Comprehensive user manual for NetFlow Auditor Standard and Enterprise Editions.

Forensics: 7. Creating Anomaly Detection Baseline Alerts

A Traffic analysis in Forensics can be saved as an Intelligent Baseline Network Behavior Anomaly Detection Alert. (Baseline Alert or IB-NBAD)

Where a traffic analysis already has measurement or time fields in the Criteria in the Dimensions the analysis cannot be saved as an alert.

Two main processes occur for each Anomaly Detection Baseline Alert.

  • Learning
    Continually builds per minute baseline statistics of all measurements - Bytes, bps, Packets, pps, Flows, Packet-Size, Count and TcpFlags for each statistical computation ie Sum, Average, Standard Deviation, Minimum and Maximum

    The learning processes calculate the latest statistics for each Anomaly Detection Baseline and merges them hourly with previously learned data for each corresponding hour per weekday period.

  • Alerting
    The alerting processes compare the current traffic against the learned statistics for each Anomaly Detection Baseline.

    The alerting schedule is checked by default in 5 minutes intervals for each of the last 5 minutes. The minimum interval is 1 minute.

The "Forensics Template / Report / Alert" screen controls the setup of an Anomaly Detection and includes both learning and alerting schedule parameters.

Creating a new Anomaly Detection Alert

Two methods are available to create an Anomaly Detection: Single Item - Single Click, or Saving a Baseline Alert from Custom Forensics or Forensics Analysis.

Single Item - Single Click
Clicking on an item in a flow-field configuration screen and pressing the Anomaly Detection button will bring you into the "Forensics Template / Report / Alert" screen from where you can either save-and-go or choose to extend by tuning the filter at anytime

The Anomaly Detection button is available from any of the Configuration screens; Device Group, Device, Interface Group, Interface, MPLS, Business Groups, Account, CostCentre, IPv4 and IPv6, IP Range, IP Allocation, IP Domain, IP Country Blocks, ASN, Applications, Protocol, Known Service Port, All Ports, QoS, Tos, Tos Precedence, PHB, PHB Class






Saving a Baseline Alert from Custom Forensics or Forensics Analysis
Click on the top toolbar "Save" button in a "Forensics" or a "Custom Forensics" screen provides a method of reaching the Baseline Alert screen thats suits more complex baselines made up of multiple criteria and multiple dimensions.





The Forensics Template/Report/Alert Screen

The Anomaly Detection Baseline Alerting Parameters: includes Detection Header Information, "Definition", "Schedule", "Alert Action", "Delivery" and "Baseline Alert Criteria"



Command Buttons

  • Save New - Save as a new Baseline Alert. Where the Baseline Alert is based on an existing Baseline Alert, Schedule Report or a Template the original one will not be changed.
  • Save Back - Save back to the original baseline alert after modifying some options.
  • Report - Go back to Forensics screen to check or adjust the baseline alert traffic options in "Forensics".
  • Filter - Go back to "Custom Forensics" to adjust the baseline alert traffic options in "Forensics".
  • Suspend - Suspend this baseline alert.
  • Resume - Recover checking this baseline alert.
  • Cancel - Go back to the previous page.
  • Delete - Delete this baseline alert as well as the learned baseline data if it exists.

Saving back a baseline alert will clean all learned baseline data if changes have been made to the criteria or dimensions of the defined traffic.


Title
Name of the Anomaly Detection Baseline Alert.

Description
Additional information for the Baseline Alert.

Report Type
Choose "Baseline Alert" Report Type to configure the Baseline Anomaly Detection .
Other available options allow you to save this report as a Template, a Scheduled Report, a Threshold Alert or an Intelligent Baseline Anomaly Detection Alert.

Category
The category is fixed as "Baseline Alert".

Add Link
Enabling the "Add Link" option will add an icon to the generated Baseline Alert. The icon provides a click back link to the "Forensics" screen from the generated Baseline Alert.



In order for the click back to function correctly the server must be correctly configured in the "Site Configuration" screen under "Administrator" in the "Configuration" panel.



Data Period
Data Period is set to Schedule Frequency - Baseline Alert is checked each interval.

Definition
The following options in "Custom Forensics" and "Forensics" Filter tab can be overwritten here.
  • "Aggregated Data",
  • "Report Layout",
  • "Bidirectional Reverse Criteria" and
  • "Duplication"

Schedule From
Defines the alerting schedule instance checking start time point.

Schedule To
Defines the alerting schedule instance checking end time point.
Available if "Run Indefinitely" is un-ticked.

Run Indefinitely
The alerting schedule instance will be active indefinitely if it is ticked on.

Wait for Delayed
When the Baseline Alert includes multiple devices/exporters (routers or switches), the Baseline Alert will be delayed to run until all active device data has reached the scheduled time points. This is to ensure that alerts maintain integrity when dependent on multiple inputs.

Priority
Defines the priority of the alerting schedule.

Alert Category
Defines a category for the alert.

