Distinguishing between legitimate and malicious traffic anomalies
When monitoring networks for traffic anomalies, it’s important to distinguish between legitimate traffic spikes and malicious attacks. And when a bona fide attack is detected, it has to be surgically neutralized without blocking or limiting legitimate traffic flows. Our advanced anomaly detection technologies – Network Behavior Anomaly Detection (NBAD) and Host Behavior Anomaly Detection (HBAD) – help you do both.
Host Behavior Anomaly Detection (HBAD)
Our HBAD technology detects hosts or endpoints exhibiting symptoms of malware infection or abusive behavior. This is achieved by identifying abnormal levels of outbound connection activity, such as outgoing spam, and further categorized by matching to profiles of malicious connection patterns. Our HBAD technology accurately detects a wide range of anomalous host behavior, including:
- Address scan
- Port scan
- Flow bomb (bombarding the same target IP and port with a high number of flows)
- Mass SMTP (address scanning or flow bombs to 25/TCP)
- Mass DNS (address scanning or flow bombs to 53/UDP)
- Mass ICMP (including echo request, echo reply, unreachable)
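The categories above can be illustrated with a small flow-record classifier. This is an added example written for this page, not the product's own detection logic; the flow records are constructed and the thresholds (8 destination hosts, 8 ports, 10 flows per target, 8 ICMP flows) are illustrative assumptions.

```python
from collections import Counter, defaultdict
# Illustrative thresholds (assumptions, not the product's tuning).
ADDR_SCAN_MIN_DSTS = 8     # distinct destination hosts from one source
PORT_SCAN_MIN_PORTS = 8    # distinct ports tried on one destination host
FLOW_BOMB_MIN_FLOWS = 10   # flows to one (dst, proto, port) triple
MASS_ICMP_MIN_FLOWS = 8    # ICMP flows from one source

# Constructed flow records: (src, dst, proto, dst_port). Not real traffic.
FLOWS = (
    [("10.0.0.5", f"192.0.2.{i}", "tcp", 25) for i in range(1, 13)]      # spam bot
    + [("10.0.0.7", "198.51.100.9", "tcp", p) for p in range(20, 32)]    # port scan
    + [("10.0.0.9", "198.51.100.53", "udp", 53)] * 12                     # DNS bomb
    + [("10.0.0.11", f"203.0.113.{i}", "icmp", 0) for i in range(1, 10)]  # ping sweep
    + [("10.0.0.2", "198.51.100.80", "tcp", 443)] * 3                     # benign
)

def classify_host(flows):
    """Return the set of HBAD-style labels earned by one source host's flows."""
    labels = set()
    ports_per_dst = defaultdict(set)
    triples = Counter()
    for _, dst, proto, port in flows:
        ports_per_dst[dst].add(port)
        triples[(dst, proto, port)] += 1
    scanning = len(ports_per_dst) >= ADDR_SCAN_MIN_DSTS
    bombs = {(proto, port) for (_, proto, port), n in triples.items()
             if n >= FLOW_BOMB_MIN_FLOWS}
    if scanning:
        labels.add("address scan")
    if any(len(p) >= PORT_SCAN_MIN_PORTS for p in ports_per_dst.values()):
        labels.add("port scan")
    if bombs:
        labels.add("flow bomb")
    # Service-specific categories: a scan or flow bomb aimed at 25/TCP or 53/UDP.
    for name, svc in (("mass SMTP", ("tcp", 25)), ("mass DNS", ("udp", 53))):
        svc_dsts = {d for _, d, pr, po in flows if (pr, po) == svc}
        if svc in bombs or (scanning and len(svc_dsts) >= ADDR_SCAN_MIN_DSTS):
            labels.add(name)
    if sum(1 for f in flows if f[2] == "icmp") >= MASS_ICMP_MIN_FLOWS:
        labels.add("mass ICMP")
    return labels

def detect(flows):
    """Group flows by source host; report hosts that earned at least one label."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[0]].append(f)
    result = {src: sorted(classify_host(fl)) for src, fl in by_src.items()}
    return {src: labels for src, labels in result.items() if labels}
```

Calling `detect(FLOWS)` flags the four abusive hosts with their categories and leaves the low-volume 10.0.0.2 unreported, which is the distinction the text describes between a busy host and an infected one.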
Our HBAD technology pinpoints anomalous behavior in 3-5 minutes. Once detected, it sends notifications, enabling you to block outgoing traffic and route the infected host to a captive portal for clean-up. Read more on how our HBAD technology neutralizes outgoing spam and keeps you off DNS blacklists.