MAC-MLA 2008 Do You Really Know Who is Using Your Systems? Stephan Spitzer Lead Developer/DBA,...

Post on 14-Jan-2016


MAC-MLA 2008

Do You Really Know Who is Using Your Systems?

Stephan Spitzer
Lead Developer/DBA, Applied Medical Informatics
James A. Zimble Learning Resource Center

UNIFORMED SERVICES UNIVERSITY of the Health Sciences
James A. Zimble Learning Resource Center
MAC-MLA 2008

Problem Overview

“On the Internet, Nobody Knows You’re a Dog”

A cartoon by Paul Steiner, which appeared in The New Yorker, July 5th, 1993


Who We Are?

• Uniformed Services University of the Health Sciences (USUHS)
• Medical education and research facility for the nation’s military and public health community
• Located in Bethesda, Maryland


Electronic Resources (ER)

• Portal to over 9,000 electronic resources
• Services over 7,500 global users:
  • Current students and staff
  • Alumni
  • Affiliate institutions


ER - Main Display


Why Worry About Access?

• Most of our resource offerings are limited by license agreements
• We need to have accurate usage statistics so that we supply resources for our legitimate users
• Affiliate institutions pay us per user
• We have a large, mobile, diverse, and dispersed user population


First Step - Record Access Information

ACTION:
• Each user signon date and time is saved with patron record
RESULT:
• Inactive users can be purged from the active user database

ACTION:
• Each user access of an electronic resource is logged, including browser’s IP address
RESULT:
• Have basis for more detailed checking


Google Analytics - Next Step

• Free service gathers various usage information about web sites
• Simple to configure


Google Analytics - Dashboard


Google Analytics - Network Detail


What’s Missing?

• We have user’s access information
• We have locations that accessed our resources
• Need to match: LOCATION <> USER


Matching IP to Location - What Doesn’t Work (Well)

• Internet’s Domain Name System (DNS)
  • Distributed database of name servers
  • Resolve names to locations
• http://network-tools.com/ information via browser
• Nslookup, whois client, etc. are real-time (i.e., too slow)
• Need something static and fast


GeoLite City - The Missing Link

• Open Source (free) database of geographic information
• Maps IP to City/Country, world-wide
• Self-contained database
• Simple API available for most programming languages
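The previous slide rejects nslookup and whois because each answer costs a network round trip; this slide's answer is a self-contained table queried locally. The Python below is an added example (not the presentation's PHP script and not the MaxMind API) of how such a range table is searched: rows sorted by first address, binary search for the candidate row, then a bounds check. The ranges, cities and countries are constructed placeholders built from documentation address blocks, not GeoLite City data.

```python
import bisect
import ipaddress

# Constructed stand-in for a GeoLite City style range table. Each row maps
# the inclusive address range [first, last] (as integers) to (city, country).
# These rows use documentation address blocks only; a real table is loaded
# once from the MaxMind download, which is what makes lookups offline and fast.
def _ip(s):
    return int(ipaddress.ip_address(s))

RANGES = sorted([
    (_ip("192.0.2.0"),    _ip("192.0.2.127"),   ("Bethesda", "US")),
    (_ip("192.0.2.128"),  _ip("192.0.2.255"),   ("San Antonio", "US")),
    (_ip("198.51.100.0"), _ip("198.51.100.63"), ("Manila", "PH")),
    (_ip("203.0.113.0"),  _ip("203.0.113.255"), ("Novosibirsk", "RU")),
])
STARTS = [first for first, _, _ in RANGES]  # parallel list for bisect

# RFC 1918 space never appears in a public geolocation table; an access logged
# from one of these addresses came through something internal (for example a
# site proxy) and must be reported as "location unknown", not guessed.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lookup(ip):
    """Return (city, country) for an IPv4 address, or None when unmapped."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or any(addr in net for net in RFC1918):
        return None
    n = int(addr)
    # Last range whose first address is <= n, then confirm n is inside it
    # (the table has gaps, so the candidate row is not guaranteed to cover n).
    i = bisect.bisect_right(STARTS, n) - 1
    if i < 0:
        return None
    first, last, location = RANGES[i]
    return location if first <= n <= last else None


def locate_all(ips):
    """Batch lookup over a log's distinct addresses: pure in-memory work, no
    network calls, which is the 'static and fast' property the slides want."""
    return {ip: lookup(ip) for ip in set(ips)}


if __name__ == "__main__":
    for ip, loc in sorted(locate_all(["192.0.2.77", "198.51.100.100", "10.0.0.1"]).items()):
        print(ip, loc)
```

Each lookup is a binary search over the start addresses, so resolving every distinct IP in a month of access logs takes milliseconds and never touches the network. Callers should keep the None results rather than dropping them: an address the table cannot place still counts as an access by that patron.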


Putting It All Together

• Wrote PHP script to query MySQL access logs and call GeoCity API to get user locations
• Find each patron access within a timeframe and list where and when they accessed our resources


Suspicious Activity

• Odd Locations
  • Siberia?; Philippines?
• “Excessive” Usage
  • Access 24x7; lots of access in short timeframes; consistent high access
• Impossible Geographic/Timeframe Usage
  • Different cities/countries/continents in same day/hour
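The three checks on this slide, run over the per-patron access list that the "Putting It All Together" script builds from the records described under "First Step", as an added example in Python (the presentation's own script was PHP against MySQL and is not reproduced here). An in-memory SQLite table stands in for the MySQL access log, a fixed GEO map stands in for the GeoLite City API call, and every user, address (documentation ranges), resource name and timestamp is constructed for the demonstration.

```python
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the GeoLite City lookup: IP -> (city, country).
# The real script calls the MaxMind API; a fixed map is enough to drive the rules.
GEO = {
    "192.0.2.10": ("Bethesda", "US"),
    "192.0.2.11": ("Bethesda", "US"),
    "198.51.100.7": ("San Antonio", "US"),
    "203.0.113.5": ("Novosibirsk", "RU"),
    "203.0.113.9": ("Manila", "PH"),
}

# Constructed access-log rows (user, resource, ip, timestamp), shaped like the
# per-access records the 'First Step' slide says are logged. Resource names are
# placeholders; 'carol' gets a 12-hit burst so the usage rule has something to find.
ROWS = [
    ("alice", "ejournal-1", "192.0.2.10",  "2008-04-14T08:05:00"),
    ("alice", "ejournal-2", "192.0.2.11",  "2008-04-14T12:30:00"),
    ("bob",   "ejournal-1", "203.0.113.5", "2008-04-14T03:10:00"),
    ("bob",   "database-1", "203.0.113.5", "2008-04-14T03:25:00"),
    ("dave",  "ejournal-1", "192.0.2.10",  "2008-04-14T09:00:00"),
    ("dave",  "ejournal-1", "203.0.113.9", "2008-04-14T09:40:00"),
] + [("carol", "database-1", "198.51.100.7", f"2008-04-14T22:{m:02d}:00")
     for m in range(12)]


def load_log(rows=ROWS):
    """In-memory SQLite stands in for the MySQL access log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE access_log (user TEXT, resource TEXT, ip TEXT, ts TEXT)")
    conn.executemany("INSERT INTO access_log VALUES (?, ?, ?, ?)", rows)
    return conn


def accesses_in_window(conn, start, end, geo=GEO):
    """Each patron's accesses in [start, end], oldest first, with locations
    resolved: {user: [(time, ip, city, country, resource), ...]}."""
    cur = conn.execute(
        "SELECT user, ts, ip, resource FROM access_log "
        "WHERE ts BETWEEN ? AND ? ORDER BY user, ts", (start, end))
    per_user = defaultdict(list)
    for user, ts, ip, resource in cur:
        city, country = geo.get(ip, ("unknown", "??"))  # unmapped IPs stay in the list
        per_user[user].append((datetime.fromisoformat(ts), ip, city, country, resource))
    return dict(per_user)


def odd_locations(per_user, expected_countries):
    """Rule 1: any access from a country outside the expected set."""
    hits = {(u, city, country) for u, acc in per_user.items()
            for _, _, city, country, _ in acc if country not in expected_countries}
    return sorted(hits)


def excessive_usage(per_user, window, threshold):
    """Rule 2: at least `threshold` accesses inside any span of `window`.
    Sliding window over the time-sorted list; returns {user: peak count}."""
    flagged = {}
    for user, acc in per_user.items():
        times = [t for t, *_ in acc]
        peak, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > window:   # drop accesses older than the window
                j += 1
            peak = max(peak, i - j + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def impossible_travel(per_user, max_gap):
    """Rule 3: consecutive accesses from different countries closer together than
    `max_gap`. Returns (user, from_city, from_country, to_city, to_country, gap)."""
    hits = []
    for user, acc in per_user.items():
        for (t1, _, c1, k1, _), (t2, _, c2, k2, _) in zip(acc, acc[1:]):
            if k1 != k2 and t2 - t1 <= max_gap:
                hits.append((user, c1, k1, c2, k2, t2 - t1))
    return hits


def report(conn, start, end):
    """Thresholds here are assumptions to tune per site, not values from the slides."""
    per_user = accesses_in_window(conn, start, end)
    return {
        "odd_locations": odd_locations(per_user, {"US"}),
        "excessive_usage": excessive_usage(per_user, timedelta(minutes=15), 10),
        "impossible_travel": impossible_travel(per_user, timedelta(hours=1)),
    }


if __name__ == "__main__":
    for rule, hits in report(load_log(), "2008-04-14T00:00:00", "2008-04-14T23:59:59").items():
        print(rule, hits)
```

The output of report() is a list of leads, not verdicts: as the Findings slide notes, a site or organisation that routes patrons through a proxy can make one address stand for many people, or make a single legitimate patron appear to jump between countries within the hour, which is exactly the "Two Users - Two Stories" distinction. The rules also surface accounts whose address the lookup could not place (country "??"), so those are reviewed rather than silently ignored.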


Example - Odd Location

• Found our Siberian user:


Example - “Excessive” Usage

• This is one user for one day:


Example - Impossible Geography

• Two Users - Two Stories:
  • Legitimate
  • Problematic


Findings

• Site/Organization utilizes proxies
• Account info left in browser
• Explicit sharing of account
• Account compromised


Access Results

Month     2007       2008
--------  --------   --------
Apr       30,526     38,666
--- take user access actions ---
May       28,469     32,003
June      29,439     25,656
July      31,747     30,935


Follow-Up

“Doveryai, No Proveryai” (Trust, but Verify)

• Re-run script periodically to check compliance


Resources

• Google Analytics
  • http://www.google.com/analytics/
• GeoLite City
  • http://www.maxmind.com/app/geolitecity
• This Presentation
  • http://www.lrc.usuhs.mil/brown/MAC-MLA2008_Spitzer.pps
• My Contact Information
  • Stephan.Spitzer.ctr@lrcm.usuhs.mil


Questions?