Dynamic Analysis

Dynamic analysis is a technique that analyzes user logs based on dynamic behavior analysis rulesets.

Block Foreign Access (Importance: Recommended)

  • Analyzes the IP of the visitor to determine the access location.
  • Blocking foreign access uses MBUSTER's own DB and KISA's (Korea Internet & Security Agency) WHOIS service to detect foreign IPs.
  • This policy detects cases where the access location is determined to be outside Korea (foreign).
  • For sites targeting domestic services, it provides a blocking function against foreign IPs.
  • For sites targeting global services, foreign IPs are considered normal accesses, so this policy is set to unused.
  • Detection example: Visitor's IP [ 139.243.97.234 ] → Detected as a US IP by this policy.

Behavior Analysis Policies (Importance: Varies by Policy)

Policies are defined for each behavior and are used to identify terminals that exceed the threshold. The macro level varies by behavior analysis policy, and even the same policy may have different macro levels depending on the threshold value. Minimum and maximum thresholds for each ruleset can be calculated through the analysis of access logs (training data), and the macro level can be adjusted according to the settings.

1. Excessive Page Queries (Importance: Recommended)

When an excessive number of URL requests occur from a single visitor within one second (Importance: Recommended)
  • If excessive URL requests occur within a short period, it is interpreted as attempting repetitive tasks like macros.
  • The purpose is to detect macro operations by detecting excessive URL requests within a short period (seconds).
  • Detection example: If the threshold is set to 3, it is detected when there are more than 3 accesses within one second.
When an excessive number of URL requests occur from a single visitor within one minute (Importance: Recommended)
  • The purpose is to detect excessive URL requests within one minute.
  • Detection example: If the threshold is set to 180, it is detected when there are more than 180 accesses within one minute.
When an excessive number of URL requests occur from a single visitor within one day (Importance: Recommended)
  • Suspects macros or automated tasks when a single visitor continuously requests many URLs over a long period.
  • Detection example: If the threshold is set to 3,000, it is detected when there are more than 3,000 accesses in a day.
When specific URLs are excessively requested (Importance: Recommended)
  • The analysis targets specific URLs rather than a general analysis of all pages.
  • Detection example: If the threshold for the A.html page is set to 100, it is detected when there are more than 100 accesses to that page.
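
The per-second, per-minute and per-day rules above can be sketched as one sliding-window counter per visitor. This is an added example, not MBUSTER's own code; the sliding-window interpretation, the function names and the sample traffic are assumptions, and only the thresholds (3, 180, 3,000) come from the detection examples.

```python
from collections import defaultdict, deque

# rule name -> (window length in ms, threshold); thresholds from the examples above
RULES = {"second": (1_000, 3), "minute": (60_000, 180), "day": (86_400_000, 3_000)}

def excessive_queries(events, rules=RULES):
    """events: (timestamp_ms, visitor_id) pairs, in time order per visitor.
    Returns {visitor_id: set of rule names whose threshold was exceeded}."""
    recent = {}
    hits = defaultdict(set)
    for ts, visitor in events:
        if visitor not in recent:
            # One bounded queue per rule: only the newest threshold+1 timestamps.
            recent[visitor] = {n: deque(maxlen=t + 1) for n, (_, t) in rules.items()}
        for name, (length, threshold) in rules.items():
            q = recent[visitor][name]
            q.append(ts)
            # More than `threshold` requests fit in one window when the oldest
            # of the last threshold+1 timestamps is still inside that window.
            if len(q) > threshold and ts - q[0] < length:
                hits[visitor].add(name)
    return dict(hits)

def sample_rate_events():
    """Constructed traffic, not real logs."""
    burst = [(i * 200, "v-burst") for i in range(4)]        # 4 requests in 0.6 s
    slow = [(i * 20_000, "v-slow") for i in range(4_320)]   # every 20 s for a day
    human = [(i * 7_000, "v-human") for i in range(50)]     # occasional clicks
    return burst + slow + human

if __name__ == "__main__":
    for visitor, rules_hit in excessive_queries(sample_rate_events()).items():
        print(visitor, sorted(rules_hit))
```

The slow visitor never trips the per-second or per-minute rule, which is why the per-day rule exists alongside them.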

2. Repeated Page Queries (Importance: Essential)

When the number of URL calls repeats in the same pattern by the minute (Importance: Essential)
  • Programs that perform repetitive tasks, such as macros, exhibit a consistent pattern of access.
  • Detection example: If the threshold is set to 5, a macro calling 10 times per minute and repeating this for 5 minutes, resulting in 50 calls, is detected. The repetition count, not the access volume, is the criterion for the threshold.
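
One way to implement the repetition rule, as an added sketch that is not MBUSTER's own code: it assumes "the same pattern" means an identical request count in consecutive minutes, and the function names and sample traffic are constructed for illustration.

```python
from collections import Counter, defaultdict

def repeated_minute_pattern(events, threshold=5):
    """events: (epoch_seconds, visitor_id) pairs in any order.
    Returns {visitor_id: longest run of consecutive minutes with an identical
    request count} for visitors whose run reaches `threshold`."""
    per_minute = defaultdict(Counter)
    for ts, visitor in events:
        per_minute[visitor][int(ts // 60)] += 1

    flagged = {}
    for visitor, counts in per_minute.items():
        longest = run = 0
        prev_minute = prev_count = None
        for minute in sorted(counts):
            repeats = (prev_minute is not None and minute == prev_minute + 1
                       and counts[minute] == prev_count)
            run = run + 1 if repeats else 1
            longest = max(longest, run)
            prev_minute, prev_count = minute, counts[minute]
        if longest >= threshold:   # repetition count, not volume, decides
            flagged[visitor] = longest
    return flagged

def sample_pattern_events():
    """Constructed traffic, not real logs."""
    # Macro: exactly 10 calls in each of 5 consecutive minutes (50 calls).
    macro = [(m * 60 + k * 6, "v-macro") for m in range(5) for k in range(10)]
    # Busy human: 206 calls over 6 minutes, a different count every minute.
    busy = [(m * 60 + j, "v-busy")
            for m, n in enumerate([40, 12, 55, 31, 8, 60]) for j in range(n)]
    return macro + busy

if __name__ == "__main__":
    print(repeated_minute_pattern(sample_pattern_events()))
```

In this sketch a visitor making exactly one request per minute for five minutes also forms a run; how the product treats such low counts is not stated on this page.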

3. Abnormal Page Access (Importance: Recommended)

When multiple personal identification IDs are issued from a single IP (Importance: Recommended)
  • Detects cases where multiple terminals are used from the same IP.
  • Macros typically access using multiple terminals through a program.
  • It is recommended to set up a whitelist, even if the access IP is a public IP.
  • Detection example: If the threshold is set to 10, it is detected when the number of terminals accessed from the same IP exceeds 10.
When a single personal identification ID accesses from multiple IPs (Importance: Essential)
  • This is the case when the device does not change, but the access IP changes, such as when using a VPN.
  • Detection example: If the threshold is set to 10, it is detected when the visitor's IP changes 10 times using a VPN.
When a specific URL is accessed repeatedly by direct entry (Importance: Recommended)
  • Detects cases where access is not through normal browsing but direct entry to a specific URL.
  • Detection example: If the threshold for the A.html page is set to 10, accessing by directly entering the A.html link more than 10 times is detected.
When a specific action occurs at an abnormal speed (Importance: Essential)
  • Detects when the execution time of a specific action (from start to end) is shorter than the threshold.
  • Detection example: If the reservation process is defined as a specific action and the threshold is set to 1, it is detected when the reservation is completed in less than 1 second.
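
The two ID/IP rules at the start of this section, including the effect of the recommended whitelist, as an added sketch that is not MBUSTER's own code. The function names, the shared-gateway scenario and the sample data (documentation-range IPs) are assumptions; the threshold of 10 and the "exceeds 10" / "changes 10 times" comparisons follow the detection examples.

```python
from collections import defaultdict

def id_ip_anomalies(events, threshold=10, ip_whitelist=frozenset()):
    """events: (visitor_id, ip) pairs in time order.
    Returns (ips_with_many_ids, ids_with_many_ip_changes)."""
    ids_per_ip = defaultdict(set)
    ip_changes = defaultdict(int)
    last_ip = {}
    for visitor, ip in events:
        ids_per_ip[ip].add(visitor)
        # Count a change only when the same ID shows up on a different IP.
        if visitor in last_ip and last_ip[visitor] != ip:
            ip_changes[visitor] += 1
        last_ip[visitor] = ip
    # Rule 1: number of IDs seen on one IP exceeds the threshold,
    # unless the IP is whitelisted (e.g. a known shared gateway).
    many_ids = {ip: len(ids) for ip, ids in ids_per_ip.items()
                if len(ids) > threshold and ip not in ip_whitelist}
    # Rule 2: one ID whose IP changed `threshold` times.
    roaming = {v: n for v, n in ip_changes.items() if n >= threshold}
    return many_ids, roaming

def sample_id_ip_events():
    """Constructed events, not real logs."""
    farm = [(f"term-{i}", "203.0.113.7") for i in range(12)]     # 12 IDs, one IP
    office = [(f"staff-{i}", "198.51.100.1") for i in range(40)]  # shared gateway
    vpn = [("dev-vpn", f"192.0.2.{i}") for i in range(1, 12)]     # 10 IP changes
    return farm + office + vpn

if __name__ == "__main__":
    print(id_ip_anomalies(sample_id_ip_events(), ip_whitelist={"198.51.100.1"}))
```

Without the whitelist entry, the 40 legitimate IDs behind the shared gateway would be flagged by the first rule as well.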

4. Circumventing Page Access (Importance: Recommended)

When access to a specific URL occurs outside of set times (Importance: Essential)
  • Detects access to a page outside the event times during which it is meant to be accessible.
  • Detection example: If the A.html page is set to be used only from 9 AM to 12 PM, accessing it before 9 AM or after 12 PM is detected.