Thursday, July 24, 2008

Anomaly detection

One of the major issues we face when dealing with compromises is detection. Detection of a compromise typically happens well after the incident. Often it takes weeks or months. Many organizations rely on IDS, log analysis, netflows or some other form of traditional monitoring. These are all well established and do a pretty good job. One other technology that exists is anomaly detection or Network Behavior Anomaly Detection (NBAD).

Anomaly: something that deviates from what is standard, normal, or expected : there are a number of anomalies in the present system | a legal anomaly | [with clause ] the apparent anomaly that those who produced the wealth were the poorest | the position abounds in anomaly.

What's interesting about NBAD? Consider this. If you believe that humans are creatures of habit (which we are), and computers are deterministic (this can be debated), then with rudimentary logic, we can claim that computers are therefore extensions of the creatures of habit. That said, a computer will then follow patterns of predictability, which is to say that when a user comes in in the morning, they fire up their email program, their web browser, and perhaps office applications and various other programs and the computer will respond accordingly. Ok great, we've got something to baseline behavior against. Another way to look at this is behavioral profiling of users and systems. But wait! We don't just baseline a single user and a single system. We baseline networks, which are made of computers and devices being operated by people, who are creatures of habit. So now we have a network that becomes a creature of habit. Or does it? The answer is yes, a network is a nebulous creature of habit, and the answer is no. A change in behavior would be defined as an anomaly if that behavior is outside the expected, normal or standard. Let's take a look at this.

Your webserver will exhibit dramatic changes in behavior when your site launches a new product or ad campaign or you get slashdotted. These are behavioral anomalies. But these are not bad. These events require tuning of the NBAD so you stop getting alerts. So, just what would we be concerned with? Your webserver should be serving web pages and that's just about it. If your web server starts initiating outbound connections, or starts serving FTP or SSH traffic out or communicating via IRC when it hasn't previously done so, that's a sign of badness. What if the system has previously served FTP and SSH traffic, what would be the anomaly? How about who it's communicating with and how much? If your system never communicates with hosts in say..china, and it all of a sudden starts to, that's a behavior to investigate. The same can be expanded to the network as a whole. For instance, if there is no IRC traffic for weeks and all of a sudden it appears, that's a behavior to look at. There's a lot more to discuss here and I won't try to cram it all in one post, but let's look at the downsides of NBAD.

1) Baselines are tough. Creating a baseline for users and individual systems is pretty easy. Creating a baseline for a network is tough. Why? Baselines assume the network you are looking at is 100% clean. If you create a baseline with some form of badness on the network, your baseline is invalidated before you create it.

2) Behavior changes. If human emotion conflicts with rational thinking you often get behavioral changes in people which may lead to changes in behavior of the system they use. If you get a new project, your network behavior changes. If someone gets fired, the behavior of the system and network will change. This leads to constant readjustment of the baseline.

There's much more to discuss about this including: policy based anomaly detection, thresholding, and how to put all of these things together to effectively use NBAD to assist in incident detection and identification.

NBAD in my opinion at this point is similar to a kid with a metal detector that goes to the beach. They always expect to get coins and gold, but usually end up with bottle caps. Time will tell how this type of detection mechanism plays out. If you have thoughts on this, feel free to share.