1
00:00:06,850 --> 00:00:10,070
- Traditional IDS and IPS provide excellent

2
00:00:10,070 --> 00:00:13,610
application layer attack detection capabilities.

3
00:00:13,610 --> 00:00:16,390
However, they do have a weakness.

4
00:00:16,390 --> 00:00:20,000
For example, they cannot detect DDoS attacks

5
00:00:20,000 --> 00:00:22,233
where the attacker uses valid packets.

6
00:00:23,070 --> 00:00:27,230
IDS and IPS devices are optimized for signature-based

7
00:00:27,230 --> 00:00:31,063
or rule-based application layer attack detection.

8
00:00:32,150 --> 00:00:35,010
Another weakness is that these systems utilize

9
00:00:35,010 --> 00:00:39,220
specific signatures to identify malicious patterns.

10
00:00:39,220 --> 00:00:43,220
Yet, if a new threat appears on the network before

11
00:00:43,220 --> 00:00:46,670
a signature is created to identify the traffic,

12
00:00:46,670 --> 00:00:49,760
it could lead to false negatives.

13
00:00:49,760 --> 00:00:53,130
An attack for which there is no signature is called

14
00:00:53,130 --> 00:00:54,353
a zero-day attack.

15
00:00:56,210 --> 00:01:00,050
Although some IPS devices do offer anomaly-based

16
00:01:00,050 --> 00:01:04,960
capabilities, which are required to detect such attacks,

17
00:01:04,960 --> 00:01:07,700
they need extensive manual tuning and have

18
00:01:07,700 --> 00:01:10,653
a major risk of generating false positives.

19
00:01:11,620 --> 00:01:14,850
You can use more elaborate anomaly-based detection

20
00:01:14,850 --> 00:01:19,850
systems to mitigate DDoS attacks and zero-day outbreaks.

21
00:01:20,230 --> 00:01:25,230
Typically, an anomaly detection system monitors network

22
00:01:25,440 --> 00:01:30,030
traffic and alerts on, or reacts to, any sudden

23
00:01:30,030 --> 00:01:34,660
increase in traffic and any other abnormalities.

24
00:01:36,680 --> 00:01:41,480
You can also use NetFlow as an anomaly detection tool.

25
00:01:41,480 --> 00:01:45,030
NetFlow is a Cisco proprietary protocol that provides

26
00:01:45,030 --> 00:01:49,540
detailed reporting and monitoring of IP traffic flows

27
00:01:49,540 --> 00:01:52,670
through a network device, such as a router, switch,

28
00:01:52,670 --> 00:01:54,543
or Cisco firewall.

29
00:01:56,410 --> 00:01:59,980
With anomaly-based analysis, the different practice

30
00:01:59,980 --> 00:02:02,550
keeps track of network traffic

31
00:02:02,550 --> 00:02:07,020
that diverges from the normal behavior patterns.

32
00:02:07,020 --> 00:02:11,280
This practice is called anomaly-based analysis.

33
00:02:11,280 --> 00:02:14,200
The limitation is that what is considered to be

34
00:02:14,200 --> 00:02:16,313
normal must be defined.

35
00:02:17,330 --> 00:02:20,030
Systems and applications whose behavior can be

36
00:02:20,030 --> 00:02:22,420
easily considered as normal could be

37
00:02:22,420 --> 00:02:25,113
classified as heuristic-based systems.

38
00:02:26,760 --> 00:02:30,480
However, sometimes it is challenging to classify a specific

39
00:02:30,480 --> 00:02:35,480
behavior as normal or abnormal based on different factors,

40
00:02:35,560 --> 00:02:39,870
which include negotiated protocols and ports,

41
00:02:39,870 --> 00:02:43,240
specific application changes, and changes in the

42
00:02:43,240 --> 00:02:44,823
architecture of the network.

43
00:02:45,970 --> 00:02:49,260
A variation of this type of analysis is called

44
00:02:49,260 --> 00:02:51,360
profile-based detection.

45
00:02:51,360 --> 00:02:55,620
This allows systems to orchestrate their alarms

46
00:02:55,620 --> 00:03:00,620
or alerts in the way that other systems or end users

47
00:03:02,890 --> 00:03:04,523
interrelate on the network.

48
00:03:07,530 --> 00:03:09,700
Another kind of anomaly-based detection

49
00:03:09,700 --> 00:03:11,960
is protocol-based detection.

50
00:03:11,960 --> 00:03:14,490
This scheme is related to,

51
00:03:14,490 --> 00:03:19,490
but not to be confused with, the protocol decode method.

52
00:03:20,720 --> 00:03:25,120
The protocol-based detection technique depends

53
00:03:25,120 --> 00:03:28,310
on well-defined protocols, as opposed

54
00:03:28,310 --> 00:03:33,290
to the protocol decode method, which classifies as an anomaly

55
00:03:34,370 --> 00:03:37,980
any unpredicted value or configuration

56
00:03:37,980 --> 00:03:41,330
within a field in the respective protocol.

57
00:03:41,330 --> 00:03:45,390
For example, a buffer overflow can be detected when

58
00:03:45,390 --> 00:03:47,690
specific strings are identified

59
00:03:47,690 --> 00:03:51,693
within the payload of the inspected IP packets.