Protocol Metadata Anomaly Detection
Definition
Collecting network communication protocol metadata and identifying statistical outliers.
How it works
Network protocol metadata is first collected and processed, either in real time or after the fact. Metadata may include packet header fields or information about a session (e.g., the time between requests and responses). The metadata is then grouped by shared characteristics, and those groups are compared with each other. If a particular set of metadata differs significantly from the rest, an alert is generated identifying the network event as anomalous. Anomalous activity may indicate unauthorized activity.
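The grouping and comparison steps described above, as an added example that is not part of this article or of the patents it references: constructed session records are grouped by destination port, each source host's request count and inter-request spacing are compared with the group median, and a source that exceeds a configurable factor is reported. Host names, threshold factors and sample values are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample of session metadata (hypothetical hosts, not real traffic).
# Fields: (source host, destination host, destination port,
#          seconds since the source's previous request to that port).
SESSIONS = (
    [("ws-01", "srv-web", 443, 31.0), ("ws-02", "srv-web", 443, 27.5),
     ("ws-03", "srv-web", 443, 35.2), ("ws-04", "srv-web", 443, 29.9),
     ("ws-05", "srv-web", 443, 33.1), ("ws-06", "srv-web", 443, 30.4),
     ("ws-07", "srv-web", 443, 28.7), ("ws-08", "srv-web", 443, 32.3)]
    + [("ws-09", "srv-web", 443, 0.2)] * 10  # one host repeating the same request
    + [("ws-01", "srv-kdc", 88, 600.0), ("ws-02", "srv-kdc", 88, 580.0),
       ("ws-03", "srv-kdc", 88, 610.0), ("ws-04", "srv-kdc", 88, 590.0)]
)

def per_source_profiles(sessions):
    """Group by shared characteristic (destination port); within each group
    summarise every source host as (request count, median inter-request gap)."""
    by_port = defaultdict(lambda: defaultdict(list))
    for src, _dst, port, gap in sessions:
        by_port[port][src].append(gap)
    return {port: {src: (len(g), median(g)) for src, g in srcs.items()}
            for port, srcs in by_port.items()}

def detect_outliers(sessions, count_factor=3.0, gap_factor=3.0):
    """Compare each source against its port group's median. Alert when a source
    sends count_factor times more requests than its peers, or its requests are
    spaced gap_factor times more tightly. Medians keep the outlier itself from
    dragging the baseline toward it."""
    alerts = []
    for port, srcs in per_source_profiles(sessions).items():
        if len(srcs) < 3:  # too few peers for a meaningful comparison
            continue
        ref_count = median(c for c, _ in srcs.values())
        ref_gap = median(g for _, g in srcs.values())
        for src, (count, gap) in srcs.items():
            reasons = []
            if count > count_factor * ref_count:
                reasons.append(f"{count} requests vs group median {ref_count}")
            if gap * gap_factor < ref_gap:
                reasons.append(f"median gap {gap}s vs group median {ref_gap}s")
            if reasons:
                alerts.append((src, port, "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for src, port, why in detect_outliers(SESSIONS):
        print(f"ALERT {src} -> port {port}: {why}")
```

The group on port 88 has only peers with similar behaviour and produces no alert, while the single host issuing rapid repeated requests on port 443 is flagged on both the count and the spacing criterion.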
Considerations
Metadata collection across an enterprise network can yield very large data sets. Storage, indexing, querying, and data aging should be planned before implementation.
References
The following references were used to develop the Protocol Metadata Anomaly Detection knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Method and system for detecting threats using metadata vectors
MITRE Comments
This patent describes detecting network threats by first passively collecting network traffic and storing it for processing. Metadata such as packet header information or information about a session (e.g., the time between requests and responses) is extracted from the traffic. After extraction, the data is grouped into cluster maps of matching events to track how many instances of a network communication have occurred, such as five requests sent and five responses received. Threshold limits are set on the clusters to monitor them, and if a cluster grows too large (e.g., ten instances of requests and responses), this can correspond to unauthorized behavior. This method might detect, for example, a network attack using malicious payloads with automated scripts, in which a bot sends replicated malicious payloads to the same destination port.
Method and system for detecting threats using passive cluster mapping
MITRE Comments
This patent describes detecting network threats by first passively collecting network traffic and storing it for processing. The stored network traffic data is used to map network events to create a cluster map. Events are network activity associated with clients, servers, or control modules such as a Kerberos Domain Controller (KDC); account information; services accessed by the client; or the number of times a service is accessed. Events that exceed a threshold from a center of gravity point of a cluster are identified as suspicious activity and an alert is generated.
System for implementing threat detection using daily network traffic community outliers
MITRE Comments
This patent describes techniques for detecting insider attacks. Network packet capture data is collected and stored for processing. Metadata is extracted for each communication session on the organization's network and includes the source and destination host, destination port, number of connection attempts, size of data exchanged, and the duration and time of the communication. The metadata is used to build a connectivity graph of the network and to identify groups of hosts that exhibit similar behavior. For each such group, a baseline behavior profile is developed. Network activity from a host within a group that deviates beyond a threshold from the group's baseline behavior pattern is identified as suspicious and an alert is generated.