Hello,

That was one of the problems that Vern Paxson described, but I was hoping to use the anomaly detector in a different way in the end. Maybe I should not use the word anomaly ......

Originally I was thinking about it like this, let's say we have a small office of 50 people. Now everyone in the office has a static IP and IP stealing can be monitored using a simple arp watch program.

Now on a normal day I would be willing to bet that the network behavior is relatively the same. Especially if you have the following:

Proxy server for HTTP, FTP (if needed)

The above would make it look like everyone is always hitting those two servers.

Now if we used the anomaly detector to detect changes related to a person's network usage but not related to the network load.

So for example if Mr. Smith has an IP of X.X.X.25 and every day he does X but then one day Mr. Smith does Y - we would have to see how Y relates to X.

A better example would be, at work I usually SSH into most of the servers daily for one reason or another. My boss however on a normal basis would not. So if one day his box did start making SSH connections that would be an anomaly.

Now we are not saying that this is a break in attempt or some kind of attack. But more of a "user x has changed his behavior ... why?"

I do understand your point, this type of setup would only work on a controlled network and every time a new service or network change occurred the anomaly detector would need to resample the data.

Anyways ... I am not sure how this will work yet.

Michael.
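The per-host "user x changed his behaviour" idea above, as an added example that is not part of the thread: each host's baseline is the set of destination ports it uses on most days, and a host touching a port outside its own baseline is reported as a change, ignoring volume so that load alone never triggers it. The flow records, the 10.0.0.0/24 addresses and the `min_days` threshold are constructed assumptions.

```python
"""Per-host behavioural baseline for a small office network.

Each host's "normal" is the set of destination ports it talks to on
most days.  A new (host, port) pair on a later day is reported as a
behaviour change, not as an attack.  Counts are ignored on purpose, so
a traffic spike on an already-known service does not trigger anything.
Flow records below are constructed sample data (hypothetical office).
"""
from collections import defaultdict

# Constructed sample: each day is a list of (src_ip, dst_ip, dst_port) flows.
# .25 is the admin who SSHes to servers daily; .30 is the boss who never does.
BASELINE_DAYS = [
    [("10.0.0.25", "10.0.0.2", 3128), ("10.0.0.25", "10.0.0.10", 22),
     ("10.0.0.30", "10.0.0.2", 3128), ("10.0.0.30", "10.0.0.3", 25)],
    [("10.0.0.25", "10.0.0.2", 3128), ("10.0.0.25", "10.0.0.11", 22),
     ("10.0.0.30", "10.0.0.2", 3128), ("10.0.0.30", "10.0.0.3", 25)],
    [("10.0.0.25", "10.0.0.2", 3128), ("10.0.0.25", "10.0.0.10", 22),
     ("10.0.0.30", "10.0.0.2", 3128), ("10.0.0.30", "10.0.0.9", 445)],  # one-off
]
TODAY = [
    ("10.0.0.25", "10.0.0.2", 3128), ("10.0.0.25", "10.0.0.12", 22),
    ("10.0.0.30", "10.0.0.2", 3128), ("10.0.0.30", "10.0.0.10", 22),  # boss SSHes
    ("10.0.0.30", "10.0.0.3", 25),
]


def build_baseline(days, min_days=2):
    """Map each source host to the dst ports it used on at least min_days days.
    Requiring more than one day drops one-off services (the 445 flow above)."""
    seen_days = defaultdict(lambda: defaultdict(int))  # host -> port -> #days
    for flows in days:
        for host, port in {(src, dport) for src, _dst, dport in flows}:
            seen_days[host][port] += 1
    return {host: {p for p, n in ports.items() if n >= min_days}
            for host, ports in seen_days.items()}


def detect_changes(baseline, flows):
    """Return sorted (host, port) pairs that fall outside the host's baseline.
    A host with no baseline at all is reported with every port it touches."""
    return sorted({(src, dport) for src, _dst, dport in flows
                   if dport not in baseline.get(src, set())})


if __name__ == "__main__":
    base = build_baseline(BASELINE_DAYS)
    for host, port in detect_changes(base, TODAY):
        print(f"behaviour change: {host} started using dst port {port} -- why?")
```

Resampling after a planned change, as the reply below notes, is just rebuilding the baseline from the most recent days.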



bogi wrote:
Hi
I see what you are talking about now ...
Bar snort, where you may build a special filter to detect some of what you say, it would be an intriguing task to be able to trigger an anomaly alert when traffic on a certain port increases or changes significantly. I doubt it would have any usefulness in anything but the most stable production-style networks, and in that situation a trained eye and a good mrtg report would likely result in anomaly detection. I can't see it being useful in a small home-like network, any one of your family or s.b. member can fire up a skype on an odd port and create an instant peak on some graphs triggering an anomaly. Needless to say, monitoring a server-farm like that would likely detect an intrusion, but then so will snort and any other ids ... just my 0.02 CAD.
Cheers
Szemir


On February 7, 2005 22:59, Niels Voll wrote:

It's an interesting idea to do anomaly detection for a small network.
Arguably it's an easier problem to solve. For example, if there's a
dramatic increase in traffic to a certain port within a small network or
coming from a small network onto the public network, there's a chance
that something might be amiss (e.g. one of my machines is compromised).
I have never looked at software which would monitor a network and for
example keep statistical track of traffic by port numbers. I'm assuming
it exists, and that it might be neat to build something onto that, so
that a finished product might be useful to non-experts on small networks.

It's a really intriguing idea ...

Michael Gale wrote:

Hello,

   No .. you understood me correctly. I am researching it at the
moment as only an enthusiast but am thinking about trying to create a
small little app that could do network anomaly detection on a small
network.

From what I have gathered (which is not much at the moment) network
anomaly detection has only really been tested and used in large scale
academic networks.

Some papers describe that it has been tested / used on Internet
backbones and other large networks and involve monitoring internet
traffic.

Most of them tend to agree though Network Anomaly Detection cannot
work for a few reasons.

1. By statistically studying the network traffic of any given network
it can be noted that there is too much variation to statistically
monitor the network.

2. In order to provide a basis for the analysis you would need to
train the anomaly detector on a clean network. This could be a problem.

The last point, it seems so far that most of the documentation I have
found is based on using anomaly detection as part of an IDS. Which
generates false alarms because not every anomaly is an attack.

This is why I think it would be possible to create an anomaly detector
which does only that. Graph and find anomalies (changes) in the network.

So I was curious if anyone has had any experience with this before.
Insight or documentation would be a great help.

Michael.

Niels Voll wrote:

Isn't network anomaly detection typically something, which can only
be done on rather large networks? In addition, wouldn't one need
management access (at least monitoring) to not only servers but
especially to large numbers of routing devices (or have NIDS devices
listening on a ton of network segments?).

Or did I misunderstand what you meant by anomaly detection? In what
context are you researching (e.g. academic, enthusiast, small
business, enterprise, ISP, govt)?


...Niels

Michael Gale wrote:

I'll take the lack of responses as a no.

Thanks anyways.

Michael.

Michael Gale wrote:

Hello,

   I am fairly new to the list :)

Does anyone here have experience with a NIDS (Network Intrusion
Detection System) that uses a form of network anomaly detection?
Or has anyone here used any commercial software that does or
claims to do network anomaly detection?

The reason I am asking is I am trying to research the current topic
and have found a lot of views pro and against the method.

I am looking at network anomaly detection for the purpose of only
alerting as to what has changed on the network and not as a
security measure.

Thanks.

Michael.

_______________________________________________ clug-talk mailing list [email protected] http://clug.ca/mailman/listinfo/clug-talk_clug.ca Mailing List Guidelines (http://clug.ca/ml_guidelines.php) **Please remove these lines when replying
