Per Host Download-Upload Ratio Analysis
Definition
Detecting anomalies that indicate malicious activity by comparing the amount of data downloaded versus data uploaded by a host.
How it works
Pull (download) and push (upload) byte counts are aggregated from network metadata per host and used to build a baseline ratio for that host over a chosen time window, e.g., three hours, one day, or one week. A window whose pull vs. push ratio deviates from the host's baseline by more than a threshold produces an alert.
Considerations
Collecting and analyzing large network packet captures requires substantial storage and computing power; extracting only the flow metadata the ratio needs (bytes per direction per connection) reduces both. The time window used to calculate the ratio varies between implementations and should be chosen with the threat model in mind: a window shorter than the transfer an adversary is likely to make splits that transfer across windows, while a very long window dilutes a single large upload into the host's normal volume. Hosts that legitimately upload more than they download (file servers, backup agents) need their own baselines rather than a single fleet-wide threshold.
References
The following references were used to develop the Per Host Download-Upload Ratio Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
System for detecting threats using scenario-based tracking of internal and external network traffic
MITRE Comments
Anomalous data transfers are determined over a given time period: a pull vs. push data ratio is checked per host over a specific window, e.g., a three-hour period, a one-day period, or a one-week period.
The system can also establish a baseline for each host's pull vs. push ratio toward each individual resource the host contacts, rather than only per host overall.
Network packet capture data is collected and metadata is extracted from it. Aggregate push/pull information from that metadata is then analyzed both for a given host overall and for specific client-to-server relationships. Because the per-resource view covers internal peers as well, the technique can potentially catch lateral data transfers; alerting logic may also be filtered to raise alarms only when external hosts receive large data transfers.
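The following is an added illustration of the windowed ratio check described under "How it works" and in the comments above; it is example code written for this article, not the referenced system's logic or any product's implementation. It assumes flow metadata already reduced to (window, host, peer, bytes pulled, bytes pushed) records, uses the host's upload share pushed/(pulled+pushed) as the ratio metric so that idle windows do not divide by zero, and treats the internal address ranges, the z-score threshold, the minimum external transfer size, and the sample flows as assumptions chosen for the demonstration. It also shows the external-host alert filter from the comments above and what switching it off does for a lateral transfer.

```python
"""Per-host download/upload ratio analysis over windowed flow metadata (example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: the organisation's internal address space; anything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed floor on the baseline std-dev so a perfectly regular host does not
# turn a trivial deviation into an unbounded z-score.
SIGMA_FLOOR = 0.02


def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def push_share(pulled, pushed):
    """Upload share of a host's traffic in [0, 1]; 0 for an idle window."""
    total = pulled + pushed
    return pushed / total if total else 0.0


def aggregate(flows, per_peer=False):
    """Sum [pulled, pushed] bytes per (window, host) or (window, host, peer)."""
    totals = defaultdict(lambda: [0, 0])
    for window, host, peer, pulled, pushed in flows:
        key = (window, host, peer) if per_peer else (window, host)
        totals[key][0] += pulled
        totals[key][1] += pushed
    return totals


def host_baseline(host_totals, host, baseline_windows):
    """Mean and std-dev of one host's upload share over its baseline windows."""
    shares = [push_share(*host_totals[(w, host)])
              for w in baseline_windows if (w, host) in host_totals]
    if len(shares) < 2:
        return None  # not enough history to baseline this host
    return mean(shares), pstdev(shares)


def detect(flows, current_window, baseline_windows, z_threshold=3.0,
           min_external_bytes=50_000_000, external_only=True):
    """Alert on hosts whose upload share in current_window departs from their own baseline.

    With external_only=True an alert is only raised if some external peer received
    at least min_external_bytes from the host in that window.
    """
    host_totals = aggregate(flows)
    peer_totals = aggregate(flows, per_peer=True)
    alerts = []
    for (window, host), (pulled, pushed) in sorted(host_totals.items()):
        if window != current_window:
            continue
        stats = host_baseline(host_totals, host, baseline_windows)
        if stats is None:
            continue
        mu, sigma = stats
        share = push_share(pulled, pushed)
        z = (share - mu) / max(sigma, SIGMA_FLOOR)
        if z < z_threshold:
            continue
        # Attribute the anomaly to the peers that received the most data.
        peers = sorted(((peer, ps) for (w, h, peer), (_, ps) in peer_totals.items()
                        if w == current_window and h == host),
                       key=lambda p: p[1], reverse=True)
        big_external = [(p, b) for p, b in peers
                        if is_external(p) and b >= min_external_bytes]
        if external_only and not big_external:
            continue
        alerts.append({"host": host, "window": window, "share": round(share, 3),
                       "baseline_share": round(mu, 3), "z": round(z, 1),
                       "top_peers": peers[:3], "external_peers": big_external})
    return alerts


def build_sample_flows():
    """Constructed flow metadata (not real captures): (window, host, peer, pulled, pushed).

    Windows are one-day buckets 0..7; day 7 is the window under analysis.
    """
    flows = []
    for day in range(8):
        # 10.0.0.5 is a workstation: browsing plus file-server traffic, mostly download.
        # The day-dependent term keeps the baseline from being degenerate.
        flows.append((day, "10.0.0.5", "198.51.100.7", 800_000 + 50_000 * (day % 3), 40_000))
        flows.append((day, "10.0.0.5", "10.0.0.20", 200_000, 150_000))
        # 10.0.0.20 is the internal file server: uploading more than it downloads is its normal.
        flows.append((day, "10.0.0.20", "10.0.0.5", 150_000, 200_000))
    # Day 7: the workstation pushes 600 MB to an external host it never contacted before.
    flows.append((7, "10.0.0.5", "203.0.113.9", 20_000, 600_000_000))
    return flows


if __name__ == "__main__":
    for alert in detect(build_sample_flows(), current_window=7, baseline_windows=range(7)):
        print(alert)
```

Run as written, the only alert is for 10.0.0.5 on day 7, attributed to 203.0.113.9; the file server's high upload share never fires because it is baselined per host. Replacing the external peer with an internal one produces no alert under the default filter and one alert (with an empty external_peers list) once external_only is set to False, which is the lateral-transfer case the comments above mention.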