Sunday, 24 August 2014

IPS anomaly overview and components

Anomaly Detection Overview

The IPS anomaly detection feature is a statistical anomaly-based system. Its purpose is to identify and prevent scanning network worms. A scanning network worm spreads by blindly scanning a network to find victims and then compromising those victims through network attacks. These attacks are typically against exposed network services.

The method that anomaly detection uses is quite amazing. It will first dynamically learn the network patterns for a given network or even specific segments of your network. After it has learned a baseline, it can then identify yet unknown worms as they attempt to spread through the network based on scanning activity that is above the baseline. With the ability to identify specific infected hosts that are scanning and looking for the next victim, the IPS can alert us when worm activity is going beyond individual infections and trying to grow.

Anomaly detection focuses on scans from individual computers or devices that are trying to infect other devices. Worms that propagate through email, instant messaging, or file sharing could be identified by other IPS signatures, but not anomaly detection specifically.

Scanning Worm Details

One of the things that differentiates a worm from a typical virus is that a worm is self-propagating. A worm will attack a vulnerable host, infect it, and then use that host as a base station to discover and attack other vulnerable hosts. Before it can infect another host, it needs to find the next victim. The worm finds other hosts by scanning the network looking for a vulnerability. A scanning worm locates vulnerable hosts by generating a list of IP addresses to probe and then contacts the hosts through scanning. It is this scanning behavior that the anomaly detection system uses to identify the propagation of worms on the network.

The anomaly detection feature can detect and react to the following situations:

■ When a single worm-infected source comes on the network and starts scanning for other victims
■ When multiple hosts are infected and the network starts on its initial path to a major infection of multiple network devices that could be catastrophic

Anomaly Detection Components

■ For TCP connections, a scan event means a nonestablished TCP connection. This is simply where a TCP synchronization request has been sent and there’s been no TCP acknowledgment within 15 seconds. A scanner is very likely not going to get an acknowledgment to all of its TCP synchronization requests because it is doing blind scanning; it doesn’t know which hosts have which services, and that’s what it’s trying to find out. In its scans, it’s very likely to attempt to connect to devices or IP addresses that don’t even exist on the network.

■ For UDP, there are no acknowledgment or synchronization requests. This makes it less accurate to detect compared to TCP. As a result, a scan event for UDP consists of one-way UDP flows where UDP packets have been sent and there’s been no return UDP packet for at least 15 seconds. An infected host that scans using UDP will be generating many unidirectional flows on the same destination port for multiple IP addresses, because it again might not know exactly which services are available on which hosts.

■ For other protocols besides TCP or UDP, a scan consists of multiple unidirectional flows for a particular protocol, without any return traffic for 15 seconds.
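The three scan-event definitions above, applied to a small set of flow records. This is an added example and not the appliance's own code: the Flow record layout, the sample sweep and the 15-second reply window are assumptions of the example, and the scanner threshold of 5 is chosen only to make the constructed data readable.

```python
from collections import defaultdict
from dataclasses import dataclass

REPLY_TIMEOUT = 15.0  # seconds without a reply before a request counts as a scan event


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (a constructed format, not a real sensor's)."""
    ts: float            # seconds since the start of the capture
    proto: str           # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int           # 0 for protocols without ports; unused on reply records
    tcp_flags: str = ""  # "S" = SYN, "SA" = SYN-ACK, "RA" = RST-ACK, ...


def scan_events(flows, now, timeout=REPLY_TIMEOUT):
    """Return {(src, proto, dport): set of destinations probed without a reply}.

    TCP: a SYN with no acknowledging segment (any flags containing A) from the
    target within `timeout` seconds. UDP and other protocols: a request with no
    packet at all coming back from the target within `timeout`. Requests younger
    than `timeout` at capture end (`now`) are still pending and are not counted.
    """
    replies = defaultdict(list)  # (responder, initiator, proto) -> reply timestamps
    for f in flows:
        if f.proto == "tcp" and "A" not in f.tcp_flags:
            continue  # a bare SYN is a request, never an acknowledgment
        replies[(f.src, f.dst, f.proto)].append(f.ts)

    events = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.tcp_flags != "S":
            continue  # only the initial SYN is a connection attempt
        if f.ts + timeout > now:
            continue  # reply window has not expired yet
        answered = any(f.ts <= r <= f.ts + timeout
                       for r in replies.get((f.dst, f.src, f.proto), ()))
        if not answered:
            events[(f.src, f.proto, f.dport)].add(f.dst)
    return events


def scanners(events, threshold):
    """(src, proto, dport) keys whose scan-event count exceeds the scanner threshold."""
    return {key: len(dsts) for key, dsts in events.items() if len(dsts) > threshold}


def sample_flows():
    """Constructed records: a SYN sweep, a normal client, a UDP sweep and an ICMP sweep."""
    flows = []
    # infected host blindly probes 21 addresses on TCP/445; only 10.0.0.20 answers
    for i, host in enumerate(range(20, 41)):
        flows.append(Flow(float(i), "tcp", "10.0.0.5", f"10.0.0.{host}", 445, "S"))
    flows.append(Flow(0.2, "tcp", "10.0.0.20", "10.0.0.5", 445, "SA"))
    # legitimate client: one answered connection to a web server
    flows.append(Flow(5.0, "tcp", "10.0.0.7", "10.0.0.20", 80, "S"))
    flows.append(Flow(5.1, "tcp", "10.0.0.20", "10.0.0.7", 80, "SA"))
    # one-way UDP/137 flows to eight addresses, plus one request still inside its window
    for i in range(1, 9):
        flows.append(Flow(30.0 + i, "udp", "10.0.0.9", f"10.0.1.{i}", 137))
    flows.append(Flow(95.0, "udp", "10.0.0.9", "10.0.1.9", 137))
    # unanswered ICMP to three addresses: too few to cross the scanner threshold used below
    for i in range(1, 4):
        flows.append(Flow(50.0 + i, "icmp", "10.0.0.11", f"10.0.2.{i}", 0))
    return flows


if __name__ == "__main__":
    ev = scan_events(sample_flows(), now=100.0)
    for key, count in scanners(ev, threshold=5).items():
        print("scanner:", key, "scan events:", count)
```

Run stand-alone it reports the TCP/445 sweep (20 unanswered SYNs) and the UDP/137 sweep (8 one-way flows); the web client is answered and never becomes an event, and the UDP request sent 5 seconds before capture end is still pending, which is why a scan event can only be declared after the full window has elapsed.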

Histograms

We’ve identified what classifies a device as a scanner; it’s when the number of scan events exceeds the threshold. That identifies a single host as a scanner. But what if we have multiple scanners that might lead to a bigger problem: What if the worm is propagating? The answer to this challenge is the histogram.

A histogram is a chart representing a frequency distribution. Anomaly detection builds a separate histogram for each configured service in a zone.

There are three zones by default:
  • Internal zone
  • External zone
  • Illegal zone

The histograms for each of the zones track the source and destination IP addresses. Histograms identify tolerable thresholds for scans, such as up to ten hosts issuing 20 scans each or up to 100 hosts issuing two scans each. When scanning goes above any of the thresholds, the anomaly detection interprets this as a worm. The intent here is to identify whether we have a worm that's propagating across our network. Fortunately, the anomaly detection system can dynamically learn from the live network what the baseline should be, and then it looks for anomalies from that baseline (hence the term anomaly detection).

Zones

There are three zones used with anomaly detection. Each zone will typically have different traffic patterns, and as a result, thresholds in each zone are very likely to be different. It is the IP addresses that define which networks are part of which zones. By default, all IP addresses are assigned to the external zone. The internal zone should be configured with the IP address range of our internal networks. You can also configure the illegal zone with IP addresses and/or address ranges that aren't valid. The benefit of the illegal zone, which identifies invalid addresses, is that you shouldn't have any scans going to IP addresses in that zone because there aren't any real hosts there; therefore, the thresholds for the illegal zone can be much lower than the internal or external zones. The external zone accounts for all the IP addresses that are not included in the internal or the illegal zone.

Learning

When the IPS system is put in place, it will initially conduct a learning process to derive a set of scanner and histogram thresholds based on what it believes to be the normal network; this learning mode is usually the first 24 hours after the IPS appliance has been put in place. After learning mode is completed, the sensor will move into detection mode. In detection mode, the sensor still builds statistical network profiles and looks for worm attacks. If the sensor believes there is an attack in process, it will temporarily suspend learning so that the scans that are occurring during the attack won’t become part of a modified knowledge base or baseline. It is recommended to run the IPS in learning mode for longer than 24 hours, preferably a full week, to get a representative sampling of data.
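The Histograms, Zones and Learning sections above, put together in one piece of code. This is an added example, not the appliance's implementation: the zone lookup is keyed on the destination address, the two histogram buckets mirror the "20 scans each" and "two scans each" thresholds quoted above, and the learning rule (threshold = twice the peak bucket value seen in quiet windows, with any never-seen zone/service pair alerting on the first scanner) is an assumption of the example, as are the address ranges and the ignored management station.

```python
import ipaddress
from collections import Counter

# Histogram buckets: how many sources issued at least this many scan events
# against one service in one zone (the text's "two scans each" / "20 scans each").
BUCKETS = (2, 20)
# Assumed fallback for a (zone, service) never seen while learning: any activity alerts.
UNLEARNED = {2: 0, 20: 0}


class Zones:
    """Destination address -> zone; anything not internal or illegal is external."""
    def __init__(self, internal, illegal):
        self.internal = [ipaddress.ip_network(n) for n in internal]
        self.illegal = [ipaddress.ip_network(n) for n in illegal]

    def classify(self, addr):
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in self.illegal):
            return "illegal"
        if any(ip in net for net in self.internal):
            return "internal"
        return "external"


def histogram(events, zones, ignore=frozenset()):
    """events: (src, dst, service) scan events from one window.
    Returns {(zone, service): {bucket: number of sources with >= bucket scan events}}."""
    per_source = Counter()
    for src, dst, service in events:
        if src not in ignore:  # ignored sources (e.g. a management station) never count
            per_source[(zones.classify(dst), service, src)] += 1
    hist = {}
    for (zone, service, _src), n in per_source.items():
        buckets = hist.setdefault((zone, service), {b: 0 for b in BUCKETS})
        for b in BUCKETS:
            if n >= b:
                buckets[b] += 1
    return hist


def worm_alerts(hist, thresholds):
    """(zone, service, bucket, sources) for every bucket above its threshold."""
    alerts = []
    for (zone, service), buckets in hist.items():
        limit = thresholds.get((zone, service), UNLEARNED)
        for b in BUCKETS:
            if buckets[b] > limit[b]:
                alerts.append((zone, service, b, buckets[b]))
    return alerts


class AnomalyDetector:
    """Learn the peak of each histogram bucket per (zone, service), then detect.
    Threshold = peak * margin is this example's rule, not the appliance's."""
    def __init__(self, zones, ignore=(), margin=2.0):
        self.zones, self.ignore, self.margin = zones, frozenset(ignore), margin
        self.peaks = {}
        self.learning = True

    def thresholds(self):
        return {key: {b: int(peak[b] * self.margin) for b in BUCKETS}
                for key, peak in self.peaks.items()}

    def _learn(self, hist):
        for key, buckets in hist.items():
            peak = self.peaks.setdefault(key, {b: 0 for b in BUCKETS})
            for b in BUCKETS:
                peak[b] = max(peak[b], buckets[b])

    def observe(self, events):
        """One window: [] while learning, otherwise the alerts. A window that
        raised alerts is not learned from, so an attack cannot raise the baseline."""
        hist = histogram(events, self.zones, self.ignore)
        if self.learning:
            self._learn(hist)
            return []
        alerts = worm_alerts(hist, self.thresholds())
        if not alerts:
            self._learn(hist)  # continuous learning from quiet windows only
        return alerts


def events_for(sources, service, probes, prefix):
    """Constructed scan events: each source probes `probes` addresses under `prefix`."""
    return [(src, f"{prefix}.{i}", service) for src in sources for i in range(1, probes + 1)]


def demo():
    """Learning window, a quiet detection window, then an outbreak window."""
    zones = Zones(internal=["10.0.0.0/16"], illegal=["10.99.0.0/16"])
    det = AnomalyDetector(zones, ignore={"10.0.0.1"})
    det.observe(events_for(["10.0.0.50", "10.0.0.51", "10.0.0.52"], 445, 3, "10.0.1"))
    det.learning = False
    quiet = det.observe(events_for([f"10.0.0.{n}" for n in range(60, 64)], 445, 2, "10.0.1"))
    outbreak = events_for([f"10.0.0.{n}" for n in range(100, 112)], 445, 25, "10.0.1")
    outbreak += events_for(["10.0.0.1"], 445, 50, "10.0.1")   # management station, ignored
    outbreak += events_for(["10.0.0.77"], 445, 2, "10.99.0")  # probes into the illegal zone
    attack = det.observe(outbreak)
    return quiet, attack, det.peaks


if __name__ == "__main__":
    print(demo())
```

In the demo the quiet window raises the learned peak from 3 to 4 scanning hosts, the outbreak window trips both buckets for the internal zone and the "two scans" bucket for the illegal zone (where nothing was ever learned, so a single probing host is enough), and because that window alerted, the peaks stay at 4: the outbreak does not become part of the baseline.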

Configuring Anomaly Detection

When configuring anomaly detection, you must determine whether to use its learning mode or manually set all scanner thresholds and histograms. You can decide to learn once and use the initial knowledge base or to learn continuously. You can also specify whether the sensor should automatically accept a newly learned profile or save it to review it manually.

You will also need to manually configure a few parameters including the internal and illegal-zone addresses. Doing this will assist in minimizing false positives and false negatives. By configuring source and destination IP addresses that the anomaly detection system should ignore in its calculations, you can avoid a network management station from being included in or triggering histograms and alerts. You can optionally set scheduler parameters to specify when the sensor is going to write the current knowledge base to local storage and specify the default learning interval. By default, it's every 24 hours at 10 a.m.