The alert category can be added in "Alert Category" screen, which can be entered by clicking the left menu "Category" under the Alert Administration in the "My Analytics" panel.

on No Data
Send an alert when there is no data for the defined traffic by "Forensics" if it is ticked on.

Alerting Level
Controls the sending of alerts to Email, Report Repositories and SNMP Traps and only sends those alerts above and including the Alerting Level when Anomaly Detection thresholds are breached.
  • Critical - Alert on critical events.
  • Warning - Alert on warning and critical events.
  • Information - Alert on information,warning and critical events.

Information and warning events will still show in the screen when Critical alerting level is selected and Information events will still show in the screen when Warning alerting level is selected.


over N Defined Event(s) and With M minutes
Controls the sending of alerts to Email, Report Repositories and SNMP Traps and only sends those alerts where the learned baseline threshold is breached N times within the defined M minutes period.

All events will still be shown in the Alert screen


Baseline Anomaly Detections produce few False Positives but this option can help to fine tune some alerting.

Delivery
The Anomaly Detection Baseline Alert can be sent to one or more email addresses, the Report Repository or an SNMP Trap Server.

The SMTP server and its service port, sender address and subject must be configured properly to allow send schedule report.



The Anomaly Detection Baseline Alert can be sent to an SNMP trap server.

The SNMP trap server and its relative information must be configured properly in "Site Configuration" screen.



The SNMP Trap codes are defined in the "SNMP Trap Code" screen.



The Anomaly Detection Baseline Alert can be specified to save to a directory in the Report Repository with each scheduled time stamp as the report name affix or copied to a specified report name in the report repository for viewing or to enable other applications to refer to the automatically refreshed file.

Delivery to "Directory" and "File" have 3 shared attribute options.
  • Private - only allows the report Owner and Administrator to browse the alert in the Report Repository.
  • Shared - allows any user who is logged into NetFlow Auditor to browse the alert.
  • Public - allows anyone to browse the given alert using a specified URL without being logged into NetFlow Auditor.

Baseline Alert Criteria

The criteria of an Anomaly Detection Baseline Alert can be based on any one or more measurements, Bytes, bps, Packets, pps, Flows, Packet-Size, Count and TcpFlags. The measurement value in the criteria is compared against the learned baseline data, instead of the absolute value.

When creating an Intelligent Baseline Network Behavior Anomaly Detection the Alert levels are pre-configured to Default Criteria to allow an easy One-Click Anomaly Detection Creation. The Default Alert criteria thresholds are the most appropriate baseline to compare against. Flexible options extend the Default Alert criteria:

Measurement> or <ThresholdStatisticAlert
bps>+100%bps MaxCritical
bps>+50%bps MaxWarning
bps>+10%bps MaxInformation
pps>+100%pps MaxCritical
pps>+50%pps MaxWarning
pps>+10%pps MaxInformation
Flows>+100%Flows MaxCritical
Flows>+50%Flows MaxWarning
Flows>+10%Flows MaxInformation
Count>+100%Count MaxCritical
Count>+50%Count MaxWarning
Count>+10%Count MaxInformation
TcpFIN>+100%TcpFIN MaxCritical
TcpFIN>+50%TcpFIN MaxWarning
TcpFIN>+10%TcpFIN MaxInformation
TcpSYN>+100%TcpSYN MaxCritical
TcpSYN>+50%TcpSYN MaxWarning
TcpSYN>+10%TcpSYN MaxInformation
TcpRST>+100%TcpRST MaxCritical
TcpRST>+50%TcpRST MaxWarning
TcpRST>+10%TcpRST MaxInformation
TcpPSH>+100%TcpPSH MaxCritical
TcpPSH>+50%TcpPSH MaxWarning
TcpPSH>+10%TcpPSH MaxInformation
TcpACK>+100%TcpACK MaxCritical
TcpACK>+50%TcpACK MaxWarning
TcpACK>+10%TcpACK MaxInformation
TcpURG>+100%TcpURG MaxCritical
TcpURG>+50%TcpURG MaxWarning
TcpURG>+10%TcpURG MaxInformation
TosCE>+100%TosCE MaxCritical
TosCE>+50%TosCE MaxWarning
TosCE>+10%TosCE MaxInformation

There are 3 threshold levels available "Information" (Green), "Warning" (Yellow) and "Critical" (Red).

The Anomaly Detection Baseline Build Learning Parameters includes "Baseline Build"

Over N Minutes Per Hour
The baseline learning schedule will calculate and merge the statistics for a hour only when there are over N minutes netflow data collected in this hour. The default is 30 minutes.

Send Alert if Exceptional Hour
A report will be sent to the recipients showing the traffic defined in the build versus the baseline that has been built as a background.

An Exceptional Hour is treated as abnormal traffic and will not be merged into the existing baseline.


Baseline learning criteria
Statistics Average, Min, Max and Standard Deviation of any measurement can be added to learning criteria.

The hour will treated as an Exceptional Hour if any one of the statistics of the current hour is ascertained to be incorrect.


Build From
Defines the learning schedule instance start time point.

Priority
Defines the priority of the learning schedule.

cron