Network Traffic Community Deviation
Definition
Establishing baseline communities of network hosts and identifying statistically divergent inter-community communication.
How it works
Hosts/users within a computer network are analyzed to identify communities of hosts which frequently communicate. Future communications between communities that don't usually communicate can then be detected. For example, if a community of hosts that communicate in support of a company's finance division suddenly starts to access the code server usually accessed only by engineers, this may indicate unauthorized activity.
Considerations
- Potential for false positives in very dynamic network environments.
- Attackers that move low and slow may not differentiate their behavior enough to trigger an alert.
References
The following references were used to develop the Network Traffic Community Deviation knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
System for implementing threat detection using daily network traffic community outliers
MITRE Comments
This patent describes techniques for detecting insider attacks. Network packet capture data is collected and stored for processing. Metadata is extracted for each communication session on the organization's network and includes the source and destination host, destination port, number of connection attempts, size of data exchanged, and duration and time of the communication. The metadata is used to build a connectivity graph of the network and to identify groups of hosts that exhibit similar behavior. For each such group, a baseline behavior pattern profile is developed. Network activity for a host within a group that deviates from the group's baseline behavior pattern by more than a threshold is identified as suspicious and an alert is generated.
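The following added example (not from the knowledge-base article or the patent) implements the pipeline described under "How it works" and in the MITRE comments on constructed session metadata: hosts joined by frequent sessions are grouped into communities, the baseline counts which community pairs actually talk, and new sessions between community pairs with no (or too little) baseline history are flagged. The host names, the session records, and the thresholds `min_sessions` and `min_baseline` are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed session metadata (src, dst) for illustration only: finance hosts use a
# finance server, engineering hosts use a code server, and the two groups do not mix.
BASELINE = (
    [("fin-1", "fin-srv"), ("fin-2", "fin-srv"), ("fin-3", "fin-srv"), ("fin-1", "fin-2")] * 4
    + [("eng-1", "code-srv"), ("eng-2", "code-srv"), ("eng-1", "eng-2")] * 4
    + [("fin-3", "hr-srv")]  # a one-off session: too rare to define a community
)
# Constructed "future" sessions: one finance host reaches the engineers' code server.
NEW = [("fin-2", "fin-srv"), ("fin-1", "code-srv"), ("eng-2", "eng-1"), ("fin-3", "hr-srv")]


def _find(parent, x):
    while parent[x] != x:  # union-find root lookup with path halving
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def build_communities(sessions, min_sessions=3):
    """Group hosts by frequent communication: two hosts joined by an edge seen at least
    min_sessions times (either direction) land in the same community. Returns
    {host: community_id}; the id is the lexically smallest member of the community."""
    edges = Counter(frozenset(s) for s in sessions if s[0] != s[1])
    parent = {h: h for h in set().union(*edges)}
    for edge, n in edges.items():
        if n >= min_sessions:
            a, b = sorted(edge)
            parent[_find(parent, a)] = _find(parent, b)
    roots = {h: _find(parent, h) for h in parent}
    label = {}
    for h, r in roots.items():
        label[r] = min(label.get(r, h), h)
    return {h: label[r] for h, r in roots.items()}


def baseline_profile(sessions, communities):
    """Count how often each pair of distinct communities talked in the baseline period."""
    return Counter(frozenset((communities[s], communities[d]))
                   for s, d in sessions if communities[s] != communities[d])


def score_sessions(sessions, communities, profile, min_baseline=1):
    """Flag sessions between communities with fewer than min_baseline prior sessions.
    A host absent from the baseline is treated as a community of its own."""
    alerts = []
    for src, dst in sessions:
        cs, cd = communities.get(src, src), communities.get(dst, dst)
        if cs != cd and profile[frozenset((cs, cd))] < min_baseline:
            alerts.append((src, dst, cs, cd, profile[frozenset((cs, cd))]))
    return alerts
```

Raising `min_baseline` trades the false positives noted under Considerations for sensitivity to pairs that talk only rarely: with the constructed data, `min_baseline=1` flags only the finance host reaching the code server, while `min_baseline=2` also flags the one-off session to the HR server.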