaded into a database before it is fed to Oracle Adaptive Access Manager, make sure the source data is not truncated during that load.
If the source data does not have secure cookies and/or digital cookies, send constant secure cookies and/or digital cookies and turn off rotating cookies in Oracle Adaptive Access Manager.
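The checks listed above can be scripted and run over the source data before a load starts. The following is an added example, not code from the Oracle guide or the product: the record layout (request_id, user_id, login_time, ip), the column-width limits and the sample records are constructed for illustration; the 30% share figure and the list of checks come from the guide.

```python
"""Added example (not from the Oracle guide): pre-load sanity checks on source
login data, following the validation list in the guide."""
from collections import Counter

REQUIRED_FIELDS = ("request_id", "user_id", "login_time")   # assumed field names
# Guide: one user id (such as "0" produced by a bad delimiter) in more than 30% of
# log ins points to a parsing problem in the source data.
DOMINANT_USER_THRESHOLD = 0.30

# Constructed sample records, deliberately containing one of each defect.
SAMPLE_RECORDS = [
    {"request_id": "r1", "user_id": "alice", "login_time": "2008-06-01 02:00", "ip": "192.0.2.10"},
    {"request_id": "r2", "user_id": "0",     "login_time": "2008-06-01 02:01", "ip": "192.0.2.11"},
    {"request_id": "r3", "user_id": "0",     "login_time": "2008-06-01 02:02", "ip": "192.0.2.12"},
    {"request_id": "r3", "user_id": "bob",   "login_time": "2008-06-01 02:03", "ip": "192.0.2.13"},  # repeated request id
    {"request_id": "r5", "user_id": "",      "login_time": "2008-06-01 02:04", "ip": "192.0.2.14"},  # empty required field
    {"request_id": "r6", "user_id": "alice", "login_time": "2008-06-01 02:00", "ip": "192.0.2.10"},  # duplicate content of r1
    {"request_id": "r7", "user_id": "0",     "login_time": "2008-06-01 02:05", "ip": "192.0.2.15"},
]


def check_required_fields(records):
    """Indexes of records with a null or empty required field."""
    return [i for i, rec in enumerate(records)
            if any(rec.get(f) in (None, "") for f in REQUIRED_FIELDS)]


def check_dominant_user(records, threshold=DOMINANT_USER_THRESHOLD):
    """(user_id, share) if a single user id exceeds the share threshold, else None."""
    if not records:
        return None
    user, n = Counter(rec.get("user_id") for rec in records).most_common(1)[0]
    share = n / len(records)
    return (user, share) if share > threshold else None


def check_unique_request_ids(records):
    """Request identifiers that occur more than once (they must be unique)."""
    counts = Counter(rec.get("request_id") for rec in records)
    return sorted(r for r, n in counts.items() if n > 1)


def check_duplicate_records(records, key_fields=("user_id", "login_time", "ip")):
    """Field combinations that appear in more than one record (duplicate content
    skews results and can raise false alerts)."""
    counts = Counter(tuple(rec.get(f) for f in key_fields) for rec in records)
    return sorted(k for k, n in counts.items() if n > 1)


def check_over_length(records, column_limits):
    """(index, field) pairs whose value is longer than the width of the column it
    will be stored in, i.e. values a temporary-database load would truncate."""
    hits = []
    for i, rec in enumerate(records):
        for field, limit in column_limits.items():
            value = rec.get(field)
            if value is not None and len(str(value)) > limit:
                hits.append((i, field))
    return hits


def validate(records, column_limits=None):
    """Run every check; an empty list or None means that check passed."""
    return {
        "missing_required": check_required_fields(records),
        "dominant_user": check_dominant_user(records),
        "duplicate_request_ids": check_unique_request_ids(records),
        "duplicate_records": check_duplicate_records(records),
        "over_length": check_over_length(records, column_limits or {}),
    }


if __name__ == "__main__":
    # Assumed column width for user_id in the temporary database: 4 characters.
    for name, finding in validate(SAMPLE_RECORDS, {"user_id": 4}).items():
        print(f"{name}: {finding}")
```

On the sample data the script reports the empty user id, the user id "0" at three of seven records (above 30%), the repeated request identifier r3, the duplicate content shared by r1 and r6, and the two "alice" values that would not fit a four-character column. Fix the source before loading rather than letting the loader process such rows.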
If you are loading from a custom database, you need to set the properties labeled Remote RA DB Type, Remote RA DB Class, Remote RA DB JDBC URL, Remote RA DB User or Schema, and Remote RA DB Password to the values required to connect to the custom database.
For a run configuration, you specify the characteristics of the offline run session: transaction size, throttle, and write pool size.
You will use the run configuration when you run rules against the entire database or against a subset of the database.
To create a new run configuration:
On the Admin menu, point to DB Configurations and then click Create Configurations.
The Create Configurations page appears.
From the Configuration Type menu, select Run.
From the Config Name menu, select Create New Configuration.
If you've already created the configuration, you can select from the names of existing configurations.
The Create New Configurations page appears.
Enter a name for the configuration.
From the Status menu, select the status you want:
Active (Enable) or Inactive (Disable)
Enter any appropriate notes.
Click Create.
The properties panel enables you to configure and edit properties.
Review the list of properties at the bottom of the page and modify depending upon the location and structure of your data source.
Click Save.
Transactions can be grouped into session sets, subsets of a larger body of data, and played back and studied for trends.
After the administrator has loaded the database configurations into Adaptive Risk Manager Offline, you can run the rules against the entire database or against a session set.
If you create a session set, you can choose to pull:
new data periodically from the database (auto-increment the data)
only the data that falls within a specific date range
An auto increment session set pulls new data at preset intervals from Adaptive Risk Manager Online.
To create an auto increment session set:
On the Manage Data menu, point to Sessions Sets and then click Create Session Set.
The Create Session Set page appears.
From the Set Type menu, select Auto Increment.
From the Set Name menu, select Create New Session Set.
Enter a name for the session set.
Enter any appropriate notes.
To start auto-incrementing on a specific date, click the calendar icon and select the date you want.
Click Create and then click Save on the next page.
A date range session set pulls only the data that falls within a specific date range.
To create a date range session set:
On the Manage Data menu, point to Sessions Sets and then click Create Session Set.
The Create Session Set page appears.
From the Set Name menu, select Create New Session Set.
Enter a name for the session set.
Enter any appropriate notes.
Click the calendar icons and select the From Date and To Date.
Click Create and then click Save on the next page.
There are a few functions that are disabled in Offline. They can be reconfigured by adding properties to the bharosa_server.properties file. Details for bharosa_server.properties are provided in the Oracle Adaptive Access Manager Installation and Configuration Guide.
In addition to the properties in bharosa_server.properties, you may want to turn on the following features.
To use Auto-learning (pattern analysis):
Import default entities.
Enable Auto-learning properties
vcrypt.tracker.autolearning.enabled=true
vcrypt.tracker.autolearning.use.auth.status.for.analysis=true
vcrypt.tracker.autolearning.use.tran.status.for.analysis=true
Define and enable patterns.
Perform load and the run at the same time.
You cannot perform the load and then the run if you want Auto-learning.
Refer to Chapter 8, "Auto-learning and Patterns" for detailed information about Auto-learning and pattern creation.
Rule Logging for detailed information can be turned on by setting:
vcrypt.tracker.rules.trace.policySet=true
vcrypt.tracker.rules.trace.policySet.min.ms=100
Configurable actions can be enabled by setting:
dynamicactions.enabled=true
For information on configuring a Configurable Action, refer to Chapter 5, "Configurable Actions."
This section contains instructions for
When you load a session set you specify:
the database configuration you want to use
the session set (or subset of that database) you want to run
the interval type if you're using an auto-increment session set
whether to load immediately or on a schedule
To load data:
On the Manage Data menu, point to Run/Load and then click Load Data.
The Load Data page appears.
Enter a name for the session data that is being loaded.
From the Config menu, select the load configuration that has been created for this load.
For information on the load database configurations, refer to Section 13.2, "Creating a New Database Configuration to Access Offline Data."
From the Session Sets menu, select the session set you want.
Enter any appropriate notes.
If you want to load the data immediately, click Load. If you want to schedule the load instead, skip this step and continue on to the next step.
To schedule load data:
select the Interval Type
The Interval Type is the frequency of the schedule. You can choose Daily, Hourly, Monthly, None, or Weekly.
select the Suspend Time, if required
Suspend Time is the number of hours the task should be allowed to run before it is automatically stopped.
enter a Begin Time
Begin Time is the start date for the schedule. For example, 06/01/08 02:00 hours.
enter an End Time
End Time is the end date for the schedule. For example, 07/31/08 23:59 hours.
enter an Interval Value
Enter a valid positive numeric value. It cannot be zero. This is the time-off value in between schedules. For example, in an hourly schedule where the interval value is 2, if the current schedule runs at 06:00 hours, after an interval of 2 hours, the next schedule will begin (08:00 hours).
Then, click Schedule.
When you run data you specify:
the database configuration you want the data to come from
the session set (the subset of the data) that you have predefined and now want to run
For example, you may have created a session set that specifies a date range during which you observed suspicious activity.
whether to run the data immediately or on a schedule
To run data:
On the Manage Data menu, point to Run/Load and then click Run Data.
The Run Data page appears.
Enter a name for the data you want to run.
From the Config menu, select the run configuration that has been created to run data.
For information on run database configurations, refer to Section 13.2, "Creating a New Database Configuration to Access Offline Data."
From the Session Sets menu, select the session set you want.
Enter any appropriate notes.
If you want to run the data immediately, click Run. If you want to schedule the run instead, skip this step and continue on to the next step.
To schedule run data:
select the Interval Type
The Interval Type is the frequency of the schedule. You can choose Daily, Hourly, Monthly, None, or Weekly.
select the Suspend Time, if required
Suspend Time is the number of hours the task should be allowed to run before it is automatically stopped.
enter a Begin Time
Begin Time is the start date for the schedule. For example, 06/01/08 02:00 hours.
enter an End Time
End Time is the end date for the schedule. For example, 07/31/08 23:59 hours.
enter an Interval Value
Enter a valid positive numeric value. It cannot be zero. This is the time-off value in between schedules. For example, in an hourly schedule where the interval value is 2, if the current schedule runs at 06:00 hours, after an interval of 2 hours, the next schedule will begin (08:00 hours).
Then, click Schedule.
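The schedule fields are the same for loads and runs, so the added example below covers both procedures. It is not code from the Oracle guide or the product; it computes the start times a schedule would produce from the Interval Type, Interval Value, Begin Time and End Time as the guide defines them, and checks the Suspend Time against the interval. Treating Interval Type None as a single run at Begin Time, the end-of-month clamping for Monthly schedules, and the sample dates are assumptions of this example (the hourly example with an Interval Value of 2 is the guide's own).

```python
"""Added example (not from the Oracle guide): enumerate the start times of a Load
or Run schedule from its Interval Type, Interval Value, Begin Time and End Time."""
from datetime import datetime, timedelta

INTERVAL_TYPES = ("Daily", "Hourly", "Monthly", "None", "Weekly")  # choices from the guide


def _add_months(dt, months):
    """Advance dt by whole months, clamping the day to the target month's length
    (assumption: a schedule begun on the 31st runs on the last day of shorter months)."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    next_first = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    days_in_month = (next_first - datetime(year, month, 1)).days
    return dt.replace(year=year, month=month, day=min(dt.day, days_in_month))


def run_time(begin, k, interval_type, interval_value):
    """Start time of the k-th run; k = 0 is Begin Time itself."""
    step = k * interval_value
    if interval_type == "Hourly":
        return begin + timedelta(hours=step)
    if interval_type == "Daily":
        return begin + timedelta(days=step)
    if interval_type == "Weekly":
        return begin + timedelta(weeks=step)
    if interval_type == "Monthly":
        return _add_months(begin, step)
    raise ValueError(f"unsupported Interval Type: {interval_type}")


def schedule_times(begin, end, interval_type, interval_value=1, max_runs=10000):
    """All scheduled start times from Begin Time up to and including End Time.

    Interval Value must be a positive, non-zero integer (guide). Interval Type
    None is taken to mean one run at Begin Time (assumption of this example).
    """
    if interval_type not in INTERVAL_TYPES:
        raise ValueError(f"unknown Interval Type: {interval_type}")
    if end < begin:
        raise ValueError("End Time must not precede Begin Time")
    if interval_type == "None":
        return [begin]
    if not isinstance(interval_value, int) or interval_value <= 0:
        raise ValueError("Interval Value must be a positive non-zero integer")
    times = []
    k = 0
    while len(times) < max_runs:
        t = run_time(begin, k, interval_type, interval_value)
        if t > end:
            break
        times.append(t)
        k += 1
    return times


def overlaps_previous_run(times, suspend_hours):
    """True if a task allowed to run for suspend_hours could still be active when
    the next scheduled start arrives, i.e. Suspend Time exceeds the interval."""
    return any(a + timedelta(hours=suspend_hours) > b for a, b in zip(times, times[1:]))


if __name__ == "__main__":
    # The guide's example: hourly, Interval Value 2, 06/01/08 02:00 to 07/31/08 23:59.
    hourly = schedule_times(datetime(2008, 6, 1, 2, 0), datetime(2008, 7, 31, 23, 59), "Hourly", 2)
    print(len(hourly), "runs; first four:", [t.strftime("%m/%d/%y %H:%M") for t in hourly[:4]])
    print("Suspend Time of 3 hours overlaps the next run:", overlaps_previous_run(hourly, 3))
```

With the guide's hourly example, the run at 06:00 is followed by one at 08:00, and 731 start times fall inside the date range. The overlap check is worth running before you click Schedule: a Suspend Time longer than the interval means a slow load may still be active when the next one is due.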
Once records have been loaded from a data source, the system will not allow you to go back and load earlier records from that same data source. If you need those records, you must create a new identical DB Config, and use that to load the earlier records. Be sure that the dates on your session set do not overlap with existing records, or you will have duplicate records.
This section contains information on stopping and pausing Adaptive Risk Manager Offline.
Use Stop if there is need to stop the Load/Run process immediately. Stop will flush requests in the queue and stop the process. "Pause" is preferred over "Stop".
The Resume option is not available for a stopped process. A new session set has to be created to resume the process.
This section describes how to monitor Adaptive Risk Manager Offline using the Dashboard and Server Logs.
Use the Adaptive Risk Manager Offline Dashboard to view the statistics on the rate of log ins; the data loaded from Adaptive Risk Manager Online (session set) or from a remote, custom source (load); the data that models are run against (run). Refer to Chapter 11, "Using the Dashboard."
Please note that in Offline, the reports on the dashboard are based on the execution time rather than the login time (as in Online).
Use the following sections of the Dashboard to monitor the loader process:
The performance panel on the top gives the throughput in terms of log ins per minute, transactions loaded per minute, and so on. A trending graph is shown of the different types of data based on performance so that loader trends can be monitored.
The dashboard on the bottom presents historical data. Select Performance from the Dashboard list. Performance can be monitored in terms of average response time of APIs, Rules, and so on. Trend graphs are available for the selection.
For every 1000 requests processed, the loader process prints the time taken to process those 1000 requests. These logs provide a good indication of throughput.
Make sure you have the following properties set:
bharosa.db.query.performance.warning.print.stack=false
bharosa.db.query.performance.warning.threshold.ms=200
The server writes SQL statements that took more than 200 ms to execute to the log file.
Occasional slow SQL statements in the logs are fine, considering the load being handled. However, a high number of them indicates possible improvements in the database or network areas.
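Because the Auto-learning, rule trace, configurable-action and slow-query settings in this chapter all live in bharosa_server.properties, it is useful to check the file before a load rather than discover a missing property from the results. The following is an added example, not from the Oracle guide or the product: a small reader for the Java .properties format and a comparison against the values the chapter names. The property names and values are the guide's; the parser and the sample file fragment are constructed for this example, and the 100 ms and 200 ms thresholds are the guide's example values rather than mandatory ones.

```python
"""Added example (not from the Oracle guide): check a bharosa_server.properties
fragment for the Offline settings named in this chapter."""

# Values this chapter says to set (the two millisecond thresholds are the guide's examples).
EXPECTED = {
    "vcrypt.tracker.autolearning.enabled": "true",
    "vcrypt.tracker.autolearning.use.auth.status.for.analysis": "true",
    "vcrypt.tracker.autolearning.use.tran.status.for.analysis": "true",
    "vcrypt.tracker.rules.trace.policySet": "true",
    "vcrypt.tracker.rules.trace.policySet.min.ms": "100",
    "dynamicactions.enabled": "true",
    "bharosa.db.query.performance.warning.print.stack": "false",
    "bharosa.db.query.performance.warning.threshold.ms": "200",
}

# Constructed sample: two settings missing, one with a different value, one
# written with ':' and one continued over two lines, as .properties files allow.
SAMPLE_PROPERTIES = """\
# constructed sample of a bharosa_server.properties fragment
vcrypt.tracker.autolearning.enabled=true
vcrypt.tracker.autolearning.use.auth.status.for.analysis = true
! old-style comment line
vcrypt.tracker.rules.trace.policySet:true
vcrypt.tracker.rules.trace.policySet.min.ms=250
bharosa.db.query.performance.warning.print.stack=false
bharosa.db.query.performance.warning.threshold.ms=\\
   200
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    surrounding whitespace, and backslash line continuations."""
    props = {}
    pending = ""                      # accumulated text of a continued line
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]       # continuation: join with the next line
            continue
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                key, value = line[:i], line[i + 1:]
                break
        else:
            key, value = line, ""     # key with no separator has an empty value
        props[key.strip()] = value.strip()
    return props


def check_properties(text, expected=EXPECTED):
    """Report expected keys that are absent and keys whose value differs."""
    props = parse_properties(text)
    missing = sorted(k for k in expected if k not in props)
    mismatched = {k: (props[k], v) for k, v in expected.items()
                  if k in props and props[k] != v}
    return {"missing": missing, "mismatched": mismatched}


if __name__ == "__main__":
    report = check_properties(SAMPLE_PROPERTIES)
    print("missing:", report["missing"])
    print("mismatched (found, expected):", report["mismatched"])
```

On the sample fragment the checker reports dynamicactions.enabled and the tran.status Auto-learning property as missing and flags the rule trace threshold of 250 against the guide's 100; a real file would be read with open() and passed to check_properties in place of SAMPLE_PROPERTIES.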
Many reports are available in Oracle Adaptive Access Manager that make it easier to monitor Adaptive Risk Manager Offline, to identify fraudulent attempts and opportunities for optimization, and to report fraudulent attempts. For more information on reports, refer to Chapter 12, "Reporting."
After discovering trends and suspicious activity, you can start creating new rules and models to capture these attacks.
Create new rules and models to trap the attacks.
Run the old data (predictable data) through the new rules and models to ensure they are functioning as expected.
Reexamine reports to see if the new rules helped.
When you are satisfied that the model is functioning as expected, migrate the model in pre-production where performance testing can be run.
This is an important step since the new rule template and/or model can potentially have a big performance impact. For example, suppose you define a new model to check that a user is not using an email address that has ever been used before. If you have over 1 billion records in your database, performing that check against all the records for every transaction will have a great impact on performance. Therefore, testing the model under load is important.
Only when you are satisfied that your new rule/model is functioning as expected and does not adversely affect performance should it be implemented on Adaptive Risk Manager Online.
This section contains the following topics:
In 10.1.4.5.2, a new Scheduler user interface for viewing internal system tasks is present for both Adaptive Risk Manager Online and Offline. In Offline mode, the new user interface is in addition to the standard Adaptive Risk Analyzer Offline Scheduler for viewing loads and runs in Offline. This new Scheduler user interface is intended for debugging purposes; it is not used for scheduling tasks.
To view a list of database configurations:
On the Admin menu, point to DB Configurations and then click List Configurations.
The List Configurations page appears.
To quickly find the configuration you want, enter the name of the configuration.
To filter the list by configuration type, from the Type menu, select the type you want.
To filter the list by status, from the Status menu, select the status you want.
Press Submit Query.
Click the configuration you want.
The Create Configurations page for that configuration appears.
To view a list of all session sets:
On the Manage Data menu, point to Sessions Sets and then click List Session Sets.
To quickly find the session set you want, enter the name.
Click Submit Query.
In the list of session sets, click the name of the session set you want.
The Create Session Sets page appears.
To delete a session set, select the session set you want and click Delete.
You can view a list of session sets that have been loaded into Adaptive Risk Manager Offline.
To view a list of loads:
On the Manage Data menu, point to Run/Load and then click List Loads.
The List Loads page appears.
To quickly find the load you want, enter the name.
To filter the list by status, from the Status menu, select the status you want.
To narrow the list by date range, click the calendar icons and select the From and To dates you want.
Click Submit Query.
The List Load page appears.
To delete a load, select the load you want and click Delete.
If you want to view details about the load, click the load you want.
A screen with the load details appears.
Use the pause/resume button if you want to pause the load and resume it later.
To view a list of scheduled tasks:
On the Manage Data menu, point to Run/Load and then click List Schedulers.
The List Schedulers page appears.
Specify the search criteria:
Schedule Name
Schedule Type
Interval Type
Status
Date range
Click Submit Query.
The List Scheduler page appears.
To delete a scheduler, select the scheduler you want and click Delete.
If you want to view information about the scheduler, click the scheduler you want.
You can view a list of runs that have been performed in Adaptive Risk Manager Offline.
To view a list of runs:
On the Manage Data menu, point to Run/Load and then click List Runs.
The List Runs page appears.
To quickly find the run you want, enter the name.
To filter the list by status, from the Status menu, select the status you want.
To narrow the list by date range, click the calendar icons and select the From and To dates you want.
Click Submit Query.
The List Run page appears.
To delete a run, select the run you want and click Delete.
You cannot delete a run while the run is in progress or when logs are associated with it. In those cases, you can stop or pause the run.
If you want to view details about the run, click the run you want.
A screen with the run details appears.
Use the pause/resume button if you want to pause the run and resume it later.
This section provides information on how to troubleshoot problems that you might encounter when using Adaptive Risk Manager Offline.
Make sure the connection string specified for Remote RA DB JDBC URL in your DB Config contains the parameter, "selectMethod=cursor", as shown in the example below:
jdbc:sqlserver://localhost:1433;databaseName=oaam_offline;selectMethod=cursor
If you encounter situations where no records are loaded and the Status is Complete, the following steps may help when trying to resolve the issues:
Check the JDBC parameters in your DB Config for correct database configuration.
Ensure begin and end dates in session set definition are set per your needs.
Check logs for errors.