Anomaly-based intrusion detection and mitigation is an enhanced solution that combats DoS and DDoS attacks as previously discussed.
Anomaly detection solutions provide intelligence-based intrusion prevention by monitoring system activity and categorizing the traffic as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures.
Anomaly detection systems are initially in learning mode so that they can characterize normal activity and establish a baseline for normal traffic. Anomaly detection involves defining or learning normal activity and looking for deviations from various baseline profiles. Examples include the following:
Protocol anomaly: Involves looking for deviations from the protocol standard and is useful for identifying traffic that does not follow normal protocol behavior.
Network anomaly: Involves watching or learning the normal traffic levels—for example, using a time-based classification of normal traffic activity. If deviation from normal traffic activity is detected, an alarm is generated. This technique is prone to false alarms but can be combined with other techniques to improve accuracy.
Behavioral anomaly: Involves learning normal user behavior and detecting the relational traffic pattern activities of individual hosts or a group of hosts. If a change occurs, an alarm is generated. This technique is most useful in a very tightly controlled environment because behavior changes occur frequently in a network.
After these baselines are established, anomaly detection compares all traffic with the baseline profile, and any deviation from the profile is considered potential attack traffic.
On many occasions, and with increasing frequency, legitimate traffic is intermingled with the attack traffic. Therefore, traffic patterns must be closely examined in near real time so that the valid traffic can still be passed without interruption. Attack traffic can then be diverted to a mitigation device, where scrubbing is performed to eliminate bad traffic and allow legitimate traffic to flow seamlessly.
Anomaly detection and mitigation algorithms can detect all kinds of attacks, including day-zero attacks. This is different from signature-based systems, which can only detect attacks for which a static signature has been defined.
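As an added illustration (not part of the original text), the following Python model shows the network-anomaly technique described above: a learning phase builds a per-hour baseline from constructed traffic samples, a detection phase flags deviations from that baseline, and a second indicator is combined with the volume check to reduce false alarms, as the text recommends. The sample rates, the 3-sigma threshold and the SYN-ratio protocol indicator are assumptions for the example.

```python
import statistics
from collections import defaultdict


def constructed_learning_samples():
    """Constructed (hour_of_day, packets_per_second) observations for a 7-day
    learning period: busy business hours, quiet nights, deterministic jitter."""
    samples = []
    for day in range(7):
        for hour in range(24):
            base = 1000 if 8 <= hour < 18 else 200
            jitter = ((day * 13 + hour * 7) % 41) - 20   # +/-20 pps, no randomness
            samples.append((hour, base + jitter))
    return samples


class TimeBasedBaseline:
    """Network-anomaly profile: per-hour mean and spread of the traffic rate."""

    def __init__(self, threshold_sigma=3.0, min_stdev=50.0):
        self.profile = {}                # hour -> (mean, stdev)
        self.threshold = threshold_sigma
        self.min_stdev = min_stdev       # floor: a tiny spread would alarm on every blip

    def learn(self, samples):
        """Learning mode: characterize normal activity for each hour of the day."""
        by_hour = defaultdict(list)
        for hour, rate in samples:
            by_hour[hour].append(rate)
        for hour, rates in by_hour.items():
            stdev = statistics.pstdev(rates) if len(rates) > 1 else 0.0
            self.profile[hour] = (statistics.fmean(rates), max(stdev, self.min_stdev))

    def classify(self, hour, rate):
        """Detection mode: z-score of the observed rate against that hour's baseline.
        Both floods and unexpected silence count as deviations."""
        mean, stdev = self.profile[hour]
        z = (rate - mean) / stdev
        return ("anomalous" if abs(z) > self.threshold else "normal"), z


def assess(baseline, hour, rate, syn_ratio):
    """Combine the volume anomaly with an assumed protocol indicator (share of TCP
    SYNs that never complete a handshake) so a lone spike is only 'suspicious'."""
    volume_anomalous = baseline.classify(hour, rate)[0] == "anomalous"
    protocol_anomalous = syn_ratio > 0.8
    if volume_anomalous and protocol_anomalous:
        return "attack"
    if volume_anomalous or protocol_anomalous:
        return "suspicious"
    return "normal"
```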
An anomaly detection technique has the following characteristics:
Is signatureless; it does not require use of patterns or signatures.
Is granular, based on observed traffic pattern behavior.
Can perform relational- and behavioral-based anomaly detection.
Detects in real-time; anything reported is actually happening.
Supports dynamic filtering.
Includes sophisticated antispoofing techniques.
Can detect day-zero and minute-zero attacks.
Can highlight behaviors that are not indicative of attack traffic, but are still of interest.
Includes traffic diversion architecture allowing flexibility in topological placement.