
CREATION AND VERIFICATION OF BEHAVIORAL BASELINES FOR THE DETECTION OF CYBERSECURITY ANOMALIES USING MACHINE LEARNING TECHNIQUES


Abstract

A system (10) for the creation and verification of behavioral baselines, comprising a central processing device (12) which comprises a control unit (14) and enriched data storage means (22) and which is connected to and communicates with a plurality of target apparatuses (36) and with an Identity & Access Management (IAM) apparatus (38). The central processing device (12) comprises:
- an IAM state collection module (18) configured to generate a real-time synchronized copy of the IAM state data recorded by the IAM apparatus (38), minimizing the overhead on said IAM apparatus (38);
- a data enrichment module (20) configured to identify an entity in real time;
- a Markovian module (24) configured to build a Markov transition matrix adapted to track the transition from a first activity to a second, temporally subsequent activity;
- a baseline module (26) configured to calculate a plurality of individual score values, one for each individual activity/entity pair, and a plurality of collective score values, one for each individual activity/time window pair;
- a log anomaly verification module (28) configured to assess the presence of a behavioral anomaly of the entity with respect to an individual space, on the basis of the plurality of individual score values;
- a peer anomaly verification module (30) configured to assess the behaviors of similar peer entities; and
- a noise reduction module (32) configured to reduce the number of false positives on the basis of the assessment of the behavior of the similar peer entities.
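The module chain in the abstract (Markov transition matrix, individual activity/entity scores, collective activity/time-window scores, peer comparison, noise reduction), as an added worked example that is not the patent's own implementation. The scoring rule (log-probability of a transition under an additively smoothed first-order Markov matrix built from the entity's own history), the smoothing constant, both thresholds, the 4-hour window, and the sample log lines are all assumptions made for this illustration; the abstract does not specify them.

```python
"""Added illustration of the behavioural-baseline pipeline described in the
abstract. Not the patent's implementation: the scoring rule, thresholds,
window width and the sample events below are assumptions for this example."""
from collections import defaultdict
from math import log

SMOOTHING = 0.1              # additive smoothing keeps unseen transitions finite (assumption)
INDIVIDUAL_THRESHOLD = -3.0  # log-probability below this is an individual anomaly (assumption)
PEER_SUPPORT = 0.5           # share of peers that must show the transition to suppress (assumption)
WINDOW_HOURS = 4             # width of the collective time window (assumption)


def _days(entity, group, day_template, days=2):
    """Expand a daily activity template into (entity, group, hour, activity) events."""
    return [(entity, group, hour, act) for _ in range(days) for hour, act in day_template]


# Constructed baseline log (not real data): three users in one peer group, two days each.
BASELINE = (
    _days("alice", "finance", [(9, "login"), (9, "open_ledger"), (11, "export_report"), (17, "logout")])
    + _days("bob", "finance", [(9, "login"), (10, "bulk_download"), (11, "open_ledger"), (18, "logout")])
    + _days("carol", "finance", [(9, "login"), (10, "bulk_download"), (14, "export_report"), (17, "logout")])
)


def sequences_by_entity(events):
    """Group activities per entity, preserving the order in which they were logged."""
    seqs = defaultdict(list)
    for entity, _group, _hour, activity in events:
        seqs[entity].append(activity)
    return seqs


def transition_matrix(sequence, vocabulary):
    """First-order Markov transition matrix P[a][b] with additive smoothing; each row sums to 1."""
    counts = defaultdict(lambda: defaultdict(float))
    for a, b in zip(sequence, sequence[1:]):
        counts[a][b] += 1.0
    matrix = {}
    for a in vocabulary:
        total = sum(counts[a].values()) + SMOOTHING * len(vocabulary)
        matrix[a] = {b: (counts[a].get(b, 0.0) + SMOOTHING) / total for b in vocabulary}
    return matrix


def individual_score(matrix, a, b):
    """Score for one activity/entity pair: log-probability of a -> b under the entity's own baseline."""
    return log(matrix[a][b])


def collective_scores(events):
    """Collective score per (activity, time-window) pair: share of all baseline events in that cell."""
    counts = defaultdict(int)
    for _entity, _group, hour, activity in events:
        counts[(activity, hour // WINDOW_HOURS)] += 1
    return {key: n / len(events) for key, n in counts.items()}


def peer_support(events, entity, a, b):
    """Fraction of the entity's same-group peers whose own baseline contains the transition a -> b."""
    group = next((g for e, g, _h, _a in events if e == entity), None)
    peers = {e for e, g, _h, _a in events if g == group and e != entity}
    seqs = sequences_by_entity(events)
    supporting = sum(1 for p in peers if (a, b) in set(zip(seqs[p], seqs[p][1:])))
    return supporting / len(peers) if peers else 0.0


def assess(events, entity, a, b):
    """Return (individual_score, peer_support_or_None, verdict) for `entity` doing `a` then `b`."""
    vocabulary = sorted({act for *_, act in events} | {a, b})
    matrix = transition_matrix(sequences_by_entity(events)[entity], vocabulary)
    score = individual_score(matrix, a, b)
    if score >= INDIVIDUAL_THRESHOLD:
        return score, None, "normal"
    # Noise reduction: a transition rare for this entity but common among its peers is not escalated.
    support = peer_support(events, entity, a, b)
    verdict = "suppressed_by_peers" if support >= PEER_SUPPORT else "anomaly"
    return score, support, verdict


if __name__ == "__main__":
    for transition in [("login", "open_ledger"), ("login", "bulk_download"), ("login", "delete_backups")]:
        print("alice", transition, assess(BASELINE, "alice", *transition))
```

With the constructed data, alice's `login -> bulk_download` is individually rare (she has never done it) but both of her peers do it daily, so the peer check suppresses it; `login -> delete_backups` is rare for her and absent from every peer, so it stands as an anomaly. The smoothing constant matters: with zero smoothing an unseen transition has log-probability minus infinity and every novel action would alert, which is exactly the false-positive load the peer stage is meant to reduce.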
