
Anomaly detection alerts

This screen displays the alerts produced by the MOREAL Anomaly Detection Engine.

Anomaly Detection alerts express suspicious behavior based on “deviations” from historical models of activity. For more information, refer to the Anomaly Detection technical article.

Activity is analysed in regular time periods (5-minute and 1-hour periods currently), which are broadly referred to as time windows in this domain. For a 1-hour time window, this means that the Anomaly Detection component may raise an alert regarding abnormal activity between e.g. 3:00 and 4:00 AM. In this specific example, after 4:00 AM the Anomaly Detection component analyses the traffic of that last hour and, if it statistically deviates from the historical patterns of activity, raises an alert. These historical patterns of activity are “seasonal”, which means that the Anomaly Detection component is able to differentiate what normally happens during different times of the day or different days of the week (e.g. during office or non-office hours, or during the weekend).

In order to build these historical models of activity, an adequate amount of “evidence” has to be collected. In practical terms, this means that about 1 month of log data has to be collected about a specific workstation before the Anomaly Detection component can safely infer whether an observed behaviour is normal or abnormal.
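As an added illustration of the windowing, seasonality and evidence requirement described above (this is not MOREAL's own code), the following Python keeps a per-(weekday, hour) history of 1-hour window counts for one entity, refuses to judge a window until that seasonal bucket has enough history, and otherwise emits a description in the format MOREAL alerts use. The mean plus/minus two standard deviations range, the MIN_EVIDENCE threshold and the sample counts are assumptions; the page does not document how MOREAL computes its expected range.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Minimum historical windows per (weekday, hour) bucket before inference is attempted;
# stands in for the "about one month of evidence" rule. Assumed value, not MOREAL's.
MIN_EVIDENCE = 4

class SeasonalBaseline:
    """Per-entity history of 1-hour window counts, keyed by (weekday, hour)."""
    def __init__(self):
        self.history = defaultdict(list)

    def observe(self, window_start: datetime, count: int):
        self.history[(window_start.weekday(), window_start.hour)].append(count)

    def expected_range(self, window_start: datetime):
        # Assumption: range = mean +/- 2 standard deviations, clipped at 0; None without evidence
        samples = self.history.get((window_start.weekday(), window_start.hour), [])
        if len(samples) < MIN_EVIDENCE:
            return None
        mu, sigma = mean(samples), pstdev(samples)
        return (max(0, round(mu - 2 * sigma)), round(mu + 2 * sigma))

    def check(self, window_start: datetime, count: int):
        """Alert description in the documented format, or None if normal or undecidable."""
        rng = self.expected_range(window_start)
        if rng is None or rng[0] <= count <= rng[1]:
            return None
        return (f"Unexpected number of connections in internal-traffic = {count} "
                f"Expected range = [{rng[0]}, {rng[1]}]")

def build_demo_baseline() -> SeasonalBaseline:
    """Four weeks of constructed Monday counts for one workstation (2024-01-01 is a Monday)."""
    b = SeasonalBaseline()
    for week in range(4):
        day = datetime(2024, 1, 1) + timedelta(weeks=week)
        b.observe(day.replace(hour=3), [5, 7, 6, 8][week])          # quiet at 03:00
        b.observe(day.replace(hour=14), [100, 110, 95, 105][week])  # busy at 14:00
    return b

def demo_checks():
    """The same count (110) judged against two seasonal buckets, plus an unseen bucket."""
    b, monday = build_demo_baseline(), datetime(2024, 1, 29)  # a later Monday
    return (b.check(monday.replace(hour=3), 110),             # quiet bucket: alert text
            b.check(monday.replace(hour=14), 110),            # busy bucket: None (normal)
            b.expected_range(monday + timedelta(days=1)))     # Tuesday: no evidence -> None
```

The same 110 connections are anomalous at 03:00 on a Monday but normal at 14:00, which is exactly the distinction the seasonal models make; a bucket with no history yields no verdict at all.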

Currently the Anomaly Detection component only analyzes log data from “syslog” (system logging data from firewalls and UTMs). Behavioural analytics for Netflow data are planned for inclusion in the next versions.

Sample Alerts page.

An anomaly detection alert contains:

  • A title characterizing the type of anomaly (device, ip, ip-service, ip-country)
  • A timestamp which indicates when the underlying activity occurred
  • The organization the monitored entity belongs to
  • The device name the monitored entity is connected to
  • The alert description that provides a detailed overview of the alert including the specific metric that triggered the alert, the (unexpected) current value, the involved entity and the typical range of values that are normally observed for the given metric and entity
  • A color-coded severity indicator based on a score computed from the confidence, the risk level and the collected evidence for this alert

Alert details page

An anomaly detection alert includes, among other information, a title characterizing the type of anomaly and a message describing the reason an alert was triggered.

The alert overview page provides extra information for the produced alert, such as the time and number of occurrences, the time of detection, the involved entities, any service affected and the criticality of the alert.

Example of an Anomaly Detection alert

Along with the listed criticality, a set of additional score metrics is presented for better assessment:

  • Threat Risk Indicator : A proprietary score by MOREAL indicating a risk level, confidence and the amount of evidence in a security event.
  • Risk : The risk associated with this alert.
  • Confidence : The confidence of the Anomaly Detection engine for the validity of this alert.

Other important fields listed in the alert overview are:

  • Time window : The length of the time period over which the measurements were recorded (currently either “1 hour” or “5 minutes”). Specifically, the value 110 in this example means 110 connections during the last hour.
  • Occurred at : The specific time window, with the exact starting and ending time, during which the measurements were recorded (characterizing the detected abnormal behaviour).
  • Detected at : The exact time when the Anomaly Detection engine detected this potential threat.
  • First notification : The exact time when MOREAL created this alert for the first time.
  • Last notification : The exact time when MOREAL last updated this alert (if there is more than one occurrence of the same event).

Finally, the MOREAL alert overview page provides links for navigating to views of the raw traffic and security events (button: “View relevant events”) as well as to the IP profile of the involved entity (button: “View IP Profile”).

Monitored entities

The Anomaly Detection component analyzes internal assets and networks and, more specifically, the following types of activity for those entities:

  • Network and Security devices : activity in a network as a whole (Device anomalies)
  • Assets : activity and behavior of internal IPs (IP anomalies)
  • Services : activity of internal IPs in specific services (IP-Service anomalies)
  • Geolocation : communication of internal IPs with entities in specific countries (IP-country anomalies)

The specific metrics regarding network events (TCP/UDP/ICMP network sessions, device logins, VPN requests, emails) and security events (IDS alerts, spam, firewall blocks, failed logins) related to the above entities are described in the “MOREAL Metrics” documentation.

How to interpret an Anomaly Detection alert

As the title of the alert in the previous example (“ip-service anomaly”) indicates, this alert concerns an anomalous event related to the networking activity of a given IP in a specific service. As mentioned previously, the other possible types of anomalous events are “device anomalies”, “ip anomalies” and “ip-country anomalies”.

The alert description:

[IP: 10.0.140.11, service: ldap] Unexpected number of connections in internal-traffic = 110 
Expected range = [36, 66] 

may be interpreted as follows:

  • [IP: 10.0.140.11, service: ldap] : The first part, enclosed in square brackets, lists the involved entity (IP: 10.0.140.11) and – in specific anomaly events – an extra attribute (currently “service” or “country”) which further specifies the type of activity that triggered this event. In this example, the traffic in service: ldap was examined and found to exhibit abnormal activity.
  • number of connections in internal-traffic : The second part of the message describes the specific metric which was monitored. For more information on the utilized metrics read the “MOREAL Metrics” documentation.
  • = 110 : The value of the above metric that was found to be abnormal.
  • Expected range = [36, 66] : The typical range of values that are normally observed for the given metric and entity.

Briefly, based on its historical models, MOREAL expected the number of connections of this IP address (10.0.140.11) on this specific service (ldap) to be within 36-66. However, within the last hour, the observed number of connections was 110. The Anomaly Detection Inference engine considered this value anomalous and therefore generated an alert.
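The following Python is an added example, not part of the MOREAL documentation, that parses the description format explained above into its parts (entity, optional service/country attribute, metric, observed value, expected range) and renders the same plain-language interpretation programmatically. The regular expression, the AnomalyAlert class and the function names are assumptions of this example; the sample text is the description shown on this page.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Regex for the documented description layout:
#   "[IP: <ip>(, service|country: <attr>)] Unexpected <metric> = <value> Expected range = [<low>, <high>]"
# The attribute group is optional so plain "ip" anomalies parse as well.
_NUM = r"-?\d+(?:\.\d+)?"
_DESC_RE = re.compile(
    r"\[IP:\s*(?P<ip>[0-9a-fA-F.:]+)"
    r"(?:,\s*(?P<attr_name>service|country):\s*(?P<attr_value>[^\]]+?))?\s*\]\s*"
    rf"Unexpected\s+(?P<metric>.+?)\s*=\s*(?P<value>{_NUM})\s*"
    rf"Expected range\s*=\s*\[\s*(?P<low>{_NUM})\s*,\s*(?P<high>{_NUM})\s*\]",
    re.DOTALL,
)

@dataclass
class AnomalyAlert:
    ip: str
    attr_name: Optional[str]   # "service" or "country"; None for plain IP anomalies
    attr_value: Optional[str]
    metric: str                # e.g. "number of connections in internal-traffic"
    value: float
    low: float
    high: float
    @property
    def anomaly_type(self) -> str:
        return f"ip-{self.attr_name}" if self.attr_name else "ip"

    def deviation(self) -> str:
        # Which side of the expected range the observed value falls on
        return "above" if self.value > self.high else "below" if self.value < self.low else "within"

def parse_alert_description(text: str) -> AnomalyAlert:
    m = _DESC_RE.search(text)
    if m is None:
        raise ValueError(f"unrecognised alert description: {text!r}")
    return AnomalyAlert(ip=m["ip"], attr_name=m["attr_name"], attr_value=m["attr_value"],
                        metric=m["metric"].strip(), value=float(m["value"]),
                        low=float(m["low"]), high=float(m["high"]))

def interpret(alert: AnomalyAlert) -> str:
    # Plain-language reading of the alert, in the spirit of the documentation's own summary
    scope = f" on {alert.attr_name} {alert.attr_value}" if alert.attr_name else ""
    return (f"{alert.anomaly_type} anomaly: {alert.metric} for {alert.ip}{scope} was "
            f"{alert.value:g}, {alert.deviation()} the expected range [{alert.low:g}, {alert.high:g}]")

# Constructed input, copied from the description shown on this page
SAMPLE_DESCRIPTION = ("[IP: 10.0.140.11, service: ldap] Unexpected number of connections "
                      "in internal-traffic = 110 \nExpected range = [36, 66] ")
```

Calling interpret(parse_alert_description(SAMPLE_DESCRIPTION)) yields the reading given in the paragraph above; a description without the service/country attribute is classified as a plain "ip" anomaly.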

Malicious activity detection examples

The anomaly detection engine may help detect various attack scenarios, including DDoS attacks, port scanning activity, brute-force attacks, worm infection and propagation, and others.

For example, consider port scanning activity: the number of unique services (i.e. port numbers) is one of the metrics analyzed by the anomaly detection engine. This number typically remains consistent during normal operation. However, during port scanning and vulnerability scanning activities it is significantly higher, and alerts are generated.

Another example is that of worm propagation: self-propagating code that spreads across a network by exploiting security flaws. In that case, there is a spike in flow traffic with no dominant destination, and usually only a dominant port. If the anomaly detection engine generates multiple alerts for the same service (i.e. “IP-service” anomalies, as previously mentioned) during a specific time period, that may indicate worm propagation activity.
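An added correlation example (not MOREAL's engine) for the worm propagation heuristic just described: it groups ip-service anomalies by service and flags a service when alerts for it appear on several different internal IPs inside a short span of time. The alert stream, the 30-minute window and the three-host threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, NamedTuple

class ServiceAlert(NamedTuple):
    detected_at: datetime
    ip: str
    service: str

def correlate_service_alerts(alerts: Iterable[ServiceAlert], window: timedelta,
                             min_hosts: int) -> dict:
    """Return {service: sorted distinct IPs} for every service that produced ip-service
    anomalies on at least `min_hosts` different internal IPs within any `window`-long span.
    `min_hosts` and `window` are tuning assumptions, not MOREAL thresholds."""
    by_service = defaultdict(list)
    for a in alerts:
        by_service[a.service].append(a)
    suspicious = {}
    for service, items in by_service.items():
        items.sort(key=lambda a: a.detected_at)
        for i, first in enumerate(items):  # slide the window over alerts in time order
            hosts = {a.ip for a in items[i:] if a.detected_at - first.detected_at <= window}
            if len(hosts) >= min_hosts:
                suspicious[service] = sorted(hosts)
                break
    return suspicious

# Constructed alert stream: three hosts trip the "smb" service anomaly within 30 minutes,
# while "ldap" fires on one host and "https" on two hosts hours apart.
DEMO_ALERTS = [
    ServiceAlert(datetime(2024, 1, 29, 3, 5), "10.0.140.11", "ldap"),
    ServiceAlert(datetime(2024, 1, 29, 3, 10), "10.0.140.20", "smb"),
    ServiceAlert(datetime(2024, 1, 29, 3, 15), "10.0.140.21", "smb"),
    ServiceAlert(datetime(2024, 1, 29, 3, 25), "10.0.140.22", "smb"),
    ServiceAlert(datetime(2024, 1, 29, 3, 30), "10.0.140.20", "smb"),  # repeat host, counted once
    ServiceAlert(datetime(2024, 1, 29, 1, 0), "10.0.140.30", "https"),
    ServiceAlert(datetime(2024, 1, 29, 9, 0), "10.0.140.31", "https"),
]

def demo_correlation() -> dict:
    """Run the correlation over the constructed stream with the assumed thresholds."""
    return correlate_service_alerts(DEMO_ALERTS, timedelta(minutes=30), min_hosts=3)
```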

In general, however, Anomaly Detection is a generic tool, which may help detect even more complex and novel scenarios, like Advanced Persistent Threats (APTs), especially when combined with input from other engines like the Behavioural clustering engine.