Anomaly Detection and Internal Network Security Jose Nazario, Ph.D. Arbor Networks


Proprietary and Company Confidential Information

Your role is to protect the network

External barriers aren't enough

Your perimeter is porous to threats

Discover the wolf in sheep's clothing

Anomaly Detection helps you find the things that don't belong

[figure: GOOD vs. BAD traffic]

Characterize the offending source

Statistical, Protocol, Relational

Statistical Anomaly Detection
- Based on traffic rates
- Endpoints are network blocks
- Traffic by time and service
- Useful for DDoS attack detection
- Statistical expectations and confidence

Expected = Recent past + Average distant past
- Statistical variance
- Allows for smooth changes
- Disallows abrupt changes

[figure: BPS over time]

An example of abrupt change

Another abrupt change

Protocol-Based Detection
- Based on protocol behaviors
- Very generic, requires a well-understood protocol
- Compare protocol observations with expectations
- Useful for very well-controlled protocols
- Works for various layers: network, applications, etc.

[figure: mail message fields From / To / Subject; length-based overflow against client header attack]

Relational-Based Detection
- Uses inter-host relationships
- Roles (server, client, services) are usually static
- Examine network traffic and peers
- Changes in roles indicate odd events
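The statistical slides (expected rate = recent past + average distant past, a variance band, smooth changes allowed, abrupt changes flagged) as a worked example. This is added code, not from the deck or from Arbor Networks; the EWMA weights, the 5% sigma floor, the warm-up length and the constructed BPS series are all assumptions.

```python
import math
from typing import List, Tuple


class RateBaseline:
    """Expected = recent past (fast EWMA) blended with the average distant
    past (slow EWMA); an EWMA of squared deviation gives the confidence band."""

    def __init__(self, w_recent=0.7, a_recent=0.3, a_distant=0.02,
                 a_var=0.1, k=3.0, warmup=10, floor_ratio=0.05):
        self.w_recent, self.a_recent, self.a_distant = w_recent, a_recent, a_distant
        self.a_var, self.k, self.warmup, self.floor_ratio = a_var, k, warmup, floor_ratio
        self.recent = self.distant = self.var = None
        self.n = 0

    def observe(self, bps: float) -> Tuple[bool, float, float]:
        """Feed one rate sample; return (anomalous, expected, sigma). Anomalous
        samples are not learned, so a flood cannot drag the baseline up to itself."""
        self.n += 1
        if self.recent is None:  # first sample seeds both pasts
            self.recent, self.distant, self.var = bps, bps, 0.0
            return False, bps, 0.0
        expected = self.w_recent * self.recent + (1 - self.w_recent) * self.distant
        # Floor proportional to the expected rate (an assumed choice) keeps the
        # band meaningful while the variance estimate is still near zero.
        sigma = max(math.sqrt(self.var), self.floor_ratio * expected)
        dev = bps - expected
        anomalous = self.n > self.warmup and abs(dev) > self.k * sigma
        if not anomalous:  # smooth changes are absorbed into both pasts
            self.recent += self.a_recent * (bps - self.recent)
            self.distant += self.a_distant * (bps - self.distant)
            self.var += self.a_var * (dev * dev - self.var)
        return anomalous, expected, sigma


def build_samples() -> List[float]:
    """Constructed one-minute BPS series: 30 steady, 20 ramping +1%/min,
    5 abrupt 4x spike, then 5 back at the ramped level."""
    steady = [10_000_000.0] * 30
    ramp = [10_000_000.0 + 100_000.0 * i for i in range(1, 21)]
    return steady + ramp + [40_000_000.0] * 5 + [12_000_000.0] * 5


def flagged_indices(samples: List[float]) -> List[int]:
    """Run the baseline over a series; return positions judged abrupt."""
    model = RateBaseline()
    return [i for i, bps in enumerate(samples) if model.observe(bps)[0]]


if __name__ == "__main__":
    print(flagged_indices(build_samples()))  # -> [50, 51, 52, 53, 54]
```

The gradual ramp stays inside the band because the fast EWMA tracks it, while the 4x jump is outside the band and is never learned, so the baseline is unchanged when traffic returns to its ramped level.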
Catalog Relationships: Record every packet, flow, connection, and transaction between every host on the network.

Group Automatically: By observing incoming and outgoing links, similar protocols spoken, and proximity to other hosts, generate groupings.

Generalize Behavior: Discover which behaviors are common to the entire group, and apply to every member of the group.

[figure: FTP, SMTP, HTTP, LDAP service-based relationships]

Mail-based viruses, rogue AP, unauthorized connections

Inside, they don't use exploits

[figure: Health Care, Student Records, Web Gateway; not all traffic is authorized]

Catalog service usage over time

Detect the threat inside the chaos

[figure: HTTP and MS SQL; selectively isolate the threat]

Anomaly detection helps you identify real threats
- You can quickly react to specific threats
- Minimize the disruption and response time
- Protect core assets while offering service

Thank you