Two experts debate the effectiveness of a new security technology. The other side: Arbor Networks' Paul Morville.

Network behavior anomaly detection does not provide a true security solution against viruses and worms. With the growing sophistication, speed and damage potential of today's virus and worm attacks, companies need a solution that actively defends their networks. The ingredients required to mount a meaningful defense against these new and virulent attacks include speed, accuracy and the ability to actively block attacks from spreading to other machines, systems and networks.

Anomaly detection falls short in these areas and gives users a false sense of security. The approach has three main drawbacks:

It is too slow to detect fast-spreading virus and worm attacks. Anomaly-detection vendors, by their own admission, permit attacks to affect a certain percentage of a network. This can translate into hundreds of machines being compromised before an attack is detected. In many cases, whole networks can be infected in a matter of minutes. Anomaly detection relies on network flow data, which is often reported at intervals of 15 to 45 minutes. With that kind of lag, an entire network can be brought down.

It produces an enormous number of false positives. Anomalies can occur in a network at any time. Because anomaly detection is looking for an anomalous event rather than an attack, it is frequently plagued by time-consuming false positives. This can result in a "boy who cried wolf" syndrome: when an actual attack is afoot, no one will respond because of all the previous false positives.

It provides marginally effective mitigation techniques, if it provides any. With a high rate of false positives, it is perhaps a blessing that these products do not provide the option of a fully automated containment process.
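As an added illustration of the first drawback (this model is not part of the original article), the code below stacks the two delays the author describes: a detector that tolerates some percentage of infected hosts before it alerts, and flow records that only arrive at the next export boundary. The network size, single initial infection, one-minute doubling rate and 1% tolerance are constructed assumptions; the 15- and 45-minute export intervals are the article's own figures.

```python
import math

# Constructed parameters for illustration (not measurements from the article).
HOSTS = 10_000            # hosts on the network
INITIAL = 1               # hosts infected at t = 0
BETA = math.log(2) / 60   # per-second contact rate: doubling about once a minute early on


def si_infected(t_seconds, hosts=HOSTS, initial=INITIAL, beta=BETA):
    """Hosts infected at time t under a simple SI (susceptible-infected) model.

    I(t) = N / (1 + (N/I0 - 1) * exp(-beta * t)): exponential early, then saturating.
    """
    return hosts / (1.0 + (hosts / initial - 1.0) * math.exp(-beta * t_seconds))


def time_to_fraction(fraction, hosts=HOSTS, initial=INITIAL, beta=BETA):
    """Seconds until the infected count reaches fraction * hosts (inverse of si_infected)."""
    target = fraction * hosts
    if target <= initial:
        return 0.0
    return math.log((hosts / initial - 1.0) / (hosts / target - 1.0)) / beta


def detection_delay(threshold_fraction, export_interval_s, **kw):
    """Earliest moment a flow-based detector can see the threshold crossed.

    Two delays stack: the detector tolerates threshold_fraction of the network
    being infected before alerting, and it only sees those flows once the next
    export boundary (export_interval_s) arrives.
    Returns (t_cross, t_detect, infected_hosts_at_detect).
    """
    t_cross = time_to_fraction(threshold_fraction, **kw)
    t_detect = math.ceil(t_cross / export_interval_s) * export_interval_s
    return t_cross, t_detect, si_infected(t_detect, **kw)


def compare_intervals(threshold_fraction, intervals_s):
    """Infected-host count at first alert for each flow export interval."""
    return {i: round(detection_delay(threshold_fraction, i)[2]) for i in intervals_s}


if __name__ == "__main__":
    # 1% tolerated infection; flow records exported every 1, 15 and 45 minutes.
    for interval, infected in compare_intervals(0.01, [60, 900, 2700]).items():
        print(f"export every {interval:>4d} s -> ~{infected:>5d} of {HOSTS} hosts infected at first alert")
```

With these assumptions the 1% threshold is crossed after roughly 400 seconds, yet a 15-minute export cadence delivers the first alert only at 900 seconds, when about three quarters of the network is already infected.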
Because of their significant detection latency, anomaly detection response techniques are often geared toward containing widespread outbreaks through zone segmentation. This is equivalent to amputating an entire limb for an infection when a wound could have been treated earlier. A more appropriate response is to immediately and surgically contain the initial infection vector, before propagation can occur, preventing an outbreak in the first place.

Most anomaly-detection products were built for network performance monitoring and diagnostics. They weren't designed to protect the network from zero-day attacks, targeted attacks and worm storms. Anomaly detection systems are unable to mitigate slow, stealthy and sophisticated attacks. Hackers are using this method, essentially spreading an attack over a longer time, to fly under the radar of anomaly-detection engines and other security devices.

Someday soon, anomaly-detection tools will be properly categorized as network-management and -monitoring devices rather than security solutions. To adequately protect your network, it is essential to have a real internal network-security solution that is fast and accurate, and can actively defend against new generations of virulent attacks that, sooner or later, will target your network.

Arbel is president and CEO of CounterStorm. He can be reached at gil.arbel@counterstorm.com.