Unit 3
Anomalies broadly fit into three categories, each with its own traits and implications:
1. Point Anomalies: A point anomaly occurs when a single data point differs significantly from the
overall data distribution. This is the simplest anomaly type and concerns individual data points only.
Example: In credit card transaction analysis, a point anomaly may be a transaction whose amount is far
larger than the average amounts recorded for that account, which is a potential indicator of fraud.
2. Contextual Anomalies (Conditional Anomalies): Contextual or conditional anomalies are data points
that look normal overall but deviate from normal within a particular context. Typical examples occur in
time-series or geographical data, where the context (time or location) is essential for deciding what
counts as normal.
Example: A temperature of 85 Fahrenheit may be normal during the summer, but in the winter it would be
considered atypical. Likewise, air conditioning running in the streets or offices in the middle of a New
York winter would be contextually anomalous.
3. Collective Anomalies: A collective anomaly is a group of data points that are unremarkable when
considered individually but form an outlier when taken together. This pattern is usually observed in
sequential data, as in the telecommunication and healthcare monitoring systems.
Example: In an ECG data set there may be a sequence of unusual heartbeats that together constitute an
anomaly even though each heartbeat looks normal on its own. Another instance is a burst of sudden,
sustained network traffic from a single IP address within a short period, which most likely indicates a
denial-of-service attack.
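The following is an added example, not code from the unit, showing one small detector for each of the three categories above on constructed data: a z-score over card amounts (point), the same z-score computed only within each season so that an 85 F reading is flagged in winter but not in summer (contextual), and a sliding window that flags a run of individually normal pulse readings that never vary, a flat line (collective). The data sets, thresholds and window size are assumptions chosen for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample data (not from the unit): 20 ordinary card amounts plus one
# very large transaction at the end.
AMOUNTS = [42, 38, 51, 47, 40, 44, 39, 48, 45, 43,
           41, 46, 50, 37, 44, 42, 49, 43, 40, 46, 900]

# Constructed (season, temperature F) readings: 85 F appears in both seasons
# and is only anomalous in the winter context.
TEMPS = [("summer", t) for t in [82, 85, 88, 84, 86, 83, 87, 85, 84, 86]] + \
        [("winter", t) for t in [30, 35, 28, 33, 31, 85, 29, 34, 32, 30, 27, 36, 31, 33, 29]]

# Constructed pulse-rate samples: every value is inside the ordinary 70-80 range,
# but the run of identical readings (a flat line) is a collective anomaly.
PULSE = [72, 75, 78, 74, 71, 76, 73, 74, 74, 74, 74, 74, 74, 77, 72, 75]


def point_anomalies(values, threshold=3.0):
    """Point anomaly: indices whose z-score magnitude exceeds `threshold`."""
    mean = statistics.mean(values)
    stdev = statistics.pstdev(values)
    if stdev == 0:  # constant series: nothing can be an outlier
        return []
    return [i for i, v in enumerate(values) if abs((v - mean) / stdev) > threshold]


def contextual_anomalies(records, threshold=3.0):
    """Contextual anomaly: each value is scored only against the other values
    that share its context (here the season), never against the whole series."""
    by_ctx = defaultdict(list)
    for ctx, v in records:
        by_ctx[ctx].append(v)
    stats = {ctx: (statistics.mean(vs), statistics.pstdev(vs)) for ctx, vs in by_ctx.items()}
    flagged = []
    for i, (ctx, v) in enumerate(records):
        mean, stdev = stats[ctx]
        if stdev > 0 and abs((v - mean) / stdev) > threshold:
            flagged.append(i)
    return flagged


def collective_anomalies(signal, window=5, min_spread=1):
    """Collective anomaly: start offsets of windows whose values vary by less
    than `min_spread`. No single sample is abnormal; the run of them is."""
    return [i for i in range(len(signal) - window + 1)
            if max(signal[i:i + window]) - min(signal[i:i + window]) < min_spread]


if __name__ == "__main__":
    print("point:", point_anomalies(AMOUNTS))          # [20]
    print("contextual:", contextual_anomalies(TEMPS))  # [15]
    print("collective:", collective_anomalies(PULSE))  # [7, 8]
```

Note that the two summer readings of 85 F (indices 1 and 7) are not reported, only the winter one at index 15, and that the flat-line windows start at offsets 7 and 8 even though no sample in them is outside the normal range.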
Anomaly Detection Techniques
Statistical Techniques: Use statistical measures such as the mean, variance, and z-scores to
identify outliers. For instance, data points more than a chosen number of standard deviations
from the mean are treated as anomalies.
Density-Based Techniques: Examine the density of the data to identify anomalies. Methods such
as DBSCAN (Density-Based Spatial Clustering of Applications with Noise) label points in
low-density regions as anomalies.
Distance-Based Techniques: Measure the distance between data points to identify anomalies.
For example, the k-nearest neighbors (k-NN) algorithm flags points that are far from their
neighbors as anomalies.
Ensemble Methods: Combine several anomaly detection methods to improve accuracy. Examples
include combining statistical techniques with machine learning models.
Time-Series Analysis: Used for sequential data; techniques such as Seasonal-Trend decomposition
using LOESS (STL) or autoregressive models identify anomalies in temporal patterns.
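As an added example (not from the unit) of the distance-based, density-based and ensemble techniques just listed, the code below scores constructed 2-D points by their mean distance to the k nearest neighbors, then applies a simplified version of the Local Outlier Factor idea (a point is suspicious when its neighbors are much denser than it is), and finally combines the two detectors by reporting only points both agree on. The point set, k, and the ratio thresholds are assumptions for the illustration.

```python
import math

# Constructed 2-D feature vectors (not from the unit): ten points forming a
# dense cluster near the origin and one isolated point at (10, 10).
POINTS = [(0, 0), (1, 0), (0, 1), (1, 1), (0.5, 0.5),
          (2, 0), (0, 2), (2, 2), (1, 2), (2, 1), (10, 10)]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def nearest(points, i, k):
    """The k nearest other points of points[i] as (distance, index) pairs."""
    dists = sorted((euclid(points[i], q), j) for j, q in enumerate(points) if j != i)
    return dists[:k]


def knn_distances(points, k=3):
    """Distance-based score: mean distance to the k nearest neighbors."""
    return [sum(d for d, _ in nearest(points, i, k)) / k for i in range(len(points))]


def distance_based(points, k=3, ratio=3.0):
    """Flag points whose k-NN distance exceeds `ratio` times the median k-NN
    distance of the data set."""
    scores = knn_distances(points, k)
    median = sorted(scores)[len(scores) // 2]
    return {i for i, s in enumerate(scores) if s > ratio * median}


def density_based(points, k=3, ratio=3.0):
    """Simplified Local Outlier Factor idea: local density is 1 / k-NN distance;
    a point whose neighbors are `ratio` times denser than itself sits in a
    low-density region and is flagged."""
    scores = knn_distances(points, k)
    density = [1.0 / s if s > 0 else math.inf for s in scores]
    flagged = set()
    for i in range(len(points)):
        neigh = [j for _, j in nearest(points, i, k)]
        neigh_density = sum(density[j] for j in neigh) / k
        if neigh_density / density[i] > ratio:
            flagged.add(i)
    return flagged


def ensemble(points, k=3, ratio=3.0):
    """Ensemble: report only points that both detectors agree on, which trims
    false positives at the cost of some recall."""
    return distance_based(points, k, ratio) & density_based(points, k, ratio)


if __name__ == "__main__":
    print("k-NN scores:", [round(s, 2) for s in knn_distances(POINTS)])
    print("distance-based:", distance_based(POINTS))  # {10}
    print("density-based:", density_based(POINTS))    # {10}
    print("ensemble:", ensemble(POINTS))              # {10}
```

The ensemble here is the strict form (intersection). A looser ensemble that reports anything either detector flags raises recall but also inherits every false positive of both, so the choice depends on the cost of missing an anomaly versus the cost of investigating a false alarm.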
Anomaly Detection Machine Learning Techniques
Supervised Anomaly Detection
To train a model for supervised anomaly detection, a dataset labeled
"normal" and "anomalous" must be provided. This approach treats
anomaly detection as a classification problem, with the model learning
to differentiate between normal and anomalous cases based on the data
attributes.
Techniques and Models: Common models include decision trees, support
vector machines (SVMs), and neural networks. The choice of model is
determined by the dataset's complexity and the relationship between
normal and anomalous data points.
Advantages: When labeled data is available, supervised approaches can
be extremely effective, producing precise models that can distinguish
between normal and atypical behavior.
Limitations: The biggest problem is the requirement for a well-labeled
dataset, which can be expensive or impractical to obtain. Furthermore,
these models may not generalize well to new kinds of anomalies that
were not present in the training data.
Unsupervised Anomaly Detection
Unsupervised anomaly detection does not need labeled data. Instead, it assumes
that anomalies are rare and distinguishable from the bulk of the data points.
These techniques try to model the distribution of normal data and identify
deviations from it as anomalies.
Techniques and Models: Common techniques and models include clustering (e.g.,
K-means), density-based methods (e.g., Local Outlier Factor), and dimensionality
reduction (e.g., PCA). Autoencoders, a type of neural network, have also been
used successfully in unsupervised settings.
Advantages: The main benefit is that it does not require labeled data, making
it more flexible and easier to apply in the many situations where labeling is
not feasible.
Limitations: Its performance relies entirely on the assumption that normal and
anomalous data are sufficiently distinct to be separated without labels. It may
struggle with datasets containing anomalies that are not well defined or are too
similar to normal instances.
Semi-supervised Anomaly Detection
Semi-supervised anomaly detection assumes that the training set contains only
labeled normal data. The idea is to use this data to build a model of normality
and treat deviations from that model as anomalies.
Techniques and Models: One common approach is to use a model to learn a
representation of normality (e.g., a neural network trained to reconstruct normal
data points accurately) and then measure deviation from this model for anomaly
detection (e.g., using reconstruction error).
Advantages: This method is useful when anomalies are unknown or too rare to be
labeled correctly, allowing the model to concentrate on learning normal behavior.
Limitations: If the model's representation of normality is too broad or too narrow,
it may miss anomalies or flag too many normal examples as anomalies. The quality
of the normal samples is crucial to the success of this technique.
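The semi-supervised approach, as an added example that is not part of the unit: a model of normality (per-feature mean and standard deviation) is fitted to constructed sessions that are all known to be normal, the deviation of a new session is the length of its vector of z-scores, and the alert threshold is calibrated from the normal data alone. The last two calls demonstrate the limitation stated above: a threshold that is too narrow flags an ordinary session, and one that is too broad misses both anomalies. The session data, the features and the 1.5 margin are assumptions for the illustration.

```python
import math
import statistics

# Constructed training sessions, all labeled normal (not from the unit):
# (bytes_sent, duration_seconds) for ordinary client sessions.
NORMAL_TRAIN = [(1200, 2.1), (1350, 2.4), (980, 1.8), (1500, 2.9), (1100, 2.0),
                (1420, 2.6), (1250, 2.2), (1010, 1.9), (1380, 2.5), (1290, 2.3),
                (1150, 2.0), (1330, 2.4)]

# Constructed unlabeled sessions to score: two ordinary ones, a huge upload,
# and a session of ordinary size that lasts far too long.
TEST = [(1300, 2.3), (1000, 1.9), (250000, 2.2), (1400, 9.5)]


def fit_normal(rows):
    """Model of normality: per-feature mean and standard deviation learned
    from normal-only data."""
    cols = list(zip(*rows))
    return [(statistics.mean(c), statistics.pstdev(c)) for c in cols]


def score(model, row):
    """Deviation from the model: Euclidean length of the per-feature z-scores
    (a diagonal Mahalanobis distance). Features with zero spread are skipped."""
    return math.sqrt(sum(((x - m) / s) ** 2 for x, (m, s) in zip(row, model) if s > 0))


def calibrate(model, rows, margin=1.5):
    """Threshold from the normal data alone: the largest deviation any normal
    training row shows, widened by `margin` so near-normal sessions pass."""
    return margin * max(score(model, r) for r in rows)


def detect(model, rows, threshold):
    """Indices of rows whose deviation exceeds the threshold."""
    return [i for i, r in enumerate(rows) if score(model, r) > threshold]


if __name__ == "__main__":
    model = fit_normal(NORMAL_TRAIN)
    thr = calibrate(model, NORMAL_TRAIN)
    print("calibrated threshold:", round(thr, 2))
    print("calibrated:", detect(model, TEST, thr))        # [2, 3]
    print("too narrow:", detect(model, TEST, 1.0))        # [1, 2, 3]
    print("too broad:", detect(model, TEST, 10000.0))     # []
```

Because the threshold is derived from the normal samples, their quality decides everything: a training set that accidentally contains an anomaly widens the model, and one that covers only a subset of normal behavior narrows it, which is exactly the failure mode described above.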
Why is Anomaly Detection Important?
Anomaly detection is significant for many reasons across domains, demonstrating its importance for operational
performance and risk management. Here are some of the primary reasons why anomaly detection is deemed crucial:
Early detection of issues and threats: Anomaly detection enables the early discovery of possible problems and threats,
frequently before they cause significant damage. For example, in cybersecurity, identifying an abnormal pattern of
network traffic may indicate a breach, allowing proactive action to prevent data theft.
Fraud Prevention: In finance and banking, anomaly detection is important for spotting and preventing fraudulent transactions.
By recognizing patterns that depart from a user's usual behavior, financial institutions can block fraudulent transactions,
potentially saving hundreds of thousands of dollars and protecting assets.
Quality Control & Maintenance: Anomaly detection is used in manufacturing to regulate quality and perform predictive
maintenance. Identifying a product or component that deviates from normal specifications can help keep defective goods out of
the market. Similarly, recognizing abnormal equipment behavior helps forecast breakdowns before they occur, lowering
downtime and maintenance costs.
Healthcare Monitoring: In healthcare, anomaly detection can aid in monitoring patients' conditions by finding anomalous
readings or patterns in vital signs that may indicate the development of a problem or deterioration of a patient's condition. This
allows for earlier action, perhaps saving lives.
Improving the Customer Experience: Companies employ anomaly detection to track service performance and user
interactions. Identifying anomalies can assist in pinpointing flaws in the user experience, allowing for quick correction and
improvement.
Enhanced Security: Aside from cybersecurity and fraud, anomaly detection is vital for physical security and surveillance, as it
allows real-time identification of suspicious activities or behaviors, consequently enhancing safety and security measures.
Anomaly Detection Use Cases
Anomaly detection supports a wide range of industries and applications, its core function being the search for irregular
patterns that deviate from the norm. These are some of the primary use cases:
1. Fraud Detection:
Banking and Finance: Detects potentially fraudulent financial transactions by automatically searching for unusual features such
as large amounts, a foreign transaction location, or a rapid series of transactions.
Insurance: Raises red flags where the reported harm does not match the claimed damage, or where several claims are filed for the
same problem.
2. Intrusion Detection (Cybersecurity):
Network Security: Monitors network traffic and detects unusual events such as a DoS attack, phishing, or spreading malware,
based on divergence from normal traffic patterns.
System Security: Monitors system operations and alerts when characteristics of malicious or irregular activity appear, such as
unauthorized access or abnormal access patterns.
3. Health Monitoring:
Patient Health Monitoring: Wearable devices pick up deviations in heart rate, blood pressure, and other vital signs and report
them to the caregiver.
Industrial Machine Monitoring: Spots signals or patterns that may indicate a failing machine, allowing maintenance to be carried
out before a breakdown disrupts operations and incurs repair costs.
4. Industrial Anomaly Detection:
Manufacturing Processes: Continuously monitors product lines to remove defective or out-of-specification items before they
reach the market.
Oil and Gas: Tracks infrastructure and machinery using sensor data to detect failures or safety concerns proactively.
5. IT Operations:
Performance Issues: Detects abnormal system performance, for example a sudden drop in processing speed that foretells an
impending system failure.
Resource Utilization: Ingests data on the usage of system resources such as CPU and memory to highlight irregular patterns that
may indicate anomalies or wasted resources.
Conclusion
Anomaly detection is a method used to identify unusual patterns or
outliers in data that deviate significantly from the norm. It plays a
critical role in many fields, including fraud detection, network
security, and quality control. By analyzing data for deviations from
established patterns, anomaly detection systems can flag potential
issues or threats that may require further investigation. Effective
anomaly detection helps maintain system integrity, improve security
measures, and ensure operational efficiency. It leverages statistical,
machine learning, and computational techniques to recognize these
anomalies, providing valuable insights and alerts in real time.
Basic Network Attacks in Computer Network
Many people rely on the Internet for many of their professional, social and personal activities. But there are also people who
attempt to damage our Internet-connected computers, violate our privacy and render Internet services inoperable.
Given the frequency and variety of existing attacks as well as the threat of new and more destructive future attacks, network
security has become a central topic in the field of computer networking.
How are computer networks vulnerable? What are some of the more prevalent types of attacks today?
Malware – short for malicious software, which is specifically designed to disrupt, damage, or gain unauthorized access to a
computer system. Much of the malware out there today is self-replicating: once it infects one host, from that host it seeks entry
into other hosts over the Internet, and from the newly infected hosts it seeks entry into yet more hosts. In this manner,
self-replicating malware can spread exponentially fast.
Virus – Malware that requires some form of user interaction to infect the user's device. The classic example is an e-mail
attachment containing malicious executable code. If a user receives and opens such an attachment, the user inadvertently runs
the malware on the device.
Worm – Malware that can enter a device without any explicit user interaction. For example, a user may be running a vulnerable
network application to which an attacker can send malware. In some cases, without any user intervention, the application may
accept the malware from the Internet and run it, creating a worm.
Botnet – A network of private computers infected with malicious software and controlled as a group without the owners'
knowledge, e.g. to send spam.
DoS (Denial of Service) – A DoS attack renders a network, host, or other piece of infrastructure unusable by legitimate users. Most
Internet DoS attacks fall into one of three categories:
• Vulnerability attack: This involves sending a few well-crafted messages to a vulnerable application or operating system running on a
targeted host. If the right sequence of packets is sent to a vulnerable application or operating system, the service can stop or, worse,
the host can crash.
• Bandwidth flooding: The attacker sends a deluge of packets to the targeted host, so many packets that the target's access link
becomes clogged, preventing legitimate packets from reaching the server.
• Connection flooding: The attacker establishes a large number of half-open or fully open TCP connections at the target host. The
host can become so bogged down with these bogus connections that it stops accepting legitimate connections.
DDoS (Distributed DoS) – A DDoS attack is a type of DoS attack in which multiple compromised systems are used to target a single
system, causing a denial of service. DDoS attacks leveraging botnets with thousands of compromised hosts are a common
occurrence today. DDoS attacks are much harder to detect and defend against than a DoS attack from a single host.
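Connection flooding leaves a recognizable trace on the target: a pile of half-open TCP connections from the same source. The following added example (not from the unit) parses constructed connection-table lines of the form "timestamp source_ip state" and reports a source when, within a time window, its half-open (SYN_RECV) connections exceed a count and also make up most of its connections, so that a busy but well-behaved client is left alone. The log format, the window of 10 seconds, the count of 20 and the 0.8 ratio are assumptions for the illustration.

```python
from collections import defaultdict


def build_sample_log():
    """Constructed connection-table lines (not from the unit): 'timestamp
    source_ip state', where SYN_RECV marks a half-open connection whose
    handshake never completed."""
    lines = []
    for i in range(25):                       # busy but legitimate client
        lines.append(f"{1000 + i % 10} 10.0.0.5 ESTABLISHED")
    lines.append("1003 10.0.0.5 SYN_RECV")    # one stray half-open is normal
    lines.append("1004 10.0.0.7 ESTABLISHED")
    lines.append("this line is malformed")    # the parser must skip it
    for i in range(30):                       # 30 half-open in 5 s from one source
        lines.append(f"{1000 + i % 5} 203.0.113.9 SYN_RECV")
    return "\n".join(lines)


def parse(log):
    """Turn log text into (timestamp, source, state) tuples; skip bad lines."""
    entries = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        entries.append((int(parts[0]), parts[1], parts[2]))
    return entries


def flood_sources(entries, window=10, max_half_open=20, min_ratio=0.8):
    """Per source and time window, count half-open connections. A source is
    reported when a window holds more than `max_half_open` of them AND they
    are at least `min_ratio` of that source's connections in the window, so a
    busy client whose connections mostly complete is not reported.
    Returns {source: peak half-open count}."""
    buckets = defaultdict(lambda: [0, 0])      # (src, window) -> [half_open, total]
    for ts, src, state in entries:
        key = (src, ts // window)
        buckets[key][1] += 1
        if state == "SYN_RECV":
            buckets[key][0] += 1
    flagged = {}
    for (src, _), (half, total) in buckets.items():
        if half > max_half_open and half / total >= min_ratio:
            flagged[src] = max(flagged.get(src, 0), half)
    return flagged


if __name__ == "__main__":
    entries = parse(build_sample_log())
    print(len(entries), "connections parsed")        # 57
    print("flood sources:", flood_sources(entries))  # {'203.0.113.9': 30}
```

For a distributed flood the same counter would show many sources each just under the threshold, which is why the per-source rule is usually paired with a global count of half-open connections on the host.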
Packet sniffer – A passive receiver that records a copy of every packet that flies by is called a packet sniffer. By placing a passive
receiver in the vicinity of a wireless transmitter, that receiver can obtain a copy of every packet that is transmitted. These packets
can contain all kinds of sensitive information, including passwords, social security numbers, trade secrets, and private personal
messages. Some of the best defenses against packet sniffing involve cryptography.
IP Spoofing – The ability to inject packets into the Internet with a false source address is known as IP spoofing, and is but one of many
ways in which one user can masquerade as another. To solve this problem, we need end-point authentication, that is, a
mechanism that allows us to determine with certainty whether a message originates from where we think it does.
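One form of the end-point authentication just mentioned, as an added example that is not from the unit: the sender attaches an HMAC-SHA256 tag computed with a key shared with the receiver, and the receiver accepts a message only if the tag verifies and the sequence number has not been seen before. A party that merely writes "alice" in the header (the equivalent of a spoofed source address) does not hold the key and cannot produce a valid tag. The message layout, the sequence-number replay check and the constructed key are assumptions for the illustration.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key (not from the unit); in practice it comes from a
# key-exchange or provisioning step, never from source code.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def sign_message(key, sender, seq, payload):
    """Sender side: attach an HMAC-SHA256 tag over the whole message body,
    including the claimed sender and a sequence number."""
    body = json.dumps({"from": sender, "seq": seq, "payload": payload}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_message(key, msg, seen_seqs):
    """Receiver side: accept only if the tag matches under the shared key (so
    the claimed sender really holds the key) and the sequence number is new
    (so a captured authentic message cannot simply be replayed)."""
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):   # constant-time compare
        return False
    seq = json.loads(msg["body"])["seq"]
    if seq in seen_seqs:
        return False
    seen_seqs.add(seq)
    return True


def demo():
    """Return the outcomes for a genuine, replayed, forged and tampered message."""
    seen = set()
    genuine = sign_message(SHARED_KEY, "alice", 1, "transfer 10")
    ok_genuine = verify_message(SHARED_KEY, genuine, seen)
    ok_replay = verify_message(SHARED_KEY, genuine, seen)
    # Claims to be alice but was produced without the shared key.
    forged = sign_message(b"wrong-key", "alice", 2, "transfer 1000")
    ok_forged = verify_message(SHARED_KEY, forged, seen)
    # Body altered after signing: the tag no longer matches.
    tampered = dict(genuine, body=genuine["body"].replace("10", "1000"))
    ok_tampered = verify_message(SHARED_KEY, tampered, seen)
    return ok_genuine, ok_replay, ok_forged, ok_tampered


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The tag authenticates the origin and integrity of the message but does not hide its contents; confidentiality against a packet sniffer requires encryption in addition, which is why deployed protocols combine the two.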
Man-in-the-Middle Attack – As the name indicates, a man-in-the-middle attack
occurs when someone between you and the person with whom you are
communicating is actively monitoring, capturing, and controlling your
communication transparently. For example, the attacker can re-route a data
exchange. When computers are communicating at low levels of the network layer,
the computers might not be able to determine with whom they are exchanging
data.
Compromised-Key Attack – A key is a secret code or number necessary to
interpret secured information. Although obtaining a key is a difficult and resource-
intensive process for an attacker, it is possible. After an attacker obtains a key, that
key is referred to as a compromised key. An attacker uses the compromised key to
gain access to a secured communication without the sender or receiver being
aware of the attack.
Phishing – The fraudulent practice of sending emails purporting to be from
reputable companies in order to induce individuals to reveal personal information,
such as passwords and credit card numbers.
DNS spoofing – Also referred to as DNS cache poisoning, this is a form of computer
security hacking in which corrupt Domain Name System data is introduced into the
DNS resolver's cache, causing the name server to return an incorrect IP address.
Rootkit – Rootkits are stealthy software packages designed to gain administrative
rights and access to a network device. Once installed, attackers have complete and
unrestricted access to the device and can therefore execute any action, including
spying on users or stealing confidential data, without hindrance.
Botnets
A network of compromised computers is called a botnet. Compromised computers are
also called zombies or bots. This software is mostly written in C++ and C. Botnets
grew out of the dark side of the Internet and introduced a new kind of crime,
called cybercrime.
Botnet Communication
At first, the would-be botmaster finds a target system (that is, a vulnerable
system), then uses popular social engineering techniques such as phishing or click
fraud to install a small executable file (a few KB) on it. A small patch in the code
makes it invisible even among the running background processes. A naive user will
not even realize that his or her system has become part of a bot army.
After infection, the bot looks for a channel through which it can communicate with
its master. The command and control (C&C) channel mostly uses existing protocols
to request commands and receive updates from the master, so anyone examining the
traffic will find it hard to tell apart from normal traffic. The botmaster writes
scripts to run the executable on different operating systems.
The following are the major things that can be performed on bots:
Web-Injection: The botmaster can inject snippets of code into any secured website
that the bot visits.
Web filters: Special symbols are used here, such as "!" to bypass a specific domain
and "@" to take a screenshot.
Web-fakes: Redirection of a webpage can be done here.
DnsMAP: Assigns any IP address to any domain that the master wants to route to the
bot family.
Types of Botnet
Internet Relay Chat (IRC) Botnet
Internet Relay Chat (IRC) acts as the C&C channel. Bots receive commands from a
centralized IRC server, and a command takes the form of a normal chat message. The
limitation of an IRC botnet is that the entire botnet can be collapsed simply by
shutting down the IRC server.
Peer-to-Peer (P2P) Botnet
Formed using P2P protocols and a decentralized network of nodes. Very difficult to
shut down because of its decentralized structure. Each P2P bot can act as both
client and server. The bots communicate with each other frequently and send
"keep alive" messages. The limitation of P2P botnets is their higher latency for
data transmission.
Hyper Text Transfer Protocol (HTTP) Botnet
Centralized structure, using the HTTP protocol to hide its activity. Bots connect
to the C&C server via specific URLs or IP addresses at regular intervals. Unlike
IRC bots, HTTP bots periodically visit the C&C server to get updates or new
commands.
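The regular interval at which HTTP bots poll their C&C server is also what gives them away. The following added example (not from the unit) groups constructed outbound-request records by (source, destination), computes the gaps between consecutive requests for each pair, and reports pairs whose gaps are almost constant (low coefficient of variation), a rhythm that ordinary browsing does not produce. The request timestamps, hosts, minimum request count and 0.1 jitter bound are assumptions for the illustration; the C&C address 198.51.100.4 is a documentation-range placeholder.

```python
import statistics
from collections import defaultdict

# Constructed request timestamps (seconds). The infected host polls its C&C
# server about every 60 s with a second of jitter; the other streams are
# irregular browsing to an ordinary site.
BEACON_TIMES = [100, 160, 221, 280, 340, 400, 461, 520, 580, 640, 701, 760]
BROWSING_TIMES = [5, 40, 47, 300, 302, 310, 900, 905, 1400, 1401, 1402,
                  2000, 2600, 2610, 3300]


def build_sample_log():
    """'timestamp source destination' lines, one per outbound HTTP request."""
    lines = [f"{t} 10.0.0.12 198.51.100.4" for t in BEACON_TIMES]
    lines += [f"{t} 10.0.0.3 www.example.com" for t in BROWSING_TIMES]
    lines += [f"{t} 10.0.0.12 www.example.com" for t in BROWSING_TIMES[::2]]
    return "\n".join(sorted(lines, key=lambda l: int(l.split()[0])))


def parse(log):
    """Turn log text into (timestamp, source, destination); skip bad lines."""
    entries = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            entries.append((int(parts[0]), parts[1], parts[2]))
    return entries


def beacon_candidates(entries, min_requests=8, max_cv=0.1):
    """For every (source, destination) pair with at least `min_requests`
    requests, compute the gaps between consecutive requests. A coefficient of
    variation (stdev / mean) at or below `max_cv` means a steady periodic
    rhythm; return {pair: mean gap in seconds} for those pairs."""
    times = defaultdict(list)
    for ts, src, dst in entries:
        times[(src, dst)].append(ts)
    result = {}
    for pair, ts_list in times.items():
        if len(ts_list) < min_requests:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap > 0 and statistics.pstdev(gaps) / mean_gap <= max_cv:
            result[pair] = round(mean_gap, 1)
    return result


if __name__ == "__main__":
    entries = parse(build_sample_log())
    print(len(entries), "requests parsed")                  # 35
    print("beacon candidates:", beacon_candidates(entries))  # {('10.0.0.12', '198.51.100.4'): 60.0}
```

Note that the infected host's own irregular browsing to www.example.com is not reported, only its periodic stream. Legitimate software updaters and monitoring agents also beacon, so in practice the candidate list is compared against an allow-list of known periodic destinations before it becomes an alert.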
How Does it Work?
A botnet operation starts either with writing code to build the bot software or with
using available (leaked) botnet software such as the ZEUS botnet (the "king of all
botnets"), the Mirai botnet, BASHLITE, etc. The next step is finding a vulnerable
system on which the software can be installed by some means such as social
engineering (e.g. phishing); that system soon becomes part of a bot army. Those who
control it are called botmasters, and they communicate with the bot army using a
command and control channel.
Types of Botnet Attacks
Phishing: Botnets help distribute malware and carry out suspicious activities via
phishing emails. These involve a large number of bots, the whole process is
automated, and it is difficult to shut down.
Distributed Denial-of-Service (DDoS) Attack: A DDoS attack is performed by botnets
sending so many requests that a particular application or server crashes.
Network-layer DDoS attacks use SYN floods, UDP floods, etc. to consume the target's
bandwidth.
Spambots: Spambots are a type of botnet attack that harvest email addresses from
websites, guestbooks, or anywhere an email ID is required to log in. This category
accounts for more than 80 percent of spam.
Targeted Intrusion: This is one of the most dangerous attacks, as it goes after the
most valuable things: data, valuable property, etc.
How to Protect Against Botnets?
The most important way to protect against botnets is to train users to identify
suspicious links.
Keep the system software always updated to stay safe from botnets.
Using two-factor authentication is a way to stay safe from botnets.
There are several antivirus products on the market that keep you protected from
botnets.
Change passwords on a regular basis for better protection from botnets.
Botnet Lifecycle