Network behavior anomaly detection

Network behavior anomaly detection (NBAD) is a security technique that provides network security threat detection. It is a complementary technology to systems that detect security threats based on packet signatures. [1]

NBAD is the continuous monitoring of a network for unusual events or trends. NBAD is an integral part of network behavior analysis (NBA), which offers security in addition to that provided by traditional anti-threat applications such as firewalls, intrusion detection systems, antivirus software and spyware-detection software.

Description

Most security monitoring systems utilize a signature-based approach to detect threats. They generally monitor packets on the network and look for patterns in the packets which match their database of signatures representing pre-identified known security threats. NBAD-based systems are particularly helpful in detecting security threat vectors in two instances where signature-based systems cannot: (i) new zero-day attacks, and (ii) when the threat traffic is encrypted such as the command and control channel for certain Botnets.

An NBAD program tracks critical network characteristics in real time and generates an alarm if a strange event or trend is detected that could indicate the presence of a threat. Large-scale examples of such characteristics include traffic volume, bandwidth use and protocol use.

NBAD solutions can also monitor the behavior of individual network subscribers. In order for NBAD to be optimally effective, a baseline of normal network or user behavior must be established over a period of time. Once certain parameters have been defined as normal, any departure from one or more of them is flagged as anomalous.
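The baselining approach described above, as an added example that is not part of the original article: per-host flow summaries from a training window (constructed data, not real traffic) are used to learn a normal byte volume and protocol set, and later buckets are flagged when either departs from that baseline. Bucket sizes, hosts and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed per-host, per-5-minute-bucket flow summaries (not real traffic):
# (bucket index, host, bytes sent, protocols observed in the bucket).
BASELINE_WINDOW = [
    (i, "10.0.0.5", nbytes, {"tcp/443", "udp/53"})
    for i, nbytes in enumerate([1200, 1350, 1100, 1400, 1250, 1300, 1150, 1380])
]
# Observation window to score: one normal bucket, one volume spike,
# and one bucket where a protocol never seen in the baseline appears.
OBSERVED = [
    (8, "10.0.0.5", 1320, {"tcp/443", "udp/53"}),
    (9, "10.0.0.5", 48000, {"tcp/443", "udp/53"}),
    (10, "10.0.0.5", 1270, {"tcp/443", "udp/53", "tcp/6667"}),
]

def build_baseline(window):
    """Learn each host's normal volume (mean/stdev) and the set of protocols it uses."""
    volumes, protocols = defaultdict(list), defaultdict(set)
    for _, host, nbytes, protos in window:
        volumes[host].append(nbytes)
        protocols[host] |= protos
    return {
        host: {
            "mean": statistics.mean(v),
            # a perfectly flat baseline has stdev 0; floor it so z-scores stay finite
            "stdev": max(statistics.pstdev(v), 1.0),
            "protocols": protocols[host],
        }
        for host, v in volumes.items()
    }

def score(observed, baseline, z_threshold=3.0):
    """Flag buckets whose volume or protocol mix departs from the host's baseline."""
    alerts = []
    for bucket, host, nbytes, protos in observed:
        base = baseline.get(host)
        if base is None:
            alerts.append((bucket, host, "unknown host"))  # no baseline learned
            continue
        z = (nbytes - base["mean"]) / base["stdev"]
        if abs(z) > z_threshold:
            alerts.append((bucket, host, f"volume z={z:.1f}"))
        new = protos - base["protocols"]
        if new:
            alerts.append((bucket, host, f"new protocol {sorted(new)}"))
    return alerts

if __name__ == "__main__":
    for alert in score(OBSERVED, build_baseline(BASELINE_WINDOW)):
        print(alert)
```

The z-score threshold and the protocol-set check are the "parameters defined as normal" from the text; in practice the baseline is recomputed on a rolling window so that slow, legitimate drift does not keep alerting.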

NBAD techniques are applied in a number of network and security monitoring domains, including (i) log analysis, (ii) packet inspection systems, (iii) flow monitoring systems and (iv) route analytics.

NBAD has also been described as outlier detection, novelty detection, deviation detection and exception mining. [2]

References

  1. Hein, Daniel (2019-05-15). "Network Behavior Analysis and Anomaly Detection: The Basics". Best Network Monitoring Vendors, Software, Tools and Performance Solutions. Retrieved 2022-06-27.
  2. Ahmed, Mohiuddin (2016). "A survey of network anomaly detection techniques" (PDF). Journal of Network and Computer Applications. 60: 19–31. doi:10.1016/j.jnca.2015.11.016.
  3. "Palo Alto Networks Cortex XDR 3.0 automates threat detection and investigation across cloud environments". Help Net Security. 2021-08-24. Retrieved 2022-08-12.
  4. Daws, Ryan (2022-03-10). "Darktrace adds 70 ML models to its AI cybersecurity platform". AI News. Retrieved 2022-08-12.
  5. "DDoS Security & Protection Software: Secure Your Network".
  6. "Arbor DDoS Solutions – NETSCOUT". NETSCOUT.
  7. "How to block online threats and ransomware attacks with Cisco Stealthwatch". Business Review (in Romanian). 2019-01-23. Retrieved 2022-08-24.
  8. Heath, Thomas (2012-09-23). "Tenable enters partnership with In-Q-Tel". Washington Post. ISSN 0190-8286. Retrieved 2022-09-13.
  9. "ExtraHop Reveal(x) 360 for AWS detects malicious activity across workloads". Help Net Security. 2022-03-24. Retrieved 2022-08-18.
  10. "Flowmon ADS – Kyberbezpečnostní nástroj pro detekci nežádoucích anomálií" (in Czech).
  11. Whittaker, Zack (2020-06-04). "VMware acquires network security firm Lastline, said to lay off 40% of staff". TechCrunch. Retrieved 2022-10-11.
  12. Overly, Steven (2012-10-29). "Opnet Technologies to be bought for $1B". Washington Post. Retrieved 2022-08-18.
  13. Snyder, Joel (2008-01-21). "How we tested Sourcefire's 3D System". Network World. Retrieved 2022-09-13.
  14. Ot, Anina (2022-03-25). "How Endpoint Protection is Used by Finastra, Motortech, Bladex, Spicerhaart, and Connecticut Water: Case Studies". Enterprise Storage Forum. Retrieved 2022-10-06.
  15. "GreyCortex | Advanced Network Traffic Analysis". www.greycortex.com. Retrieved 2016-06-29.
  16. Hageman, Mitchell (2022-09-05). "Vectra AI attributes significant growth to expansion and new innovations". IT Brief Australia. Retrieved 2022-09-20.
  17. "NetFlow Traffic Analyzer | Real-Time NetFlow Analysis - ManageEngine NetFlow Analyzer". www.manageengine.com. Retrieved 2022-09-20.
  18. Goled, Shraddha (2021-04-03). "Hackers Are Having A Field Day Post Pandemic: Praveen Jaiswal, Vehere". Analytics India Magazine. Retrieved 2021-05-17.