Behavior profiling and problem detection are available only in certain editions of the product. Network behavior-based anomaly detection (NBAD) is conceptually the same as profiling, anomaly detection, etc. Different vendors implement it differently, and some implementations are more capable than others. Generally, there are two kinds of these:
Generally speaking, Category 1 requires constant updating of heuristics to detect suspicious hosts, because the nature of suspicious activity changes rapidly in today's enterprise environments. Category 1 also requires expert knowledge. The chance of false alarms is lower in this approach because we are looking only for predetermined abnormalities. However, if the heuristics are not tuned to fit the specific network traffic environment, the false alarm probability is likely to be higher.
On the contrary, Category 2 can detect problems that were never seen before. That is because the profiling uses little a priori knowledge about problems of any kind. Instead, the profiling establishes a customized norm of traffic in the specific environment where the engine is deployed. Although the chance of a benign behavior being detected as an abnormality because it differs from the profile is non-zero, the 'positive space' approach is more likely to detect issues in a dynamic network environment.
nLive uses a select few heuristics-based detectors, such as a worm detector and a peer-to-peer traffic detector, because these are very well established behaviors. However, for the most part, nLive uses a 'positive space' approach to ensure that the problem detection fits the dynamic nature of traffic problems in today's enterprises. Additionally, nLive uses multi-dimensional machine learning technology and statistical tail-rejection mechanisms to reduce the false alarm probability. For instance, looking at a traffic threshold alone is likely to cause false alarms, but looking at the type of traffic along with the traffic threshold is likely to reduce them, because now we can capture, for example, the fact that the higher traffic was due to a backup operation and is benign.
The methods embedded in nLive are based on several years of research and development, and ensure that the vast majority of problems are detected while false alarms are minimized in real-life scenarios in today's enterprises.
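The following is an added illustration, not nLive's code or this page's, of the two mechanisms described above: a per-host, per-traffic-type profile built with tail rejection, compared against a volume-only threshold. The host, traffic types and hourly byte counts are constructed sample data.

```python
from statistics import mean, pstdev

# Constructed baseline: (host, traffic_type, bytes_per_hour) for one host over a week.
# The 9000-byte http hour is a single outlier that should not inflate the norm.
BASELINE = [
    ("10.0.0.5", "http", 1200), ("10.0.0.5", "http", 1350), ("10.0.0.5", "http", 1100),
    ("10.0.0.5", "http", 1250), ("10.0.0.5", "http", 9000),
    ("10.0.0.5", "backup", 50000), ("10.0.0.5", "backup", 52000),
    ("10.0.0.5", "backup", 48000),
]

def trimmed(values, frac=0.2):
    """Tail rejection: discard the smallest and largest `frac` of the samples before
    computing the norm, so a few anomalous hours in the baseline window are ignored."""
    s = sorted(values)
    k = int(len(s) * frac)
    return s[k:len(s) - k] if k else s

def build_profile(observations, frac=0.2):
    """Profile keyed on (host, traffic_type): mean and stddev of the tail-rejected samples.
    Keeping traffic type as a second dimension gives backup its own, much larger norm."""
    buckets = {}
    for host, ttype, nbytes in observations:
        buckets.setdefault((host, ttype), []).append(nbytes)
    return {key: (mean(t), pstdev(t))
            for key, vals in buckets.items() for t in [trimmed(vals, frac)]}

def is_anomalous(profile, host, ttype, nbytes, sigma=3.0, floor=1.0):
    """Multi-dimensional check: volume is judged against the norm for this host AND this
    traffic type. A traffic type never seen for the host has no norm and is flagged."""
    key = (host, ttype)
    if key not in profile:
        return True
    mu, sd = profile[key]
    return nbytes > mu + sigma * max(sd, floor)

def volume_only_alert(nbytes, limit=10000):
    """Contrast case from the text: a single byte-count threshold with no notion of traffic
    type fires on every routine backup hour."""
    return nbytes > limit

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for ttype, nbytes in [("http", 9000), ("http", 1400), ("backup", 50000)]:
        print(ttype, nbytes, "profile:", is_anomalous(profile, "10.0.0.5", ttype, nbytes),
              "volume-only:", volume_only_alert(nbytes))
```

In the sample, the tail-rejected http norm is about 1267 bytes with a small spread, so the 9000-byte hour is flagged while a 1400-byte hour is not; the 50000-byte backup hour passes the profile check but trips the volume-only threshold.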