Network Behavior Analysis - Components and Architecture

Version 1

    A network behavior analysis (NBA) system examines network traffic or statistics on
    network traffic to identify unusual traffic flows, such as distributed denial
    of service (DDoS) attacks, certain forms of malware (e.g., worms, backdoors),
    and policy violations (e.g., a client system providing network services to
    other systems). This section provides a detailed discussion of NBA
    technologies. First, it covers the major components of the NBA technologies and
    explains the architectures typically used for deploying the components. It also
    examines the security capabilities of the technologies in depth, including the
    methodologies they use to identify suspicious activity. The rest of the section
    discusses the management capabilities of the technologies, including
    recommendations for implementation and operation.




    Components and Architecture


    This section describes the major components of typical NBA solutions and illustrates the most common network architectures for these components. It also provides recommendations for the placement of certain components.


    Typical Components


    NBA solutions usually have sensors and consoles, with some products also offering management servers (which are
    sometimes called analyzers). NBA sensors are usually available only as appliances. Some sensors are similar to
    network-based IDPS sensors in that they sniff packets to monitor network activity on one or a few network segments.
    Other NBA sensors do not monitor the networks directly, but instead rely on network flow information provided by
    routers and other networking devices. A flow refers to a particular communication session occurring between hosts.
    There are many standards for flow data formats, including NetFlow and sFlow. Typical flow data particularly relevant
    to intrusion detection and prevention includes the following:

    1. Source and destination IP addresses

    2. Source and destination TCP or UDP ports or ICMP types and codes

    3. Number of packets and number of bytes transmitted in the session

    4. Timestamps for the start and end of the session.
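    The following is an added example, not part of the original document or any NBA product, showing how the four flow
    fields above are enough to flag two of the behaviors named earlier: a client host that starts accepting connections
    from other systems (policy violation) and a source that fans out tiny flows to many hosts on one port (worm-style
    propagation). The CSV layout, sample records and thresholds are constructed assumptions, not a NetFlow or sFlow wire format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample flow records (not real traffic), one flow per line, with the
# fields the text lists: endpoints, ports, packet and byte counts, start/end times.
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,src_port,dst_port,packets,bytes,start,end
10.0.1.20,10.0.2.5,tcp,51000,443,12,5400,10:00:00,10:00:03
10.0.1.21,10.0.1.20,tcp,40001,8080,8,2100,10:00:10,10:00:11
10.0.1.22,10.0.1.20,tcp,40002,8080,6,1800,10:00:12,10:00:13
10.0.1.23,10.0.1.20,tcp,40003,8080,7,1900,10:00:14,10:00:15
10.0.1.40,10.0.3.1,tcp,33001,445,1,60,10:01:00,10:01:00
10.0.1.40,10.0.3.2,tcp,33002,445,1,60,10:01:00,10:01:00
10.0.1.40,10.0.3.3,tcp,33003,445,1,60,10:01:01,10:01:01
10.0.1.40,10.0.3.4,tcp,33004,445,1,60,10:01:01,10:01:01
"""

def parse_flows(text):
    """Parse CSV flow records into dicts; ports and counters become ints."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        for k in ("src_port", "dst_port", "packets", "bytes"):
            r[k] = int(r[k])
    return rows

def unexpected_servers(flows, known_servers, min_clients=3):
    """Hosts outside known_servers that accept flows on one port from at least
    min_clients distinct sources: the 'client offering a service' policy case."""
    clients = defaultdict(set)  # (dst_ip, proto, dst_port) -> distinct src_ips
    for f in flows:
        clients[(f["dst_ip"], f["proto"], f["dst_port"])].add(f["src_ip"])
    return sorted((ip, proto, port, len(srcs)) for (ip, proto, port), srcs
                  in clients.items() if ip not in known_servers and len(srcs) >= min_clients)

def scanning_sources(flows, min_targets=4, max_packets=2):
    """Sources sending tiny flows (<= max_packets) to at least min_targets distinct
    hosts on the same port: the fan-out shape of worm-style propagation."""
    targets = defaultdict(set)  # (src_ip, proto, dst_port) -> distinct dst_ips
    for f in flows:
        if f["packets"] <= max_packets:
            targets[(f["src_ip"], f["proto"], f["dst_port"])].add(f["dst_ip"])
    return sorted((ip, proto, port, len(dsts)) for (ip, proto, port), dsts
                  in targets.items() if len(dsts) >= min_targets)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("unexpected servers:", unexpected_servers(flows, {"10.0.2.5"}))  # 10.0.1.20 on tcp/8080
    print("scanning sources:", scanning_sources(flows))  # 10.0.1.40 fanning out on tcp/445
```

    In practice the thresholds are tuned per site and the known-server list comes from an asset inventory; flow records
    without packet and byte counts still support the first check, while the second relies on them to separate probes from real sessions.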