MAC-MLA 2008 Do You Really Know Who is Using Your Systems? Stephan Spitzer Lead Developer/DBA, Applied Medical Informatics James A. Zimble Learning Resource Center UNIFORMED SERVICES UNIVERSITY of the Health Sciences James A. Zimble Learning Resource Center


Page 1: Do You Really Know Who is Using Your Systems?

MAC-MLA 2008

Do You Really Know Who is Using Your Systems?

Stephan Spitzer
Lead Developer/DBA, Applied Medical Informatics
James A. Zimble Learning Resource Center

UNIFORMED SERVICES UNIVERSITY of the Health Sciences
James A. Zimble Learning Resource Center

Page 2: Do You Really Know Who is Using Your Systems?

Problem Overview

“On the Internet, Nobody Knows You’re a Dog”

A cartoon by Paul Steiner, which appeared in The New Yorker, July 5th, 1993

Page 3: Do You Really Know Who is Using Your Systems?

Who We Are?

• Uniformed Services University of the Health Sciences (USUHS)
• Medical education and research facility for the nation’s military and public health community
• Located in Bethesda, Maryland

Page 4: Do You Really Know Who is Using Your Systems?

Electronic Resources (ER)

• Portal to over 9,000 electronic resources
• Services over 7,500 global users:
  • Current students and staff
  • Alumni
  • Affiliate institutions

Page 5: Do You Really Know Who is Using Your Systems?

ER - Main Display

Page 6: Do You Really Know Who is Using Your Systems?

Why Worry About Access?

• Most of our resource offerings are limited by license agreements
• We need to have accurate usage statistics so that we supply resources for our legitimate users
• Affiliate institutions pay us per user
• We have a large, mobile, diverse, and dispersed user population

Page 7: Do You Really Know Who is Using Your Systems?

First Step - Record Access Information

ACTION:
• Each user signon date and time is saved with patron record
RESULT:
• Inactive users can be purged from the active user database

ACTION:
• Each user access of an electronic resource is logged, including browser’s IP address
RESULT:
• Have basis for more detailed checking

Page 8: Do You Really Know Who is Using Your Systems?

Google Analytics - Next Step

• Free service gathers various usage information about web sites
• Simple to configure

Page 9: Do You Really Know Who is Using Your Systems?

Google Analytics - Dashboard

Page 10: Do You Really Know Who is Using Your Systems?

Google Analytics - Network Detail

Page 11: Do You Really Know Who is Using Your Systems?

What’s Missing?

• We have user’s access information
• We have locations that accessed our resources
• Need to match: LOCATION <> USER

Page 12: Do You Really Know Who is Using Your Systems?

Matching IP to Location - What Doesn’t Work (Well)

• Internet’s Domain Name System (DNS)
  • Distributed database of name servers
  • Resolve names to locations
• http://network-tools.com/ information via browser
• Nslookup, whois client, etc. are real-time (i.e., too slow)
• Need something static and fast

Page 13: Do You Really Know Who is Using Your Systems?

GeoLite City - The Missing Link

• Open Source (free) database of geographic information
• Maps IP to City/Country, world-wide
• Self-contained database
• Simple API available for most programming languages

Page 14: Do You Really Know Who is Using Your Systems?

Putting It All Together

• Wrote PHP script to query MySQL access logs and call GeoCity API to get user locations
• Find each patron access within a timeframe and list where and when they accessed our resources

Page 15: Do You Really Know Who is Using Your Systems?

Suspicious Activity

• Odd Locations
  • Siberia?; Philippines?
• “Excessive” Usage
  • Access 24x7; lots of access in short timeframes; consistent high access
• Impossible Geographic/Timeframe Usage
  • Different cities/countries/continents in same day/hour
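The checks from "Putting It All Together" and "Suspicious Activity", as an added Python example that is not the talk's PHP script: it reads constructed access-log rows, geolocates each IP through a stand-in prefix table in place of the GeoLite City lookup, and flags the three categories above per patron. The row format, the prefix table, EXPECTED_COUNTRIES, MAX_PER_HOUR and the one-hour window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the GeoLite City lookup (IP prefix -> city, country);
# the talk's script calls the real GeoCity API with the full address instead.
GEO_TABLE = {"203.0.113.": ("Bethesda", "US"),
             "198.51.100.": ("Novosibirsk", "RU"),
             "192.0.2.": ("Manila", "PH")}
EXPECTED_COUNTRIES = {"US"}  # assumed: where licensed patrons normally are
MAX_PER_HOUR = 60            # assumed threshold for "excessive" usage
HOUR = timedelta(hours=1)

def geolocate(ip):
    """Map an IP to (city, country); unknown prefixes become ('?', '?')."""
    return next((loc for p, loc in GEO_TABLE.items() if ip.startswith(p)), ("?", "?"))

def parse_log(lines):
    """Constructed row format: user<TAB>YYYY-MM-DD HH:MM:SS<TAB>ip -> patron: sorted accesses."""
    by_user = defaultdict(list)
    for line in lines:
        user, ts, ip = line.strip().split("\t")
        by_user[user].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip))
    return {u: sorted(a) for u, a in by_user.items()}

def flag_user(accesses):
    """Return the talk's suspicious-activity categories that apply to one patron."""
    flags = set()
    locs = [geolocate(ip) for _, ip in accesses]
    if any(country not in EXPECTED_COUNTRIES for _, country in locs):
        flags.add("odd_location")
    # Excessive usage: more than MAX_PER_HOUR accesses inside any sliding one-hour window
    for i, (t0, _) in enumerate(accesses):
        if sum(1 for t, _ in accesses[i:] if t - t0 <= HOUR) > MAX_PER_HOUR:
            flags.add("excessive_usage")
            break
    # Impossible geography: consecutive accesses from different cities within one hour
    for (t1, _), l1, (t2, _), l2 in zip(accesses, locs, accesses[1:], locs[1:]):
        if l1 != l2 and t2 - t1 <= HOUR:
            flags.add("impossible_geography")
            break
    return flags

def report(lines):
    # Patron -> sorted flags; an empty list means nothing looked suspicious
    return {u: sorted(flag_user(a)) for u, a in parse_log(lines).items()}

SAMPLE_LOG = [  # constructed sample rows, not real patron data
    "alice\t2008-04-01 09:00:00\t203.0.113.5",
    "alice\t2008-04-01 09:30:00\t203.0.113.7",
    "bob\t2008-04-01 10:00:00\t203.0.113.9",
    "bob\t2008-04-01 10:20:00\t198.51.100.3",  # "Siberia" twenty minutes later
]
```

Running `report(SAMPLE_LOG)` leaves alice unflagged and marks bob for both an odd location and impossible geography; a legitimate proxy or VPN produces the same pattern, which is why the talk treats the output as a lead to check rather than a verdict.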

Page 16: Do You Really Know Who is Using Your Systems?

Example - Odd Location

• Found our Siberian user:

Page 17: Do You Really Know Who is Using Your Systems?

Example - “Excessive” Usage

• This is one user for one day:

Page 18: Do You Really Know Who is Using Your Systems?

Example - Impossible Geography

• Two Users - Two Stories:
  • Legitimate
  • Problematic

Page 19: Do You Really Know Who is Using Your Systems?

Findings

• Site/Organization utilizes proxies
• Account info left in browser
• Explicit sharing of account
• Account compromised

Page 20: Do You Really Know Who is Using Your Systems?

Access Results

           2007      2008
         --------  --------
Apr       30,526    38,666
--- take user access actions ---
May       28,469    32,003
June      29,439    25,656
July      31,747    30,935

Page 21: Do You Really Know Who is Using Your Systems?

Follow-Up

“Doveryai, No Proveryai” (Trust, but Verify)

• Re-run script periodically to check compliance

Page 22: Do You Really Know Who is Using Your Systems?

Resources

• Google Analytics
  • http://www.google.com/analytics/
• GeoLite City
  • http://www.maxmind.com/app/geolitecity
• This Presentation
  • http://www.lrc.usuhs.mil/brown/MAC-MLA2008_Spitzer.pps
• My Contact Information
  • [email protected]

Page 23: Do You Really Know Who is Using Your Systems?

Questions?