Lancope is now part of Cisco Learn More About Cisco

School of NBAD: NBAD Host Anomaly Detection

Charles Herring

Part 4: NBAD Host Anomaly Detection

Anomaly detection in NBAD is similar to behavioral detection in that it relies on counters on the monitored hosts. It differs from behavioral detection in that it monitors against established baseline/trend data and not programmatic algorithms. Another way of saying this is that behavioral detection looks for known bad traffic and anomaly detection looks for any traffic that is not known good. To accomplish this, anomaly detection requires the creation and maintenance of baselines in addition to the host profiles and counters created in behavioral detection.

Data Exfiltration Monitoring

One of the most effective means of host anomaly detection is monitoring for data exfiltration. When it can be determined how much data a host of a certain type (desktop, administrator, server, etc.) is expected to send out of the network a baseline can be established. Each host object of that type can then be assigned a counter that increments when the host sends data out of the network. When the amount established in the baseline (threshold) is exceeded by the counter an alarm for “Suspect Data Loss” can be generated. Note the loss of data outlined below.

Suspect Data Loss

Suspect Data Loss Quick View

Data Hoarding Monitoring

In the same fashion that baselines can be established for sending data from the host to the Internet, baselines and counters can be created to look for abnormal downloads from internal data stores to an internal host. This “Data Hoarding” alarm is particularly effective in NBAD because of the deep network visibility provided by NetFlow. Note: the host below that stockpiled abnormal amounts of data from around the network.

The host stockpiled abnormal amounts of data

Connection Saturation Monitoring

Baselines can also be established for the number of connections a host creates to other hosts. If a host type is expected to have less than 30 open connections and is observed having several thousand connections open instead, there is valid reason for concern.

Wrap Up

By creating thresholds for acceptable behavior on different types of hosts across the network, NBAD can alert security analysts to advanced attacks or insiders threats. For more details on using NBAD to monitor for advanced insider threats see: Dealing with Insider Threats

Read part 5 of the School of NBAD Series here.


More from this contributor:

In part one of this series , I discussed the incident response needs of a NetFlow-based security solution. However necessary those functions are,...
As more organizations fall victim to large-scale data breaches and advanced persistent threats, digital security is becoming a higher priority for...
Recent InfoSec news continues to show the relentless attacks against academic networks. This problem is not new, however. In 1999, Dr. John Copeland...