Anomaly Detection and Internal Network Security Jose Nazario, Ph.D. Arbor Networks
Proprietary and Company Confidential Information

Your role is to protect the network

External barriers aren’t enough

Your perimeter is porous to threats

Discover the wolf in sheep’s clothing

Anomaly detection helps you find the things that don’t belong
[Figure: traffic labeled GOOD versus BAD]

Characterize the offending source

Three approaches: Statistical, Protocol, Relational
Statistical Anomaly Detection
Based on traffic rates
Endpoints are network blocks
Traffic is measured by time and by service
Useful for DDoS attack detection
Built on statistical expectations and confidence

Expected = Recent past + Average distant past
The statistical variance sets the confidence band around the expected value
Smooth changes stay inside the band and are absorbed into the baseline
Abrupt changes fall outside the band and are flagged

[Figure: bits per second (BPS) over time]

An example of “abrupt change”
[Figure: BPS over time with a sudden jump]

Another “abrupt change”
[Figure: BPS over time with a second sudden jump]
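The expected-value and variance rule above, worked as an added example that is not code from the deck or from Arbor's products: a small Python baseline that blends an exponentially weighted average of the recent past with the long-term running average, bands it by the history's standard deviation, absorbs a smooth ramp but flags an abrupt flood, and refuses to learn from the samples it flags so the flood cannot train itself in. The blending weights, band width, warm-up length and the Mbps samples are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass
class RateBaseline:
    alpha: float = 0.3      # weight of the newest sample in the recent-past EWMA (assumed)
    w_recent: float = 0.5   # blend of recent past vs. distant-past average (assumed)
    k: float = 3.0          # half-width of the confidence band, in std devs (assumed)
    warmup: int = 5         # samples learned before any verdict is given (assumed)
    recent: float = 0.0     # EWMA of the recent past
    n: int = 0              # samples in the distant-past history
    mean: float = 0.0       # distant-past running mean (Welford's method)
    m2: float = 0.0         # distant-past running sum of squared deviations

    def expected(self) -> float:
        return self.w_recent * self.recent + (1 - self.w_recent) * self.mean

    def stdev(self) -> float:
        return sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def _learn(self, bps: float) -> None:
        self.recent = bps if self.n == 0 else self.alpha * bps + (1 - self.alpha) * self.recent
        self.n += 1
        delta = bps - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (bps - self.mean)

    def observe(self, bps: float) -> bool:
        """True if this sample is an abrupt change; only normal samples train the baseline."""
        if self.n < self.warmup:
            self._learn(bps)
            return False
        # Floor the band at 10% of the expected rate so a perfectly flat history is not hair-trigger.
        band = max(self.k * self.stdev(), 0.1 * self.expected())
        anomalous = abs(bps - self.expected()) > band
        if not anomalous:
            self._learn(bps)  # smooth drift moves the baseline; a flood does not
        return anomalous


def flag_abrupt_changes(series, **kw) -> list:
    """Indices of the samples the baseline rejects as abrupt changes."""
    baseline = RateBaseline(**kw)
    return [t for t, bps in enumerate(series) if baseline.observe(bps)]


# Constructed Mbps samples for one network block, one per interval (not real data).
SMOOTH_RAMP = [100, 102, 105, 108, 110, 113, 116, 120, 124, 128, 132, 136]  # flagged: []
FLOOD = [100, 102, 101, 103, 102, 101, 103, 102, 900, 950, 101, 102]        # flagged: [8, 9]
```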
Protocol-Based Detection
Based on protocol behaviors
Very generic, but requires a well understood protocol
Compare protocol observations with expectations
Useful for very well controlled protocols
Works at various layers: network, application, etc.

[Figure: mail message headers From, To and Subject; a length-based overflow attack against the client via a header]

Relational-Based Detection
Uses inter-host relationships
Roles (server, client, services) are usually static
Examine network traffic and peers
Changes in roles indicate odd events

Catalog Relationships: record every packet, flow, connection, and transaction between every host on the network.
Group Automatically: by observing incoming and outgoing links, similar protocols spoken, and proximity to other hosts, generate groupings.
Generalize Behavior: discover which behaviors are common to the entire group, and apply them to every member of the group.

[Figure: service-based relationships among hosts (FTP, SMTP, HTTP, LDAP)]
Mail-based viruses
Rogue AP
Unauthorized connections

Inside, they don’t use exploits

Not all traffic is authorized
[Figure: host groups such as Health Care, Student Records and a Web Gateway, with traffic between them]

Catalog service usage over time

Detect the threat inside the chaos

Selectively isolate the threat
[Figure: HTTP and MS SQL traffic, with the offending host isolated]

Anomaly detection helps you identify real threats
You can quickly react to specific threats
Minimize the disruption and response time
Protect core assets while continuing to offer service

Thank you