Brian Hernacki, Architect, Symantec Research Labs
Once upon a time, network security infrastructure consisted only of a firewall deployed at the perimeter. This worked fairly well when there was limited interaction between internal and external networks, internal users were well trusted, and the value of the network-available assets was limited. In recent years, however, things have changed considerably. Network-aware applications and interactions between networks have greatly increased in number, and while access to these business-critical functions is being granted on a greater scale, attackers and their tools have become more sophisticated.
Many organizations have augmented their security infrastructures to accommodate these changes. Using a multiplicity of tools, including virus detection systems, vulnerability assessment scanners, encryption and intrusion detection systems (IDSs), companies have made an effort to both detect and prevent security threats to their networks. Early versions of these security tools, IDSs in particular, had trouble detecting certain types of threats and were unnecessarily complex. Such challenges rendered IDSs difficult to deploy, frustrating to use and possible to evade.
To address these shortcomings, several products now support a technique known as anomaly detection. While it is far from new, there has been considerable confusion over exactly what anomaly detection is and how it works.
By definition, an anomaly is something different, abnormal, or not easily classified. In computer security, then, anomaly detection means observing an abnormality in something (a network, a host, a set of users, etc.) when its behavior is compared against expected behavior.
One of the key differences between anomaly detection and other forms of detection is that rather than defining what is not allowed, it defines what is allowed. A more accurate name for such reactive detection, which enumerates what is not allowed, is explicit detection. Explicit detection systems work well when the number of possible bad behaviors is small and slow to change. In larger systems with greater variation, however, these two conditions often do not hold.
Anomaly detection is a more proactive approach that relies on having some definition of allowed behavior and then noting when observed behavior differs. This works well when it is easier or more efficient to define what is allowed than what is not. In these cases the definition of what is allowed tends to be much shorter, and it tends not to require changes as new problems are created or discovered.
Anomaly detection systems monitor networks for two primary kinds of deviation: characteristic and statistical. Characteristic deviations are more qualitative in nature and thus often unable to identify quantitative anomalies, while statistical deviations are more quantitative and less likely to pick up qualitative anomalies.
Protocol anomaly detection (PAD) systems, which are primarily characteristic (qualitative) in nature, can also use many of the attributes of a strict-model system to identify anomalies. This type of design takes advantage of the fact that protocols are by nature usually very restrictive. As such, it is possible to construct a very strict model of what should occur and easily note any deviation from it.
What differentiates PAD systems from traditional explicit matching systems (which are based on signatures) is the kind of patterns used. In most cases PAD also requires some sort of stateful, protocol-aware matching engine, without which it can be very prone to false positives.
PAD provides some very powerful capabilities that make it an excellent mechanism for network intrusion detection. First and foremost, because it does not require a prior signature to detect certain classes of attacks, it can detect attacks before signatures are published. This eliminates the vulnerability window that exists during the first hours or days after an exploit is published.
In addition, PAD is resistant to evasion by polymorphic attacks. Since it does not rely on matching explicit patterns, variations in an attack are generally still caught, whereas a signature-based system can fail when the form of the attack changes slightly. And since signature updates are not needed, there is a lower administrative overhead.

There is, however, a caveat to such intrusion detection technology. Because PAD systems are not explicit, they generally provide less specific information than comparable signature-matching systems. For example, a PAD system monitoring HTTP traffic may report that it observed a questionably encoded URL, while a signature system may report the same event by its exact name, helping security administrators know which particular threat they are dealing with.
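As an added illustration (not code from the column or from any Symantec product), here is a small Python model of an HTTP/1.x request line in the PAD style: the allowed methods, versions, length bound and percent-encoding rules are spelled out, and anything else is reported as a deviation, including the "questionably encoded URL" case mentioned above. The method set, version pattern and length bound are assumptions chosen for the example, and the sample request lines are constructed.

```python
import re
from typing import Dict, List

# Strict model of an HTTP/1.x request line. Every value here is an
# assumption chosen for this example, not a setting from any product.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
VERSION_RE = re.compile(r"^HTTP/1\.[01]$")
BAD_PCT_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")   # '%' not followed by 2 hex digits
DOUBLE_PCT_RE = re.compile(r"%25[0-9A-Fa-f]{2}")  # escaped '%' followed by an escape
MAX_TARGET_LEN = 2048  # quantitative (statistical) bound on the URL length

def check_request_line(line: str) -> List[str]:
    """Return the deviations from the model; an empty list means it conforms."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 3:
        return ["malformed request line (expected method, target, version)"]
    method, target, version = parts
    anomalies = []
    if method not in ALLOWED_METHODS:
        anomalies.append(f"unexpected method {method!r}")
    if not VERSION_RE.match(version):
        anomalies.append(f"unexpected version {version!r}")
    if len(target) > MAX_TARGET_LEN:
        anomalies.append("request-target exceeds length bound")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in target):
        anomalies.append("control or non-ASCII byte in request-target")
    if BAD_PCT_RE.search(target):
        anomalies.append("questionably encoded URL: bad percent-escape")
    if DOUBLE_PCT_RE.search(target):
        anomalies.append("questionably encoded URL: double-encoded escape")
    return anomalies

def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map the index of each non-conforming line to its deviations."""
    return {i: a for i, l in enumerate(lines) if (a := check_request_line(l))}

# Constructed sample traffic: one conforming line followed by four deviations.
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/%zzscript HTTP/1.1",   # bad percent-escape
    "GET /search?q=%2541 HTTP/1.1",      # double-encoded escape
    "BREW /pot-1 HTTP/1.1",              # method outside the model
    "GET /" + "A" * 3000 + " HTTP/1.1",  # URL longer than the bound
]
```

Calling scan(SAMPLE_REQUEST_LINES) returns a report keyed by line index (1 to 4 here) in which each entry carries only the generic category of the deviation, which is exactly the "less specific information" caveat described above.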
Through various forms of classification work, however, a PAD system can be structured such that once an anomaly is identified, additional work is performed to identify the event more specifically and provide additional reference information.
PAD provides a very powerful, scalable and maintainable intrusion detection mechanism. It is a core technology around which to build a detection infrastructure, and it provides unique capabilities, such as detection of zero-day attacks, that are not available with other methods. While it is not a panacea for all security needs, it does provide a valid and effective solution to some of the more critical limitations exhibited by current security systems.
Brian Hernacki is an architect in Symantec Research Labs, where he works with a dedicated team to develop future technologies. Hernacki has more than 10 years of experience in computer security and enterprise software development. Additionally, he has conducted research and commercial product development in a number of security areas, including intrusion detection and analysis techniques.