There are two ways to go about it - You can identify traffic as being
anomalous by explicitly defining what normal is and comparing patterns to
that. This is a very valid way of doing it, but only in certain, limited
situations where one maps out hosts to defined services and protocols that
should be going to and coming from different resources. This should be a
narrow set of traffic definitions that pertain to critical server resources.
It is a much faster way of identifying potential issues, but does not work
for everything. But when a web server starts spitting out SQL traffic that
it shouldn't, you want to know that.
The really powerful way to go about it is to define "dimensions" to traffic
that can be quantified, or measured. Things like percentage of bandwidth
utilization, packets per second, unique destination hosts over some time
continuum, same source/destination port over some time continuum, off-net
source addresses, etc. The trick, I think, is to "layer" the processes
responsible for qualifying the traffic once it has been quantified. The
approach I use is to have the first layer process just be responsible for
identifying that something is different. That's it. That process
quantifies the data, packages up the relevant variables regarding the data,
and passes it off to the qualification layer. Basically, it says "Hey,
there is something different about this traffic. I have no idea what it is,
and I really don't care, but here is an aggregate summation of what I think
you need in order to figure that out."
Then it goes back to looking at the traffic, while the qualification layer
goes about finding out exactly what is special or anomalous about the
traffic. If it can come up with something, it passes it on to the response
layer, and so on. I believe that trusted modal processes in layers can be
far more efficient for a real-time anomalous traffic detection system than
any linear process that currently exists.
t
----- "I may disapprove of what you say, but I will defend to the death your right to say it."
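The two approaches described in the message above, as an added example (not Strikeback's or the author's code): a per-host outbound policy for approach 1, and for approach 2 a quantifying layer that only reports that a window of traffic differs from baseline, handing its metrics to a qualifying layer that names which dimensions are off. The 10.0.0.0/8 on-net range, the ALLOWED_OUT policy and all flow windows are constructed for the example.

```python
from collections import Counter
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")                        # assumed on-net range
ALLOWED_OUT = {"10.0.0.5": {80, 443}, "10.0.0.6": {80, 443}}  # assumed policy, approach 1
DIMENSIONS = ("packets", "unique_dst", "offnet_src", "top_port_share")

def policy_violations(flows):
    """Approach 1: flows whose source host has a defined policy and breaks it."""
    return [f for f in flows if f[0] in ALLOWED_OUT and f[2] not in ALLOWED_OUT[f[0]]]

def quantify(flows):
    """Layer 1, part one: reduce a window of (src, dst, dport) flows to numbers."""
    if not flows:
        return dict.fromkeys(DIMENSIONS, 0.0)
    ports = Counter(dport for _, _, dport in flows)
    return {"packets": float(len(flows)),
            "unique_dst": float(len({dst for _, dst, _ in flows})),
            "offnet_src": float(sum(ip_address(s) not in INTERNAL for s, _, _ in flows)),
            "top_port_share": ports.most_common(1)[0][1] / len(flows)}

def baseline(windows):
    """Per-dimension mean and spread from normal windows; spread floored at 10% of mean."""
    ms = [quantify(w) for w in windows]
    return {d: (mean(m[d] for m in ms),
                max(pstdev(m[d] for m in ms), 0.1 * mean(m[d] for m in ms), 1e-9))
            for d in DIMENSIONS}

def deviations(metrics, base):
    """How many spreads each dimension sits from its baseline mean."""
    return {d: (metrics[d] - base[d][0]) / base[d][1] for d in DIMENSIONS}

def detect(flows, base, k=3.0):
    """Layer 1, part two: say only *that* something differs; pass the metrics on."""
    m = quantify(flows)
    return any(abs(z) > k for z in deviations(m, base).values()), m

def qualify(metrics, base, k=3.0):
    """Layer 2: name the dimensions that are off and by how much."""
    return {d: round(z, 1) for d, z in deviations(metrics, base).items() if abs(z) > k}

# Constructed traffic: ten windows of on-net clients fetching from two web
# servers, then one window in which web server 10.0.0.5 fans out on TCP 1433.
def _normal_window(seed):
    return [(f"10.0.1.{(seed * 7 + i) % 50 + 1}", "10.0.0.5" if i % 2 else "10.0.0.6",
             80 if i % 3 else 443) for i in range(18 + seed % 5)]
NORMAL = [_normal_window(s) for s in range(10)]
SQL_FANOUT = [("10.0.0.5", f"10.0.2.{i}", 1433) for i in range(1, 17)]
BASE = baseline(NORMAL)
```

Note that the fan-out window has fewer flows than the baseline average, so a packet-rate threshold alone would miss it; the unique-destination and port-concentration dimensions are what layer 2 reports.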
http://www.ISAserver.org
Can you give a thumbnail explanation of how you modeled anomalous traffic?
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Friday, December 23, 2005 1:55 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Christmas
Yes, it is indeed more complex than one would initially consider. When I was building the framework for Strikeback, the first response model was a simple signature-based system, just like a static access-list. The second generation response model was based on a concept of "anomalous traffic detection and response," where my goal was to be able to detect variants in traffic patterns, identify (or better, "quantify") the differentiation, extract out relevant details based on "normal" traffic metrics, and to then dynamically generate a rule for response. Just getting to where one could detect anomalous traffic was challenging.
I designed an architecture where the overall process was driven by layered role-based-modals, each responsible for and dedicated to a particular piece of the analysis with appropriate channels between layers for data exchange. I wouldn't mind sharing the architecture with your team if you think it might be mutually beneficial.
t
----- "I may disapprove of what you say, but I will defend to the death your right to say it."
----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, December 23, 2005 11:12 AM
Subject: [isalist] RE: Christmas
> You're kidding, but there's been some discussion about the possibility
> to "evaluate this pattern and derive a policy from it".
>
> It's far more complex than you might imagine, especially when all you
> get from logs is what happened the last time.
>
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
>
> -----Original Message-----
> From: Joseph Danielsen [mailto:JDanielsen@xxxxxxxxxxxxxxxx]
> Sent: Friday, December 23, 2005 10:22 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Christmas
>
> Tom:
>
> Do you think MS would come out with ISA 2006 which will obey voice
> commands? Kind of a SBS wizard fashion with voice recognition!!!!
>
> "Hey ISA - Allow email and RPC/Http now" etc.
>
> Joseph F. Danielsen, MCSA-Messaging, MCP
> Network Blade Inc.
> 49 Marcy Street
> Somerset, NJ 08873
> (732) 213-0600
> www.NetworkBlade.Com
>
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Friday, December 23, 2005 1:18 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] Re: christmas
>
> Merry Christmas to all!
>
> It's been a great year and I've had a great time on this list. Made a lot
> of new friends and learned a lot of new stuff, which is what this is all
> about. Thanks to everyone for their participation and support (both
> technical and emotional :) and I'm looking forward to a great 2006, and
> maybe even a new ISA firewall product in that year (cross my fingers).
>
> This is the first year in over a decade that I actually forced myself to
> take time off. So this year Thor is going to have to do my share of the
> work that's usually done at this time of year :)))
>
> Thanks!
>
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Thursday, December 22, 2005 11:23 PM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] Re: christmas
>>
>> Merry XMas to you guys as well. I, unfortunately, must work through the
>> XMas weekend... Funny thing is I'll be in the air more than on the ground
>> for 3 days :(
>>
>> t
>>
>> -----
>> "I may disapprove of what you say,
>> but I will defend to the death your
>> right to say it."
>>
>>
>> ----- Original Message -----
>> From: "Greg Mulholland" <greg@xxxxxxxxxxxxxx>
>> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
>> Sent: Thursday, December 22, 2005 3:09 PM
>> Subject: [isalist] christmas
>>
>>
>> Don't all jump at once to wish everyone a merry Christmas, will ya!
>>
>> Enjoyed the list this year, hope everyone has a great Christmas.. be
>> safe and merry
>>
>> Greg
>>
>>
>> ------------------------------------------------------
>> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion
>> List as:
>> thor@xxxxxxxxxxxxxxx
>> To unsubscribe visit
>> http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> Report abuse to listadmin@xxxxxxxxxxxxx
>>
>>
>