8 Analyzing logs for fraud and attacks

This chapter covers

  • Examining the components of a logging pipeline’s analysis layer
  • Detecting fraud and attacks using string signatures, statistics, and historical data
  • Managing techniques for alerting users without overwhelming them

In chapter 7, you learned how to build a logging pipeline to collect, stream, analyze, store, and access logs across the infrastructure. A multilayered pipeline creates a flexible infrastructure where logs from different origins are used to monitor the activity of the organization’s services. Chapter 7 gave an overview of the functionalities provided by each layer of the pipeline. In this chapter, we’ll focus on the third layer, the analysis layer, and dive into techniques and code samples to detect fraud and attacks on services.

8.1 Architecture of a log-analysis layer

8.2 Detecting attacks using string signatures

8.3 Statistical models for fraud detection

8.3.1 Sliding windows and circular buffers

8.3.2 Moving averages

8.4 Using geographic data to find abuses

8.4.1 Geoprofiling users

8.4.2 Calculating distances

8.4.3 Finding a user’s normal connection area

8.5 Detecting anomalies in known patterns

8.5.1 User-agent signature

8.5.2 Anomalous browser

8.5.3 Interaction patterns

8.6 Raising alerts to operators and end users

8.6.1 Escalating security events to operators

8.6.2 How and when to notify end users

Summary