This screen displays the alerts produced by the MOREAL Anomaly Detection Engine.
Anomaly Detection alerts express suspicious behavior based on “deviations” from historical models of activity. For more information, refer to the Anomaly Detection technical article.
Activity is analysed in regular time periods (currently 5-minute and 1-hour periods), which are broadly referred to as time windows in this domain. For a 1-hour time window, this means that the Anomaly Detection component may raise an alert regarding abnormal activity between, e.g., 3:00 and 4:00 AM. In this specific example, after 4:00 AM the Anomaly Detection component analyses the traffic of that last hour and, if it statistically deviates from the historical patterns of activity, an alert is raised. These historical patterns of activity are “seasonal”, which means that the Anomaly Detection component is able to differentiate what normally happens during different times of the day or different days of the week (e.g. during office or non-office hours, or during the weekend).
In order to build these historical models of activity, an adequate amount of “evidence” has to be collected. In practical terms, this means that about one month of log data has to be collected for a specific workstation before the Anomaly Detection component can safely infer whether an observed behaviour is normal or abnormal. Until that evidence exists, a deviation cannot be told apart from an incomplete baseline, so alerts for recently added assets should be read with that in mind.
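The following is an added, self-contained illustration of the two ideas above (1-hour windows and a seasonal baseline built from about a month of evidence). It is example code written for this article, not MOREAL's engine: the page does not document how MOREAL computes its expected range, so the statistics here (per weekday/weekend-and-hour buckets, a mean plus or minus three standard deviations range, a minimum of 12 samples before a bucket is judged) are assumptions, and the hourly LDAP connection counts are constructed. Only the entity, metric and message format are taken from the alert shown later on this page.

```python
"""Seasonal baseline for 1-hour activity windows (illustrative, not MOREAL's engine)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, stdev
import random

MIN_SAMPLES = 12      # assumption: evidence needed before a season bucket can be judged
K_SIGMA = 3.0         # assumption: half-width of the expected range, in standard deviations


def season_key(ts: datetime) -> tuple[str, int]:
    """Seasonality used here: weekday vs weekend, and hour of day (assumption)."""
    return ("weekend" if ts.weekday() >= 5 else "weekday", ts.hour)


class SeasonalBaseline:
    """Per-entity, per-metric history of 1-hour window counts, bucketed by season."""

    def __init__(self) -> None:
        self.history: dict[tuple, list[int]] = defaultdict(list)

    def add(self, entity: str, metric: str, window_start: datetime, value: int) -> None:
        self.history[(entity, metric, season_key(window_start))].append(value)

    def expected_range(self, entity: str, metric: str, window_start: datetime):
        """Range of values considered normal for this entity/metric/season, or None
        when the history is still too thin to say."""
        samples = self.history.get((entity, metric, season_key(window_start)), [])
        if len(samples) < MIN_SAMPLES:
            return None
        mu = mean(samples)
        sigma = max(stdev(samples), 1.0)     # floor so a perfectly flat history still has a range
        lo = max(0, round(mu - K_SIGMA * sigma))
        hi = round(mu + K_SIGMA * sigma)
        return lo, hi

    def check(self, entity: str, metric: str, window_start: datetime, value: int):
        """Return an alert description in the page's format, or None when the value
        is inside the expected range or there is not enough evidence yet."""
        rng = self.expected_range(entity, metric, window_start)
        if rng is None:
            return None
        lo, hi = rng
        if lo <= value <= hi:
            return None
        return f"[{entity}] Unexpected {metric} = {value} Expected range = [{lo}, {hi}]"


ENTITY = "IP: 10.0.140.11, service: ldap"
METRIC = "number of connections in internal-traffic"
DEMO_PROBE = datetime(2024, 1, 30, 10, 0)          # a Tuesday, 10:00-11:00 window
DEMO_WEEKEND_PROBE = datetime(2024, 2, 3, 10, 0)   # a Saturday, same hour


def build_demo_baseline(days: int = 28) -> SeasonalBaseline:
    """Constructed history: four weeks of hourly LDAP connection counts for one
    workstation. Weekday office hours are busy; nights and weekends are quiet."""
    rng = random.Random(7)                   # fixed seed so the demo is reproducible
    base = SeasonalBaseline()
    start = datetime(2024, 1, 1, 0, 0)       # a Monday
    for h in range(days * 24):
        ts = start + timedelta(hours=h)
        busy = ts.weekday() < 5 and 8 <= ts.hour < 18
        count = 50 + rng.randint(-8, 8) if busy else 5 + rng.randint(-3, 3)
        base.add(ENTITY, METRIC, ts, count)
    return base


if __name__ == "__main__":
    base = build_demo_baseline()
    print(base.expected_range(ENTITY, METRIC, DEMO_PROBE))
    print(base.check(ENTITY, METRIC, DEMO_PROBE, 110))          # outside the range: alert text
    print(base.check(ENTITY, METRIC, DEMO_PROBE, 50))           # inside the range: None
    print(base.check(ENTITY, METRIC, DEMO_WEEKEND_PROBE, 110))  # weekend bucket has 8 samples: None
```

Note the last call: the weekend bucket only has four weeks of Saturdays, which is below the (assumed) minimum sample count, so 110 connections on a Saturday morning produce no alert at all rather than a false one. That is the practical meaning of the "about one month of evidence" requirement: the rarer the season, the longer it takes to judge it.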
Currently the Anomaly Detection component only analyses log data received via “syslog” (system logging data from firewalls and UTMs). Behavioural analytics for NetFlow data are planned for inclusion in the next versions.
Sample Alerts page.
An anomaly detection alert contains, among other information, a title characterizing the type of anomaly and a message describing the reason the alert was triggered.
The alert overview page provides extra information for the produced alert, such as the time and number of occurrences, the time of detection, the involved entities, any affected service and the criticality of the alert.
Example of an Anomaly Detection alert
Along with the listed criticality, a set of additional score metrics is presented for better assessment:
Other important fields listed in the alert overview are:
110 in this example means 110 connections during the last hour.
Finally, the MOREAL alert overview page provides links for navigating to views of the raw traffic and security events (button: “View relevant events”) as well as to the IP profile of the involved entity (button: “View IP Profile”).
The Anomaly detection component analyzes internal assets, networks and more specific types of activity for those entities:
The specific metrics regarding network events (TCP/UDP/ICMP network sessions, device logins, VPN requests, emails) and security events (IDS alerts, spam, firewall blocks, failed logins) related to the above entities are described in the “MOREAL Metrics” documentation.
As the title of the alert in the previous example (“ip-service anomaly”) indicates, this is an anomalous event related to the networking activity of a given IP on a specific service. Other possible types of anomalous events are “device anomalies”, “ip anomalies” and “ip-country anomalies”.
The alert description:
[IP: 10.0.140.11, service: ldap] Unexpected number of connections in internal-traffic = 110 Expected range = [36, 66]
may be interpreted as follows:
[IP: 10.0.140.11, service: ldap]: The first part, enclosed in square brackets, lists the involved entity (IP: 10.0.140.11) and, for specific anomaly types, an extra attribute (currently “service” or “country”) which further specifies the type of activity that triggered this event. In this example, the traffic on service: ldap was examined and found to exhibit abnormal activity.
number of connections in internal-traffic: The second part of the message describes the specific metric which was monitored. For more information on the utilized metrics read the “MOREAL Metrics” documentation.
= 110: the value of the above metric that was found to be abnormal.
Expected range = [36, 66]: The typical range of values that are normally observed for the given metric and entity.
In brief, based on its historical models MOREAL expected the number of connections of this IP address (10.0.140.11) on this specific service (ldap) to be within 36-66. However, within the last hour the observed number of connections was 110. The Anomaly Detection inference engine considered this value anomalous and therefore generated an alert.
The anomaly detection engine may help to detect various attack scenarios including DDoS attacks, port scanning activity, brute-force attacks, worm infection and propagation, and others.
For example, consider port scanning activity: the number of unique services (i.e. port numbers) observed for an entity is one of the metrics analysed by the anomaly detection engine. This number typically remains consistent during normal operation, whereas during port scanning and vulnerability scanning it is significantly higher, so alerts are generated.
Another example is worm propagation: self-propagating code that spreads across a network by exploiting security flaws. In that case there is a spike in flow traffic with no dominant destination and usually a single dominant port. If the anomaly detection engine generates multiple alerts for the same service (i.e. “ip-service” anomalies, as described above) from different IPs during a specific time period, that may indicate worm propagation activity.
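The following added example (written for this article; it is not MOREAL code) serves two passages: the breakdown of the alert description format above, and the worm-propagation heuristic just described. It parses alert descriptions of the form `[IP: …, service: …] Unexpected <metric> = <value> Expected range = [lo, hi]` into structured fields, derives the anomaly type from the entity attributes, and then groups “ip-service” anomalies by service to flag a service for which several distinct IPs were alerted within a short window. The sample alert lines, their detection timestamps, the non-LDAP metric names and the thresholds (3 distinct IPs within 1 hour) are constructed assumptions; the grammar itself is taken from the example on this page.

```python
"""Parse MOREAL-style anomaly alert descriptions and correlate them (illustrative)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Grammar taken from the description shown on this page:
#   [IP: 10.0.140.11, service: ldap] Unexpected number of connections in internal-traffic = 110 Expected range = [36, 66]
ALERT_RE = re.compile(
    r"^\[(?P<entity>[^\]]+)\]\s+Unexpected\s+(?P<metric>.+?)\s*=\s*(?P<value>\d+(?:\.\d+)?)"
    r"\s+Expected range\s*=\s*\[\s*(?P<lo>\d+(?:\.\d+)?)\s*,\s*(?P<hi>\d+(?:\.\d+)?)\s*\]\s*$"
)


@dataclass
class AnomalyAlert:
    detected_at: datetime
    entity: dict            # e.g. {"IP": "10.0.140.11", "service": "ldap"}
    metric: str             # e.g. "number of connections in internal-traffic"
    value: float
    expected: tuple         # (lo, hi)

    @property
    def kind(self) -> str:
        """Anomaly type derived from the entity keys: 'ip', 'ip-service', 'ip-country', ..."""
        return "-".join(k.lower() for k in self.entity)

    @property
    def outside_range(self) -> bool:
        lo, hi = self.expected
        return not (lo <= self.value <= hi)


def parse_alert(detected_at: datetime, description: str) -> AnomalyAlert:
    """Split one alert description into entity attributes, metric, value and range."""
    m = ALERT_RE.match(description)
    if not m:
        raise ValueError(f"unrecognised alert description: {description!r}")
    entity = {}
    for part in m.group("entity").split(","):
        key, _, val = part.strip().partition(":")   # first colon only, so IPv6 literals survive
        entity[key.strip()] = val.strip()
    return AnomalyAlert(detected_at, entity, m.group("metric"), float(m.group("value")),
                        (float(m.group("lo")), float(m.group("hi"))))


def load_alerts(lines):
    """Each line is '<ISO detection time>\\t<alert description>' (constructed layout)."""
    out = []
    for line in lines:
        ts, _, desc = line.partition("\t")
        out.append(parse_alert(datetime.fromisoformat(ts), desc))
    return out


def suspected_worm_services(alerts, window=timedelta(hours=1), min_hosts=3):
    """Services for which at least `min_hosts` distinct IPs raised an ip-service anomaly
    within `window` of each other (thresholds are assumptions). Returns {service: [ips]}."""
    by_service = defaultdict(list)
    for a in alerts:
        if a.kind == "ip-service" and a.outside_range:
            by_service[a.entity["service"]].append(a)
    flagged = {}
    for service, items in by_service.items():
        items.sort(key=lambda a: a.detected_at)
        for i, first in enumerate(items):          # slide a window starting at each alert
            hosts = {a.entity["IP"] for a in items[i:] if a.detected_at - first.detected_at <= window}
            if len(hosts) >= min_hosts:
                flagged[service] = sorted(hosts)
                break
    return flagged


# Constructed sample: one LDAP anomaly (the page's example), three SMB anomalies from
# different hosts within ten minutes, and one ip-country anomaly for comparison.
SAMPLE_ALERTS = [
    "2024-01-30T04:00:00\t[IP: 10.0.140.11, service: ldap] Unexpected number of connections in internal-traffic = 110 Expected range = [36, 66]",
    "2024-01-30T04:00:00\t[IP: 10.0.140.23, service: smb] Unexpected number of connections in internal-traffic = 412 Expected range = [0, 15]",
    "2024-01-30T04:05:00\t[IP: 10.0.140.31, service: smb] Unexpected number of connections in internal-traffic = 388 Expected range = [2, 20]",
    "2024-01-30T04:10:00\t[IP: 10.0.140.57, service: smb] Unexpected number of connections in internal-traffic = 401 Expected range = [0, 11]",
    "2024-01-30T04:00:00\t[IP: 10.0.140.11, country: DE] Unexpected number of connections in external-traffic = 90 Expected range = [0, 4]",
]

if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    for a in alerts:
        print(a.kind, a.entity, a.metric, a.value, a.expected)
    print(suspected_worm_services(alerts))   # {'smb': ['10.0.140.23', '10.0.140.31', '10.0.140.57']}
```

The single LDAP alert is parsed but not flagged: one host exceeding its own baseline is exactly what the page's worked example shows and is not, by itself, evidence of propagation. Three different hosts tripping their SMB baselines within ten minutes is the pattern the paragraph above describes, and that is what the correlation returns.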
In general, however, Anomaly Detection is a generic tool, which may help detect even more complex and novel scenarios, like Advanced Persistent Threats (APTs), especially when combined with input from other engines like the Behavioural clustering engine.