It’s never been more critical for network and security managers to acquire a deep insight into the traffic flowing through their networks.
Whether the driver is increased regulatory demands, the emergence of more-targeted attacks or the latest stealth techniques employed by malware authors, they must both identify and block traditional attacks and spot the malicious traffic and new attacks that fly below the radar of traditional firewalls, intrusion-detection and -prevention systems, and antimalware technologies.
To stop malicious activity, the security technologies most widely deployed — antivirus software, IDS/IPSes and firewalls — depend on lists of known patterns or static rule sets. Although these signature-based defense systems are essential components of any security arsenal, organizations would benefit from being able to identify the stealthy and sophisticated attacks such systems miss. Increasingly popular are network behavior analysis (NBA) systems, which study and learn normal network flows so they can identify anomalous and potentially malicious traffic, even when there’s no signature or a rule set to block it.
Generally, NBA technologies build a baseline of the normal activity for each host connected to the network by capturing Ethernet frames during the initial weeks of deployment (and whenever a new host is added to the network). The information collected from hosts and network gear includes such behavioral indicators as how many SYNs a device sends and receives, its normal rates of bits and packets per second, the total number of bytes sent during a 24-hour period, and the ports and services each host offers on the network.
From this baseline, the NBA system constructs profiles of dozens of different attributes and acceptable system behaviors, and establishes tolerance levels. Then, whenever a device’s activity breaches an established tolerance level, the system alerts network and security managers. For instance, when a host receives 20,000 TCP SYNs in a five-minute period, or when a Web server that’s been using only port 80 suddenly opens an FTP session, managers might want to know about this kind of abnormal activity.
Besides behavioral baselining, NBA systems use pattern matching to identify traffic that’s behaving badly. After all, the system doesn’t need to learn certain activities — scanning activity from an unauthorized host, for example — to know they are bad. The same is true for certain internal connections to the Internet. An NBA system would flag callback channels from an internal host out to a botnet controller because such connections stand out as unique on the network.
Together, pattern matching and behavioral analysis identify anomalous traffic and alert administrators for further investigation. Over time, the system becomes more accurate because the baseline information is fed back to the algorithms, which in turn grow more intelligent from the historical information they add to their analysis.
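To make the baselining and tolerance-level mechanism described above concrete, here is an added example (not from the article or any NBA vendor's product) that learns a per-host SYN ceiling and set of outbound ports from constructed five-minute flow summaries, then flags later windows that breach them. The host names, counts and the mean-plus-three-standard-deviations tolerance are assumptions for illustration.

```python
import statistics
from collections import defaultdict

# Constructed flow summaries, one record per host per five-minute window:
# (host, syns_received, outbound_dst_ports). A real NBA system would derive
# these from captured frames or NetFlow; the numbers here are made up.
BASELINE_WINDOWS = [
    ("web01", 180, {443}),
    ("web01", 210, {443}),
    ("web01", 195, set()),
    ("web01", 240, {443}),
    ("db01", 40, {53}),
    ("db01", 55, {53}),
    ("db01", 35, {53, 123}),
    ("db01", 60, {53}),
]


def build_profiles(windows, k=3.0):
    """Learn a per-host tolerance level from the baseline period:
    SYN ceiling = mean + k * population stdev of SYNs received per window,
    plus the set of outbound destination ports the host was seen using."""
    syns, ports = defaultdict(list), defaultdict(set)
    for host, syn_count, dst_ports in windows:
        syns[host].append(syn_count)
        ports[host] |= dst_ports
    profiles = {}
    for host, counts in syns.items():
        ceiling = statistics.mean(counts) + k * statistics.pstdev(counts)
        profiles[host] = {"syn_ceiling": ceiling, "known_ports": ports[host]}
    return profiles


def evaluate_window(profiles, host, syn_count, dst_ports):
    """Return alert strings for one observed window; an empty list means the
    window is within tolerance. Hosts absent from the baseline are reported
    so they can be profiled rather than silently ignored."""
    profile = profiles.get(host)
    if profile is None:
        return [f"{host}: no baseline profile (new host?)"]
    alerts = []
    if syn_count > profile["syn_ceiling"]:
        alerts.append(f"{host}: {syn_count} SYNs received in window, "
                      f"ceiling {profile['syn_ceiling']:.0f}")
    for port in sorted(dst_ports - profile["known_ports"]):
        alerts.append(f"{host}: new outbound connection to port {port}")
    return alerts


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_WINDOWS)
    # A web server that only ever used 443 suddenly opening an FTP session.
    print(evaluate_window(profiles, "web01", 200, {443, 21}))
```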
Once a history of network data and traffic behavioral analysis has been established, network administrators can use that repository to spot and correct upcoming service interruptions before they affect overall network performance. In fact, intelligence gathered by the NBA system lets administrators see the impact of any unexpected network event from anywhere within their network.