Network Behavioral Anomaly Detection (NBAD)

This document provides an overview and training on Network Behavioral Anomaly Detection (NBAD). It discusses how NBAD distinguishes legitimate traffic surges from actual network attacks based on analyzing network ratios. The agenda covers NBAD overviews, activity tables, event reports, pattern details, graphs and examples. Event reports provide flood summaries, statistics, charts and packet captures. Pattern details break down consistent elements in headers/payloads and source/target ratios. Examples demonstrate analyzing real events, including suspected DDoS attacks and scanning profiles.

Uploaded by

Ramil Bektimirov

Service Protector Operators Training

Network Behavioral Anomaly Detection (NBAD)
Agenda

 NBAD Overview
 Activity Table
 Event Report
 Pattern Details
 Other Graphs
 Examples

2
NBAD Events

 Attacks targeting your network
   DDoS Attacks: Multiple hosts attack a single target within your network
   Scanning Activity: A single host connects to multiple hosts
3
Network Behavioral Anomaly Detection

 NBAD distinguishes between legitimate traffic surges (affecting volume but not ratios) and actual network attacks
 Based on network ratios which have minimal variance when traffic is behaving normally
 Model of expected behavior is built
 Flood detected when actual behavior deviates from this model
 Pattern captures taken each 3 minutes

[Chart: expected behavior (based on model) vs. actual behavior over time (s), with sample patterns marked]
4
NBAD Anomaly Types

Type       Description
ack        TCP ack without data flood
ack-data   TCP ack with data flood
fin        TCP fin flood
frag       Fragmented packet flood
icmp       ICMP flood
ping       Ping (ICMP echo request) flood
pong       Pong (ICMP echo reply) flood
rst        TCP rst flood
syn        TCP syn flood
tcp-inval  Invalid TCP flood
udp        Outgoing UDP flood
unr        UNR (ICMP destination unreachable) flood
Other      Other (not TCP, UDP or ICMP) flood

5
April 22, 2023
Email Notifications

6
NBAD/Flood Activity

Annotations on the activity table screenshot:
Line indicates size of parameter
Outgoing UDP Flood
Shape
Event ID
Severity (0-4)
D: DDoS Attack Profile
S: Scanning Profile
B: Bogon Space Detected
M: Malformed Packet Detected
8
NBAD/Flood Activity: Filtering the Information Displayed

9
Event Report

11
Event Report: Flood Summary

Example #1
 A strong outgoing unr flood
 Lasted for 43 mins – now ended
 Malformed packets with 5 flood patterns for analysis

Example #2
 A strong incoming TCP SYN flood
 Still active after 24 mins
 DDoS attack with 5 different flood patterns for analysis
12
Event Report: Statistics

Example #1
 High volume of traffic deviates from the expected behavior model

Example #2
 Relatively low volume of traffic deviates from the expected behavior model
13
Event Report: Charts

Example #1
 Deviation of observed outgoing unr traffic from expected model
 Ratio of TX UNR to RX (IPv4)

Example #2
 Deviation of observed incoming TCP syn packet rate from expected model
 Ratio of “incoming TCP syn” to “outgoing TCP fin”
14
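The ratio model on the NBAD slide and the two chart ratios in the event report (TX UNR to RX IPv4, incoming TCP syn to outgoing TCP fin) can be worked through in code. The Python below is an added example written for this page, not Service Protector code or output: it fits a baseline per ratio from constructed 3-minute counters, flags a sample when its ratio deviates from the model by more than a threshold, and reports the expected versus actual count the way the chart does. The counter names (in_syn, out_fin, out_unr, in_ipv4), the baseline values, the 3-sigma threshold and the 5% spread floor are all assumptions.

```python
"""Ratio-based flood detection over 3-minute samples (added example, not SP code).

A ratio between two traffic counters has little variance under normal load:
a legitimate surge scales both counters and leaves the ratio alone, while a
flood inflates one side and pushes the ratio out of the model.
"""
from statistics import mean, pstdev

# Constructed baseline: eight 3-minute samples of packet counts (assumed names).
BASELINE = [
    {"in_syn": 200 + d, "out_fin": 190 + d, "out_unr": 5, "in_ipv4": 5000 + 100 * d}
    for d in (0, 10, -5, 20, -10, 5, 15, -15)
]

# The ratios shown by the two event-report charts on the slides.
RATIOS = {
    "syn": ("in_syn", "out_fin"),   # incoming TCP syn : outgoing TCP fin
    "unr": ("out_unr", "in_ipv4"),  # TX UNR : RX IPv4
}


def ratio(sample, numerator, denominator):
    """Counter ratio; a silent denominator returns the raw count so a flood on an idle link is still seen."""
    den = sample[denominator]
    return sample[numerator] / den if den else float(sample[numerator])


class RatioModel:
    """Expected-behaviour model for one ratio: mean and spread over baseline samples."""

    def __init__(self, numerator, denominator, threshold=3.0, min_spread=0.05):
        self.num, self.den, self.threshold = numerator, denominator, threshold
        # Floor on sigma as a fraction of the mean, so a very flat baseline
        # does not turn tiny wobbles into alarms (assumed tuning value).
        self.min_spread = min_spread
        self.mu = self.sigma = None

    def fit(self, samples):
        values = [ratio(s, self.num, self.den) for s in samples]
        self.mu = mean(values)
        self.sigma = max(pstdev(values), self.min_spread * self.mu) or 1e-9
        return self

    def expected(self, sample):
        """Expected numerator count for the denominator actually observed (the chart's model line)."""
        return self.mu * sample[self.den]

    def deviation(self, sample):
        """How many sigmas the observed ratio sits above the model."""
        return (ratio(sample, self.num, self.den) - self.mu) / self.sigma

    def is_flood(self, sample):
        return self.deviation(sample) > self.threshold


def build_models(baseline=BASELINE):
    return {name: RatioModel(n, d).fit(baseline) for name, (n, d) in RATIOS.items()}


def detect(models, sample):
    """Flood types whose model the sample violates, with expected vs. actual counts."""
    events = {}
    for name, model in models.items():
        if model.is_flood(sample):
            events[name] = {
                "actual": sample[model.num],
                "expected": round(model.expected(sample)),
                "sigmas": round(model.deviation(sample), 1),
            }
    return events


# Constructed test samples.
SURGE = {"in_syn": 2000, "out_fin": 1900, "out_unr": 50, "in_ipv4": 50000}  # 10x volume, same ratios
SYN_FLOOD = {"in_syn": 3000, "out_fin": 200, "out_unr": 5, "in_ipv4": 9000}
UNR_FLOOD = {"in_syn": 205, "out_fin": 195, "out_unr": 4000, "in_ipv4": 5000}

if __name__ == "__main__":
    models = build_models()
    for label, sample in (("surge", SURGE), ("syn flood", SYN_FLOOD), ("unr flood", UNR_FLOOD)):
        print(label, detect(models, sample) or "no anomaly")
```

The surge sample carries ten times the baseline volume but the same ratios, so neither model fires; the two flood samples move only one ratio each and are reported with the expected count the chart would draw against the actual one.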
Event Report: Patterns

Annotations on the pattern list screenshot:
Number of consistent bytes in header / payload
Source Hosts : Target Hosts

SRC IP : SRC PORT > DEST IP : DEST PORT   PROT   SIG LENGTH
X.X.X.X : 1234 > 65.56.151.10 : 80        tcp    89
15
Event Report: Packet Captures

Annotations on the packet capture screenshot:
Number of packets
Deviation from expected behavior
Download Capture

 Packet samples are taken every 3 minutes
 SP stops taking samples if the flood ends or if 60 minutes pass – whichever happens first
16
Pattern

 Flood Summary
 Pattern Summary
 Filter Rule
 Full Pattern
 Pattern Chart
 Packet Captures
 Top TX Hosts
 Top RX Hosts

18
Pattern Summary

 Has pattern appeared before?
 How many consistent bytes appear?
 What is the ratio of source to destination?

 29 consistent bytes in the header
 20 source hosts sending packets to 2 dest hosts
 Appears to be a DDoS attack with malformed packets
19
Filter Rule

 For NBAD mitigation
 Conversion to other popular signatures
 Drop down options
20
Full Pattern

 BLUE items: Consistent throughout the pattern
 PINK items: Vary throughout the pattern
21
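The three Pattern Details slides above (Pattern Summary: consistent bytes and source-to-destination ratio; Filter Rule: conversion to a signature; Full Pattern: BLUE consistent items versus PINK varying items) can be demonstrated on a small packet sample. The Python below is an added example, not SP code or output: it constructs two 20-packet samples (a many-to-one SYN sample and a one-to-many port 445 sample), counts the byte offsets that are identical in every packet (the BLUE items), derives the TX:RX host ratio and the D/S profile letter from the NBAD Events slide, and emits a tcpdump/BPF filter from the 5-tuple fields that stayed constant. The addresses, ports, header values and the split into header/payload at byte 40 are constructed assumptions.

```python
"""Flood pattern analysis over a packet sample (added example, not SP code)."""
import struct

IP_HDR, TCP_HDR = 20, 20
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def ip_checksum(header):
    """Ones-complement checksum of an IPv4 header (checksum field zeroed)."""
    total = sum(int.from_bytes(header[i:i + 2], "big") for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src, sport, dst, dport, ttl, ident, seq, payload=b""):
    """Construct a raw IPv4/TCP SYN packet for the sample. The TCP checksum is left
    zero (constructed data, not a capture), so its two bytes count as consistent."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    total_len = IP_HDR + TCP_HDR + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, 0x4000, ttl, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x02, 0x2000, 0, 0)
    return ip + tcp + payload


def five_tuple(pkt):
    """(src host, src port, dst host, dst port, proto) from a raw IPv4/TCP packet without options."""
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[20:24])
    return src, sport, dst, dport, pkt[9]


def consistent_positions(packets):
    """Byte offsets whose value is identical in every packet of the sample (the BLUE items)."""
    n = min(len(p) for p in packets)
    return [i for i in range(n) if len({p[i] for p in packets}) == 1]


def host_profile(packets):
    """Distinct TX and RX hosts and the profile letter used in the activity table."""
    tuples = [five_tuple(p) for p in packets]
    n_src = len({t[0] for t in tuples})
    n_dst = len({t[2] for t in tuples})
    if n_src > 1 and n_dst == 1:
        profile = "D"   # many TX hosts, one RX host: DDoS attack profile
    elif n_src == 1 and n_dst > 1:
        profile = "S"   # one TX host, many RX hosts: scanning profile
    else:
        profile = "?"
    return n_src, n_dst, profile


def filter_rule(packets):
    """tcpdump/BPF expression built only from 5-tuple fields constant across the sample."""
    tuples = [five_tuple(p) for p in packets]
    labels = ("src host", "src port", "dst host", "dst port", "proto")
    terms = []
    for idx, label in enumerate(labels):
        values = {t[idx] for t in tuples}
        if len(values) != 1:
            continue            # varying (PINK) field: leave it out of the rule
        value = values.pop()
        if label == "proto":
            terms.insert(0, PROTO_NAMES.get(value, f"ip proto {value}"))
        else:
            terms.append(f"{label} {value}")
    return " and ".join(terms)


def analyse(packets, header_len=IP_HDR + TCP_HDR):
    """Pattern summary: consistent bytes in header/payload, TX:RX ratio, profile and filter."""
    positions = consistent_positions(packets)
    n_src, n_dst, profile = host_profile(packets)
    return {
        "header_consistent": sum(1 for p in positions if p < header_len),
        "payload_consistent": sum(1 for p in positions if p >= header_len),
        "src_hosts": n_src,
        "dst_hosts": n_dst,
        "profile": profile,
        "filter": filter_rule(packets),
    }


# Constructed samples, 20 packets each; IP ID, TTL, sequence numbers and hosts vary as they would in traffic.
DDOS_SAMPLE = [
    build_tcp_syn(f"10.0.0.{i + 1}", 1234, "65.56.151.10", 80, ttl=64 - i % 5,
                  ident=(i * 4099) & 0xFFFF, seq=0x01010101 * (i + 1), payload=b"GET / HTTP/1.0\r\n")
    for i in range(20)
]
SCAN_SAMPLE = [
    build_tcp_syn("10.0.0.5", 40000 + 300 * i, f"10.1.0.{i + 1}", 445, ttl=64,
                  ident=(i * 4099) & 0xFFFF, seq=0x01010101 * (i + 1))
    for i in range(20)
]

if __name__ == "__main__":
    for name, sample in (("DDoS profile", DDOS_SAMPLE), ("scan profile", SCAN_SAMPLE)):
        print(name, analyse(sample))
```

The first sample yields a 20:1 host ratio, profile D, and a filter that keeps the constant source port, destination host and port while dropping the varying source hosts; the second yields 1:20, profile S, and a filter on the single source host and port 445. Consistent bytes are counted per offset, so a field such as the IP ID can contribute a consistent high byte even when its value varies; the constructed samples avoid that so the counts read cleanly.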
Pattern Chart

 Pattern (pink) overlaying entire traffic (green)
 Consistent pink section indicates higher accuracy
22
Other Details

Top transmitting hosts (up to 20)
Top receiving hosts
23
Packet Captures

 Analyze Flow

 Analyze Host

24
Packet Captures

 Ethereal

25
NBAD Trends

Flood distribution over last 24 hours (colors represent groups + flood types)
27
NBAD Distribution: Duration

28
NBAD Distribution: Bit Rate

29
NBAD Top Sources

30
NBAD Top Targets

31
Example #1: Event 529

 Initial rough impression suggests strong DDoS attack
 Zoom into Flood Event 529 for more details
33
1) Attack Under Way

34
2) More Events Added To Flood

35
3) Attack Has Ceased

36
Full Pattern

 Common MAC source IP: single point of entry into network
 Single destination address and port & common source port
37
Pattern Chart

 Some noise experienced (green areas)
 Very low packet rate indeed
38
Many TX Hosts – 1 RX Host
Conclusion: Classic DDoS Attack

[Diagram: many TX hosts sending to a single RX host]
39
Example #2: Event 540

40
Event Report

41
Pattern 2672

 Constant source MAC address & source IP address
 Constant destination port - 445
 Small payload
42
1 TX Host – Many RX Hosts
Conclusion: Classic Scan Profile

[Diagram: single TX host sending to many RX hosts]
43
Review Question

Were there any suspected DDoS attacks on the Silver Group over the displayed time period?

Flood ID: 99913
44
Review Question

What elements of the attack below are COMMON in the attack pattern?

Source Address: ?   Dest. Address: ?
Source Port: ?      Dest. Port: ?
45
Exercise

Hands-on practice detecting NBAD events
46
