New relational network-modeling systems detect security threats by recognizing when network traffic patterns vary from the norm.

As network attacks become increasingly sophisticated and frequent, it has become nearly impossible for security administrators to keep pace with every exploit, worm, virus and denial-of-service attack. To address this issue, new relational network-modeling systems detect security threats by recognizing when network traffic patterns vary from the norm.

Implemented through software, relational network modeling analyzes the role of systems on a network, examining all inter-host relationships and communications. Collection devices placed in the network monitor traffic directly, either by capturing raw packets or from flow exports built by routers and switches.

The data is aggregated centrally, and the relational network-modeling system processes it to find the common patterns of normal network traffic, including patterns for certain times during the workweek. By gathering data directly from a network, the model system accurately represents the network's behavior from various observation points, including the ability to sort and graph by service, client and server. This approach assumes that hosts generally will have a set of behaviors they rarely drift from so that, for example, Web clients always will be Web clients, not Web servers. For instance, Host A is a client of Host E using the HTTP protocol, but Host A talks to Host D using the DNS protocol. And Host D does not suddenly start behaving as an HTTP server for Host A under normal circumstances.

After a relational network-modeling system gathers data, it builds a model that administrators can use to define and enforce a policy. When deviations from acceptable use occur in the network, security alerts warn administrators of the change, a process known as anomaly detection.

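
The Host A, D and E relationships described above, as an added Python example that is not part of the original article or of any vendor's product. It learns the relationships from flow records, classifies new flows against them, and renders the learned relationships as an allow-list in Cisco IOS extended-ACL syntax, the enforcement step the article turns to next. The `Flow` record shape, the host addresses, the sample flows and the three result labels are assumptions made for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "client server proto port")

# Constructed addresses for the article's Hosts A, D and E (assumptions).
ADDR = {"A": "10.0.0.10", "D": "10.0.0.53", "E": "10.0.0.80"}

# Constructed learning-period flows: A -> E over HTTP, A -> D over DNS.
TRAINING = [Flow("A", "E", "tcp", 80), Flow("A", "D", "udp", 53),
            Flow("A", "E", "tcp", 80)]

def build_model(flows):
    """Return (edges, roles): observed relationships and services per server."""
    edges = set(flows)
    roles = {}
    for f in flows:
        roles.setdefault(f.server, set()).add((f.proto, f.port))
    return edges, roles

def classify(flow, model):
    """Compare one new flow with the learned model."""
    edges, roles = model
    if flow in edges:
        return "normal"
    if (flow.proto, flow.port) not in roles.get(flow.server, set()):
        return "role-change"       # host serving something it never served
    return "new-relationship"      # known service, unseen client/server pair

def render_acl(model, name="BASELINE"):
    """Emit the learned edges as IOS-style permits, then deny everything else."""
    edges, _ = model
    lines = [f"ip access-list extended {name}"]
    for f in sorted(edges):
        lines.append(f" permit {f.proto} host {ADDR[f.client]} "
                     f"host {ADDR[f.server]} eq {f.port}")
    lines.append(" deny ip any any log")
    return lines

if __name__ == "__main__":
    model = build_model(TRAINING)
    # Host D suddenly answering HTTP for Host A: the article's abnormal case.
    for flow in [Flow("A", "E", "tcp", 80), Flow("A", "D", "tcp", 80)]:
        print(flow, "->", classify(flow, model))
    print("\n".join(render_acl(model)))
```

The rendered list covers only the client-to-server direction; reply traffic needs a stateful firewall or matching reverse entries.
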
Administrators can use relational network-modeling data to quickly characterize a worm's behavior and quarantine traffic specific to the worm's propagation without disrupting normal business traffic. Administrators then can enforce the normal network model, using internal subnet firewalls, router and switch access control list statements, and virtual LAN ACL statements to create exceptions for previously accepted, or normal, traffic and deny all other traffic. Relational network-modeling systems help generate these ACL statements and push them out to network control plane switches, routers and firewalls.

Taking this a step further, administrators can use the relational network model to protect their networks before a worm or attack infects the first host. This is accomplished by using the model generated during the policy-creation process to strictly enforce acceptable network behavior. Such preemptive acts can be taken the minute a new vulnerability is made public and before hackers write worms to capitalize on it.

Detecting anomalies using relational modeling provides real-time worm detection without requiring signatures or advance knowledge of an attack. Administrators can react much faster and more precisely using relational network modeling than a team of network operators, who today must turn off individual machines, patch them when a signature update is available, and then turn them back on. The result is networks that are made more secure by proactively stopping attacks without disrupting normal business operations.

Nazario is a security researcher for Arbor Networks. He can be reached at jose@arbor.net.