Distinguishing between legitimate and malicious traffic anomalies

When monitoring networks for traffic anomalies, it’s important to distinguish between legitimate traffic spikes and malicious attacks. And when a bona fide attack is detected, it has to be surgically neutralized without blocking or limiting legitimate traffic flows. Our advanced anomaly detection technologies – Network Behavior Anomaly Detection (NBAD) and Host Behavior Anomaly Detection (HBAD) – help you do both.

Host Behavior Anomaly Detection (HBAD)

Our HBAD technology detects hosts or endpoints exhibiting symptoms of malware infection or abusive behavior. This is achieved by identifying abnormal levels of outbound connection activity, such as outgoing spam, and then categorizing that activity by matching it against profiles of malicious connection patterns. Our HBAD technology accurately detects a wide range of anomalous host behavior, including:

  • Address scan
  • Port scan
  • Flow bomb (bombarding the same target IP and port with a high number of flows)
  • Mass SMTP (address scanning or flow bombs to 25/TCP)
  • Mass DNS (address scanning or flow bombs to 53/UDP)
  • Mass ICMP (including echo request, echo reply, unreachable)

Our HBAD technology pinpoints anomalous behavior in 3-5 minutes. Once detected, it sends notifications, enabling you to block outgoing traffic and route the infected host to a captive portal for clean-up. Read more on how our HBAD technology neutralizes outgoing spam and keeps you off DNS blacklists.  
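The sketch below is an added example, not the vendor's implementation: it shows how per-host outbound flow records could be matched against the profiles listed above. The thresholds, the flow tuple layout, the host names and the treatment of mass ICMP as a scan or bomb over ICMP are assumptions.

```python
from collections import Counter, defaultdict

# Assumed per-window thresholds (not from the page); tune to your own baseline.
SCAN_TARGETS = 50   # distinct destination IPs on one service -> address scan
SCAN_PORTS = 50     # distinct ports on one destination IP   -> port scan
BOMB_FLOWS = 200    # flows to one (IP, proto, port)          -> flow bomb

def classify_host(flows):
    """flows: (dst_ip, proto, dst_port) tuples from ONE source host in one window.
    For ICMP the port field carries the ICMP type. Returns sorted profile names."""
    ips_per_service = defaultdict(set)  # (proto, port) -> destination IPs
    ports_per_dst = defaultdict(set)    # (dst_ip, proto) -> destination ports
    flows_per_target = Counter()        # (dst_ip, proto, port) -> flow count
    for dst, proto, port in flows:
        ips_per_service[(proto, port)].add(dst)
        ports_per_dst[(dst, proto)].add(port)
        flows_per_target[(dst, proto, port)] += 1

    labels, hot = set(), set()  # hot = services hit by a scan or a bomb
    for service, ips in ips_per_service.items():
        if len(ips) >= SCAN_TARGETS:
            labels.add("address scan")
            hot.add(service)
    for (dst, proto, port), count in flows_per_target.items():
        if count >= BOMB_FLOWS:
            labels.add("flow bomb")
            hot.add((proto, port))
    if any(len(ports) >= SCAN_PORTS for ports in ports_per_dst.values()):
        labels.add("port scan")
    # Per the list above: mass SMTP/DNS = address scan or flow bomb to 25/TCP, 53/UDP.
    if ("tcp", 25) in hot:
        labels.add("mass SMTP")
    if ("udp", 53) in hot:
        labels.add("mass DNS")
    if any(proto == "icmp" for proto, _ in hot):
        labels.add("mass ICMP")
    return sorted(labels)

def demo():
    """Constructed sample flows for four hypothetical hosts."""
    hosts = {
        "spammer": [(f"198.51.100.{i}", "tcp", 25) for i in range(120)],
        "dns-bomber": [("192.0.2.53", "udp", 53)] * 300,
        "port-scanner": [("203.0.113.7", "tcp", p) for p in range(1, 101)],
        "normal": [("192.0.2.10", "tcp", 443)] * 5 + [("192.0.2.53", "udp", 53)] * 3,
    }
    return {name: classify_host(flows) for name, flows in hosts.items()}

if __name__ == "__main__":
    for name, labels in demo().items():
        print(name, labels or "no anomaly")
```
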

Network Behavior Anomaly Detection (NBAD)

Our NBAD technology identifies DDoS and other network flooding events by the anomalies they cause in the normally time-invariant behavior of “network ratios” or combinations of Layer 3 and 4 packet rate statistics. Packet filtering rules are obtained dynamically by searching deep into the captured DDoS packets for unique repeating patterns in each event. Optimal filtering accuracy is often achieved using the patterns detected in the Layer 2 to 4 headers and payload. Our NBAD technology accurately detects a wide range of anomalous network behavior, including:

  • High packet rate
  • Small packet size or large packet size
  • Fan-in (many IPs to one IP), typical of DDoS attacks
  • Fan-out (one IP to many IPs)
  • Swarms (many IPs to many IPs)
  • DoS (one IP to one IP)
  • TCP-based incidents (SYN, FIN, ACK, RST, invalid flag combinations)
  • UDP-based incidents
  • ICMP (including echo request, echo reply, unreachable)
  • Other incidents (protocols other than TCP, UDP or ICMP)
  • Incidents involving fragmented, truncated or malformed packets

Our NBAD technology detects such anomalous network behavior in just 10-60 seconds. With a pattern creation time of 10-20 seconds, it notifies you and surgically mitigates network attacks in seconds. Alert notifications are provided by email, syslog and SNMP trap (v2c). Read how our NBAD technology, embedded in ServiceProtector, succeeded in thwarting a coordinated DDoS attack against a national ISP.