Lancope's intrusion-detection system is an anomaly in more ways than one. The Stealthwatch M250 Version 4.2 we tested - which veers from popular signature-based IDS products with a behavior-based approach to spotting intruders called anomaly detection - can indeed spot attacks, but its overall package could use a bit more polish.
The anomaly detection engine noticed unexpected network behavior very well in our tests. For almost every attack we threw at it, the Stealthwatch box did note that something was askew with our network activity (see ). Unfortunately, in most cases, the information the appliance presented comprised extremely low-level network details, which were difficult to correlate to an exact attack. We also found some security implementation issues that could leave the box open to attack.
Any IDS based on anomaly detection monitors network traffic on an ongoing basis and looks for patterns. Patterns that are normal do not generate events. If the IDS detects abnormal traffic - such as attempts to access disallowed ports, or traffic flowing in a direction that is not expected - then it generates an event. Other products that offer anomaly detection include Enterasys Networks' Dragon and Symantec's Manhunt.
The Stealthwatch 4.2 appliance is based on a Dell PowerEdge 1650 1U, rack-mountable PC with four Gigabit Ethernet interfaces, one of which is left open for management via a Transport Layer Security-based Web interface. The device connects to a variety of infrastructure services: Syslog, Network Time Protocol, Whois (host information lookup) and DNS, used to gather event information and time stamps.
Lancope offers a central management server to control multiple Stealthwatch devices, which we did not test. Lancope says the interface is different, but event-processing capabilities are the same as found in the appliance.
Stealthwatch uses behavioral monitoring both to generate alerts directly and to calculate three indices - the concern index, the threat index and the file-sharing index - which rate whether observed traffic is normal or abnormal. These indices, which the manual documents only vaguely, give some indication of when a severe threat is present (the concern index), when a host is being targeted by an attack (the threat index) and when machines within a monitored zone appear to be performing inappropriate file sharing through a peer-to-peer tool (the file-sharing index).
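As an added illustration of the learn-then-flag approach and the three indices described above (example code written for this review, not Lancope's product code; the monitored zone, the disallowed-port policy and all flow records are constructed):

```python
"""Toy behavior-based anomaly scoring, modelled on the review's description:
learn normal (direction, port) patterns, then raise events for flows that
break them or hit disallowed ports, feeding three per-host indices."""
from collections import Counter

ZONE = {"10.0.0.10", "10.0.0.11"}   # constructed: hosts the sensor protects
DISALLOWED_PORTS = {23, 135, 445}    # constructed policy: never expected here

def direction(dst):
    """'in' when the destination lies inside the monitored zone, else 'out'."""
    return "in" if dst in ZONE else "out"

def learn_baseline(flows):
    """Record every (direction, port) pattern seen during normal operation."""
    return {(direction(dst), port) for _src, dst, port in flows}

def score_flows(flows, baseline):
    """Return (events, concern, threat, file_sharing) for a batch of flows.
    concern[src]: abnormal traffic a host originates; threat[dst]: abnormal
    traffic aimed at a host; file_sharing[zone_host]: distinct outside peers
    reached on unprivileged ports, a crude peer-to-peer indicator."""
    events, concern, threat = [], Counter(), Counter()
    peers = {h: set() for h in ZONE}
    for src, dst, port in flows:
        reasons = []
        if port in DISALLOWED_PORTS:
            reasons.append(f"disallowed port {port}")
        if (direction(dst), port) not in baseline:
            reasons.append(f"unexpected {direction(dst)}bound flow on port {port}")
        if reasons:                      # normal patterns generate no event
            events.append((src, dst, port, "; ".join(reasons)))
            concern[src] += len(reasons)
            threat[dst] += len(reasons)
        if src in ZONE and dst not in ZONE and port >= 1024:
            peers[src].add(dst)
    file_sharing = Counter({h: len(p) for h, p in peers.items() if p})
    return events, concern, threat, file_sharing

# Constructed learning-period traffic: web into the zone, HTTPS and DNS out.
BASELINE_FLOWS = [("203.0.113.4", "10.0.0.10", 80), ("203.0.113.4", "10.0.0.10", 443),
                  ("10.0.0.10", "198.51.100.7", 443), ("10.0.0.11", "198.51.100.8", 53)]
# Constructed monitored traffic: telnet and ssh probes into the zone, plus a
# zone host contacting several outside peers on BitTorrent-style ports.
OBSERVED_FLOWS = [("203.0.113.9", "10.0.0.10", 80), ("203.0.113.9", "10.0.0.10", 23),
                  ("203.0.113.9", "10.0.0.11", 22), ("10.0.0.11", "198.51.100.20", 443),
                  ("10.0.0.11", "198.51.100.21", 6881), ("10.0.0.11", "198.51.100.22", 6881),
                  ("10.0.0.11", "198.51.100.23", 6882)]

if __name__ == "__main__":
    ev, ci, ti, fi = score_flows(OBSERVED_FLOWS, learn_baseline(BASELINE_FLOWS))
    print(*ev, dict(ci), dict(ti), dict(fi), sep="\n")
```

Note that, as the review observes of the real appliance, the events are low-level (a port and a direction), so correlating them to a named attack still needs an analyst.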