A network behavior analysis (NBA) system examines network traffic or statistics on
network traffic to identify unusual traffic flows, such as distributed denial
of service (DDoS) attacks, certain forms of malware (e.g., worms, backdoors),
and policy violations (e.g., a client system providing network services to
other systems). This section provides a detailed discussion of NBA
technologies. First, it covers the major components of the NBA technologies and
explains the architectures typically used for deploying the components. It also
examines the security capabilities of the technologies in depth, including the
methodologies they use to identify suspicious activity. The rest of the section
discusses the management capabilities of the technologies, including
recommendations for implementation and operation.
Components and Architecture
This section describes the major components of typical NBA solutions and illustrates the most common network architectures for these components. It also provides recommendations for the placement of certain components.
NBA solutions usually have sensors and consoles, with some products also offering management servers (which are sometimes called analyzers). NBA sensors are usually available only as appliances. Some sensors are similar to network-based IDPS sensors in that they sniff packets to monitor network activity on one or a few network segments. Other NBA sensors do not monitor the networks directly, but instead rely on network flow information provided by routers and other networking devices. A flow refers to a particular communication session occurring between hosts. There are many standards for flow data formats, including NetFlow and sFlow. Typical flow data particularly relevant to intrusion detection and prevention includes the following:
1. Source and destination IP addresses
2. Source and destination TCP or UDP ports or ICMP types and codes
3. Number of packets and number of bytes transmitted in the session
4. Timestamps for the start and end of the session.
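The fields listed above are enough to catch the two kinds of activity named at the start of this section without ever seeing a packet payload. The following is an added example, not code from the original document or from any NBA product: it parses constructed NetFlow-like records (the CSV layout, the addresses, the "client" subnet 10.1.0.0/16 and the thresholds are all assumptions for illustration) and applies two flow-only heuristics: a host in the client subnet accepting sessions on one port from several distinct peers (a client providing network services to other systems), and a source opening many tiny sessions to different destinations on the same port (worm-style scanning). Because flow data carries no payload, this is also exactly where the technique stops: it can say that 10.1.1.20 is serving SSH to three peers, but not what was typed over those sessions.

```python
"""Added example of NBA-style analysis over flow records (not from the source text).
The records, the client subnet and the thresholds below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed flow records in a NetFlow-like CSV layout; one record = one session
# initiated by src_ip. Fields mirror the list in the text: addresses, protocol
# and ports, packet and byte counts, and start/end timestamps (epoch seconds).
SAMPLE_FLOWS = """\
# src_ip,dst_ip,proto,src_port,dst_port,packets,bytes,start,end
10.1.1.5,10.2.0.10,6,51000,443,12,4800,1700000000,1700000002
10.1.1.6,10.2.0.10,6,51001,443,9,3900,1700000001,1700000003
10.1.1.7,10.1.1.20,6,52000,22,30,6100,1700000010,1700000040
10.1.1.8,10.1.1.20,6,52001,22,25,5300,1700000012,1700000050
10.1.1.9,10.1.1.20,6,52002,22,28,5900,1700000015,1700000055
10.1.1.42,10.2.0.1,6,40001,445,1,60,1700000100,1700000100
10.1.1.42,10.2.0.2,6,40002,445,1,60,1700000100,1700000100
10.1.1.42,10.2.0.3,6,40003,445,1,60,1700000100,1700000100
10.1.1.42,10.2.0.4,6,40004,445,1,60,1700000100,1700000100
10.1.1.42,10.2.0.5,6,40005,445,1,60,1700000100,1700000100
10.1.1.42,10.2.0.6,6,40006,445,1,60,1700000101,1700000101
"""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    src_port: int   # for ICMP a collector would carry type/code here instead
    dst_port: int
    packets: int
    bytes: int
    start: int
    end: int


def parse_flows(text):
    """Parse the CSV layout above into Flow objects, skipping comments/blank lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 9:
            raise ValueError(f"malformed flow record: {line!r}")
        flows.append(Flow(fields[0], fields[1], *map(int, fields[2:])))
    return flows


def find_rogue_servers(flows, client_net, min_clients=3):
    """Policy violation: a host inside client_net that is the *destination* of
    sessions on one (proto, port) from at least min_clients distinct peers is
    acting as a server. Returns sorted (dst_ip, proto, dst_port, peer_count)."""
    net = ip_network(client_net)
    peers = defaultdict(set)
    for fl in flows:
        if ip_address(fl.dst_ip) in net:
            peers[(fl.dst_ip, fl.proto, fl.dst_port)].add(fl.src_ip)
    return sorted((ip, proto, port, len(s))
                  for (ip, proto, port), s in peers.items() if len(s) >= min_clients)


def find_scanners(flows, min_targets=5, max_packets=2):
    """Worm/scan behaviour: one source opening sessions of at most max_packets
    packets to at least min_targets distinct destinations on the same port.
    Returns sorted (src_ip, proto, dst_port, target_count)."""
    targets = defaultdict(set)
    for fl in flows:
        if fl.packets <= max_packets:
            targets[(fl.src_ip, fl.proto, fl.dst_port)].add(fl.dst_ip)
    return sorted((ip, proto, port, len(s))
                  for (ip, proto, port), s in targets.items() if len(s) >= min_targets)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for ip, proto, port, n in find_rogue_servers(flows, "10.1.0.0/16"):
        print(f"client {ip} is serving proto {proto} port {port} to {n} peers")
    for ip, proto, port, n in find_scanners(flows):
        print(f"{ip} opened tiny sessions to {n} hosts on proto {proto} port {port}")
```

The thresholds are the part a deployment has to tune: a legitimate peer-to-peer tool or a management jump host will trip the server heuristic, and a monitoring system that polls many hosts on one port will trip the scan heuristic, so in practice both are compared against a learned baseline for each host rather than fixed numbers. Note also that the server check deliberately looks only at sessions where the client host is the destination; its own outbound connections to real servers never count against it.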