Anomaly Monitoring vs. Application/Protocol monitoring

YFZblu (Member, Posts: 1,462)
Hi all,

Just looking for some clarification on Anomaly-based network analysis vs. Application/Protocol-based network analysis. I will provide my understanding at this point and perhaps you can scrutinize what I believe to be true so I may gain a clearer understanding:

Anomaly-based: The organization looks at what is traversing the wire for certain communications (whatever is being focused on), establishes a baseline of 'normal' for those communications, and anything outside of those baselines is flagged for review.

Application/Protocol-based: The organization does NOT establish a baseline, and the applications/protocols are of a more widely-used nature; the device doing application/protocol analysis already knows how the application and/or protocol is supposed to work.

My understanding at this point is that Application/Protocol analysis is more of a ready-made solution that covers more widely used communications to be used by a wide variety of organizations, while the Anomaly-based analysis is more custom-fitted to the organization in question, perhaps for custom applications and other custom or tweaked communication - which is why the baseline analysis must be done at the start.

Thoughts?

Comments

  • docrice (Member, Posts: 1,706)
    I'd say that's pretty much it. Anomaly-based would be easier to leverage in a more rigidly-controlled environment where the use of specific apps and protocols is already known and anything deviating from that baseline would be abnormal. If the network generally only uses DNS, HTTP, and HTTPS but never FTP, it'd seem odd one day for FTP to just show up on the radar.

    It's a bit tricky to chase these though since sometimes when applications update, new functions are introduced (frequently undocumented by the vendor) and it'll set off alarms. That's a good thing though since you're much more aware of how these apps work.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • YFZblu (Member, Posts: 1,462)
    Ah, that helps a lot - Thank you
  • JDMurray (Admin, Posts: 13,078)
    When your network has a screwy baseline to start with then anomaly detection throws false positives left and right. Traffic doesn't follow predictable patterns based on the number of active users or the time of day, multiple network devices spontaneously alarming, unreadable encrypted communications channels mysteriously appearing, hundreds of false-positive IDS alerts, firewalls discarding packets sent to unreachable addresses, unexplained network flows over VLANs and VPNs, etc. Sometimes a network's operational baseline is an anomaly itself.
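The following is an added worked example, written by the editor and not posted by anyone in the thread, that puts the two approaches discussed above side by side on the same set of flow records: the anomaly-based detector learns a baseline of (protocol, port) services from a training window and flags anything outside it (docrice's "FTP shows up one day" case), while the application/protocol-based detector needs no baseline and instead checks that traffic on a well-known port actually looks like the protocol expected there. It also handles JDMurray's noisy-baseline point by requiring a service to be seen a minimum number of times before it counts as "normal". All flows, addresses and payloads are constructed for the example; the `Flow` record, the dissectors and the thresholds are the editor's assumptions, not the behaviour of any particular product.

```python
"""Anomaly-based vs. application/protocol-based detection on constructed flow records."""
from collections import Counter, namedtuple

# Hypothetical flow record: what a sensor might hand a detector after reassembly.
Flow = namedtuple("Flow", "src dst proto dport payload")

# Constructed DNS query for example.com: id 0x1a2b, flags 0x0100 (query, RD), qdcount 1.
DNS_QUERY = bytes.fromhex("1a2b01000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"

# Constructed training window. As in the thread: DNS, HTTP and HTTPS only, plus one
# stray SNMP probe to model the "screwy baseline" a real network carries.
BASELINE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.2", "udp", 53, DNS_QUERY),
    Flow("10.0.0.9", "10.0.0.2", "udp", 53, DNS_QUERY),
    Flow("10.0.0.5", "93.184.216.34", "tcp", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.9", "93.184.216.34", "tcp", 80, b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.7", "93.184.216.34", "tcp", 443, b"\x16\x03\x01\x02\x00\x01"),
    Flow("10.0.0.5", "93.184.216.34", "tcp", 443, b"\x16\x03\x03\x00\x40\x01"),
    Flow("10.0.0.11", "10.0.0.2", "udp", 161, b"\x30\x26\x02\x01\x01"),  # lone SNMP probe
]

# Constructed detection window (comments say what each approach should do with it).
OBSERVED_FLOWS = [
    Flow("10.0.0.5", "93.184.216.34", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),  # normal
    Flow("10.0.0.7", "203.0.113.10", "tcp", 21, b"USER anonymous\r\n"),        # FTP: never baselined -> anomaly
    Flow("10.0.0.11", "10.0.0.2", "udp", 161, b"\x30\x26\x02\x01\x01"),        # SNMP: too rare to baseline -> anomaly
    Flow("10.0.0.9", "198.51.100.7", "tcp", 80, b"\x00\x00\x00\x2f\xffSMB"),   # not HTTP on 80 -> protocol violation only
    Flow("10.0.0.9", "10.0.0.2", "udp", 53, b"\x00\x01"),                       # truncated DNS -> protocol violation only
]


def learn_baseline(flows, min_flows=2):
    """Anomaly-based, step 1: which (proto, dport) services are 'normal' for this network?
    A service must appear at least min_flows times in the training window, so a one-off
    oddity in a noisy baseline does not get learned as normal (and then silently whitelisted)."""
    counts = Counter((f.proto, f.dport) for f in flows)
    return {service for service, n in counts.items() if n >= min_flows}


def anomaly_alerts(flows, baseline):
    """Anomaly-based, step 2: flag any flow whose service is outside the learned baseline.
    Nothing here knows what FTP or SNMP are; they alert purely because they were never seen."""
    return [f"{f.src}->{f.dst}:{f.dport}/{f.proto} not in baseline"
            for f in flows if (f.proto, f.dport) not in baseline]


# Application/protocol-based: fixed knowledge of how each protocol is supposed to look.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def check_http(payload):
    """Request line must start with a known method and carry an HTTP/1.x version token."""
    request_line = payload.split(b"\r\n", 1)[0]
    return payload.startswith(HTTP_METHODS) and b" HTTP/1." in request_line


def check_dns_query(payload):
    """12-byte header, QR bit clear (a query), opcode 0 (standard), exactly one question."""
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    return (flags & 0x8000) == 0 and ((flags >> 11) & 0xF) == 0 and qdcount == 1


def check_tls(payload):
    """TLS record header: content type 0x16 (handshake) and major version 3."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


DISSECTORS = {
    ("tcp", 80): ("HTTP", check_http),
    ("udp", 53): ("DNS", check_dns_query),
    ("tcp", 443): ("TLS", check_tls),
}


def protocol_alerts(flows):
    """Protocol-based: no baseline. A flow on a well-known port must conform to that
    protocol; ports with no dissector (FTP, SNMP here) are simply not inspected."""
    alerts = []
    for f in flows:
        dissector = DISSECTORS.get((f.proto, f.dport))
        if dissector and not dissector[1](f.payload):
            alerts.append(f"{f.src}->{f.dst}:{f.dport}/{f.proto} does not conform to {dissector[0]}")
    return alerts


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_FLOWS)
    print("learned baseline:", sorted(baseline))
    for line in anomaly_alerts(OBSERVED_FLOWS, baseline):
        print("ANOMALY  ", line)
    for line in protocol_alerts(OBSERVED_FLOWS):
        print("PROTOCOL ", line)
```

Run against the constructed windows, the anomaly detector fires on the FTP and SNMP flows and says nothing about the two malformed flows on ports 80 and 53, while the protocol detector fires on exactly those two and ignores FTP and SNMP; each approach catches what the other cannot see. Lowering `min_flows` to 1 would learn the single SNMP probe as normal and suppress that alert, which is the trade-off JDMurray's post describes from the other direction: a noisy training window either floods you with alerts or teaches the detector that the noise is fine.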