A Low Cost System For Logon Anomaly Detection Based On Time And Location Of Users

The purpose of this research was to develop a low cost system for identifying logon anomalies based on the time a user provides login credentials and also the physical location of the workstation on the LAN. The specific objectives of the project were (i) to evaluate how logon anomalies based on physical locations have been addressed in the literature (ii) to develop specifications, design and implement a solution to address the problem of determining the physical location of a logon event as well as determine the validity of such an event (iii) to evaluate the designed solution by analyzing the logon patterns of the users based on valid attempts in order to identify logon anomalies. The methodology used by this research involved collecting logon event data from a live Windows Active Directory environment. The Windows Active Directory Domain had three Domain Controllers, about 400 client workstations and about 960 active users. The geographical campus where the data was collected constituted of several network administration areas each hosting one or more network switches. Each administration area is referred to as a physical location and was allocated a unique VLAN ID and network subnet.