network behavior anomaly detection
{{Short description|Approach to network security}}
{{more citations needed|date=August 2013}}
Network behavior anomaly detection (NBAD) is a security technique that provides network security threat detection. It is a complementary technology to systems that detect security threats based on packet signatures.{{Cite web |last=Hein |first=Daniel |date=2019-05-15 |title=Network Behavior Analysis and Anomaly Detection: The Basics |url=https://solutionsreview.com/network-monitoring/network-behavior-analysis-and-anomaly-detection-the-basics/ |access-date=2022-06-27 |website=Best Network Monitoring Vendors, Software, Tools and Performance Solutions |language=en-US}}
NBAD is the continuous monitoring of a network for unusual events or trends. NBAD is an integral part of network behavior analysis (NBA), which offers security in addition to that provided by traditional anti-threat applications such as firewalls, intrusion detection systems, antivirus software and spyware-detection software.
Description
Most security monitoring systems utilize a signature-based approach to detect threats. They generally monitor packets on the network and look for patterns in the packets which match their database of signatures representing pre-identified known security threats. NBAD-based systems are particularly helpful in detecting security threat vectors in two instances where signature-based systems cannot: (i) new zero-day attacks, and (ii) when the threat traffic is encrypted, such as the command-and-control channel of certain botnets.
An NBAD program tracks critical network characteristics in real time and generates an alarm if a strange event or trend is detected that could indicate the presence of a threat. Large-scale examples of such characteristics include traffic volume, bandwidth use and protocol use.
NBAD solutions can also monitor the behavior of individual network subscribers. In order for NBAD to be optimally effective, a baseline of normal network or user behavior must be established over a period of time. Once certain parameters have been defined as normal, any departure from one or more of them is flagged as anomalous.
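The baseline-then-deviation cycle described above, as an added example that is not part of the article and not any vendor's code: it learns a per-host profile of bytes per time window (volume/bandwidth use) and of the protocols used from a training period of constructed flow records, then flags later windows whose volume departs from the profile or that carry a protocol never seen during the baseline. The flow records, the 3-sigma threshold, the sigma floor and the host addresses are all constructed assumptions for illustration.

```python
"""NBAD-style baseline/deviation detector over constructed flow records.

Added example (not from the article or any product). Models the characteristics
the article names -- traffic volume, bandwidth use (bytes per window) and
protocol use -- per network subscriber: learn a baseline, then flag departures.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-like records: (window_index, host, protocol, bytes).
# Windows 0-5 form the baseline period; windows 6-7 are under observation.
FLOWS = [
    (0, "10.0.0.5", "tcp/443", 1200), (0, "10.0.0.5", "udp/53", 150),
    (1, "10.0.0.5", "tcp/443", 1300), (1, "10.0.0.5", "udp/53", 120),
    (2, "10.0.0.5", "tcp/443", 1100), (2, "10.0.0.5", "udp/53", 140),
    (3, "10.0.0.5", "tcp/443", 1250), (3, "10.0.0.5", "udp/53", 160),
    (4, "10.0.0.5", "tcp/443", 1150), (4, "10.0.0.5", "udp/53", 130),
    (5, "10.0.0.5", "tcp/443", 1280), (5, "10.0.0.5", "udp/53", 145),
    # observation: window 6 looks normal; window 7 has a volume spike plus a
    # protocol the host never used during the baseline (constructed values)
    (6, "10.0.0.5", "tcp/443", 1220), (6, "10.0.0.5", "udp/53", 135),
    (7, "10.0.0.5", "tcp/443", 9800), (7, "10.0.0.5", "tcp/6667", 400),
    (7, "10.0.0.9", "tcp/22", 300),   # host that has no baseline at all
]

BASELINE_WINDOWS = range(0, 6)
Z_THRESHOLD = 3.0   # assumed: flag when a window deviates > 3 sigma from baseline
MIN_SIGMA = 1.0     # floor so a perfectly flat baseline cannot divide by zero


def bytes_per_window(flows):
    """Aggregate bytes per (host, window) and the set of protocols each host used."""
    volume = defaultdict(lambda: defaultdict(int))   # host -> window -> bytes
    protocols = defaultdict(set)                      # host -> {protocol}
    for window, host, proto, nbytes in flows:
        volume[host][window] += nbytes
        protocols[host].add(proto)
    return volume, protocols


def build_baseline(flows, baseline_windows):
    """Learn, per host, mean/stddev of bytes per window and the protocols seen."""
    training = [f for f in flows if f[0] in baseline_windows]
    volume, protocols = bytes_per_window(training)
    baseline = {}
    for host, per_window in volume.items():
        # windows with no traffic count as 0 bytes rather than being skipped
        samples = [per_window.get(w, 0) for w in baseline_windows]
        baseline[host] = {
            "mean": mean(samples),
            "sigma": max(pstdev(samples), MIN_SIGMA),
            "protocols": set(protocols[host]),
        }
    return baseline


def detect(flows, baseline, observe_windows, z_threshold=Z_THRESHOLD):
    """Return (host, window, kind, detail) alerts for departures from the baseline."""
    observed = [f for f in flows if f[0] in observe_windows]
    volume, _ = bytes_per_window(observed)
    alerts = []
    for host, per_window in volume.items():
        if host not in baseline:
            # No learned profile: cannot score it, but its appearance is itself notable.
            alerts.append((host, min(per_window), "no-baseline", ""))
            continue
        prof = baseline[host]
        for window in sorted(per_window):
            z = (per_window[window] - prof["mean"]) / prof["sigma"]
            if abs(z) > z_threshold:
                alerts.append((host, window, "volume", f"z={z:.1f}"))
    # protocol-use anomaly: a protocol this host never used during the baseline
    reported = set()
    for window, host, proto, _ in observed:
        if host in baseline and proto not in baseline[host]["protocols"]:
            if (host, proto) not in reported:
                reported.add((host, proto))
                alerts.append((host, window, "new-protocol", proto))
    return alerts


if __name__ == "__main__":
    profile = build_baseline(FLOWS, BASELINE_WINDOWS)
    for alert in detect(FLOWS, profile, range(6, 8)):
        print(alert)
```

Two design points matter in practice: the baseline must be long enough to cover normal daily and weekly cycles, or the detector alarms on every Monday morning, and the sigma floor plus the "no-baseline" alert keep hosts with flat or absent history from being silently ignored instead of scored.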
NBAD techniques are applied in a number of network and security monitoring domains, including (i) log analysis, (ii) packet inspection systems, (iii) flow monitoring systems and (iv) route analytics.
NBAD has also been described as outlier detection, novelty detection, deviation detection and exception mining.{{Cite journal |last=Ahmed |first=Mohiuddin |date=2016 |title=A survey of network anomaly detection techniques |url=https://daneshyari.com/article/preview/457163.pdf |journal=Journal of Network and Computer Applications |volume=60 |pages=19–31 |doi=10.1016/j.jnca.2015.11.016 |via=Elsevier}}
Popular threat detections within NBAD
Commercial products
- Palo Alto Networks – Cortex XDR{{Cite web |last= |first= |date=2021-08-24 |title=Palo Alto Networks Cortex XDR 3.0 automates threat detection and investigation across cloud environments |url=https://www.helpnetsecurity.com/2021/08/24/palo-alto-networks-cortex-xdr-3-0/ |access-date=2022-08-12 |website=Help Net Security |language=en-US}}
- Darktrace{{Cite web |last=Daws |first=Ryan |date=2022-03-10 |title=Darktrace adds 70 ML models to its AI cybersecurity platform |url=https://www.artificialintelligence-news.com/2022/03/10/darktrace-adds-70-ml-models-ai-cybersecurity-platform/ |access-date=2022-08-12 |website=AI News |language=en-GB}} – AI Enterprise Immune System | Antigena Autonomous Response
- Allot Communications{{cite web|url=https://www.allot.com/products/security/serviceprotector/|title=DDoS Security & Protection Software: Secure Your Network|publisher=}} – Allot Communications DDoS Protection
- Arbor Networks NSI{{cite web|url=http://www.arbornetworks.com/products/pravail/nsi|title=Arbor DDoS Solutions – NETSCOUT|website=NETSCOUT}} – Arbor Network Security Intelligence
- Cisco – Stealthwatch{{Cite web |date=2019-01-23 |title=How to block online threats and ransomware attacks with Cisco Stealthwatch |url=https://business-review.eu/partner-content/how-to-block-online-threats-and-ransomware-attacks-with-cisco-stealthwatch-195307 |access-date=2022-08-24 |website=Business Review |language=ro}} (formerly Lancope StealthWatch)
- IBM – QRadar (since 2003)
- Enterasys Networks – Enterasys Dragon{{Cite news |last=Heath |first=Thomas |date=2012-09-23 |title=Tenable enters partnership with In-Q-Tel |language=en-US |newspaper=Washington Post |url=https://www.washingtonpost.com/business/capitalbusiness/tenable-enters-partnership-with-in-q-tel/2012/09/23/50e82e64-01a9-11e2-b257-e1c2b3548a4a_story.html |access-date=2022-09-13 |issn=0190-8286}}
- Exinda – Inbuilt (Application Performance Score (APS), Application Performance Metric (APM), SLA, and Adaptive Response)
- ExtraHop Networks – Reveal(x){{Cite web |last= |first= |date=2022-03-24 |title=ExtraHop Reveal(x) 360 for AWS detects malicious activity across workloads |url=https://www.helpnetsecurity.com/2022/03/24/extrahop-revealx-360-aws/ |access-date=2022-08-18 |website=Help Net Security |language=en-US}}
- Flowmon Networks{{Cite web|url=https://www.flowmon.com/en/products/flowmon/anomaly-detection-system|title = Flowmon ADS – Kyberbezpečnostní nástroj pro detekci nežádoucích anomálií}} – Flowmon ADS
- FlowNBA – NetFlow
- Juniper Networks – STRM
- Lastline{{Cite web |last=Whittaker |first=Zack |date=2020-06-04 |title=VMware acquires network security firm Lastline, said to lay off 40% of staff |url=https://techcrunch.com/2020/06/04/vmware-lastline-staff-cuts/ |access-date=2022-10-11 |website=TechCrunch |language=en-US}}
- McAfee – McAfee Network Threat Behavior Analysis
- HP ProCurve – Network Immunity Manager
- Riverbed Technology – Riverbed Cascade{{Cite news |last=Overly |first=Steven |date=2012-10-29 |title=Opnet Technologies to be bought for $1B |url=https://www.washingtonpost.com/blogs/capital-business/post/opnet-technologies-to-be-bought-for-1b/2012/10/29/0c6a3ef0-21d7-11e2-8448-81b1ce7d6978_blog.html |access-date=2022-08-18 |newspaper=Washington Post |language=en-US}}
- Sourcefire – Sourcefire 3D{{Cite web |last=Snyder |first=Joel |date=2008-01-21 |title=How we tested Sourcefire's 3D System |url=https://www.networkworld.com/article/2282089/how-we-tested-sourcefire-s-3d-system.html |access-date=2022-09-13 |website=Network World |language=en}}
- Symantec – Symantec Advanced Threat Protection{{Cite web |last=Ot |first=Anina |date=2022-03-25 |title=How Endpoint Protection is Used by Finastra, Motortech, Bladex, Spicerhaart, and Connecticut Water: Case Studies |url=https://www.enterprisestorageforum.com/software/endpoint-protection-use-cases/ |access-date=2022-10-06 |website=Enterprise Storage Forum |language=en-US}}
- GREYCORTEX – Mendel{{Cite web|url=http://www.greycortex.com/|title=GreyCortex {{!}} Advanced Network Traffic Analysis|website=www.greycortex.com|access-date=2016-06-29}} (formerly TrustPort Threat Intelligence)
- Vectra AI{{Cite web |last=Hageman |first=Mitchell |date=2022-09-05 |title=Vectra AI attributes significant growth to expansion and new innovations |url=https://itbrief.com.au/story/vectra-ai-attributes-significant-growth-to-expansion-and-new-innovations |access-date=2022-09-20 |website=IT Brief Australia |language=en}}
- ZOHO Corporation – ManageEngine NetFlow Analyzer's Advanced Security Analytics Module{{Cite web |title=NetFlow Traffic Analyzer {{!}} Real-Time NetFlow Analysis - ManageEngine NetFlow Analyzer |url=https://www.manageengine.com/products/netflow/ |access-date=2022-09-20 |website=www.manageengine.com}}
- Microsoft Corp – Windows Defender ATP and Advanced Threat Analytics
- Vehere – PacketWorker Network Detection and Response{{Cite web|last=Goled|first=Shraddha|date=2021-04-03|title=Hackers Are Having A Field Day Post Pandemic: Praveen Jaiswal, Vehere|url=https://analyticsindiamag.com/hackers-are-having-a-field-day-post-pandemic-praveen-jaiswal-vehere/|access-date=2021-05-17|website=Analytics India Magazine|language=en-US}}