Why would you need Network Behavior Analysis once you have deployed flow collector and traffic reporting? Well, there are scenarios where automatic anomaly detection goes far beyond capabilities of flow collectors. Are you using Flowmon Monitoring Center and still don’t have Flowmon ADS? Find out in 7 minutes how you can extend your Flowmon deployment with Network Behavior Analysis module.
Flowmon Monitoring Center (FMC) provide useful information about volume of network traffic and its structure. FMC allows us to work with statistics, charts and reports and drill-down to any particular traffic of our interest.
In cases of attacks or scans, we need to find out incident originator and additional event information. This can be achieved manually using Flowmon Monitoring Center, but it is time consuming process. Moreover, due to a nature of some attacks or security incidents, we cannot detect all existing threats using FMC.
We developed software module extension called Flowmon ADS (Anomaly Detection System) to address this problems. Flowmon ADS automatically detects network incidents, traffic anomalies, provides with reports and events details and thus significantly improves network security. Using artificial intelligence and data from Flowmon Probes and Collectors it is possible to detect various types of attacks, malware activities, configuration issues or policy violations.
Video above shows how you can use FMC to detect security incidents. Selecting time interval in Analysis, setting aggregation by source IP address and listing flows using specific filter (“flags S and not flags PURFA”) you can see potential port scans. You can also detect SSH attack using Top N statistics by any ports and using filter “port 22”.
Figure 1: SSH dictionary attack detection using FMC.
In Flowmon ADS you immediately see automatically detected security incidents. You are provided with information about originator of incident, targets, event details and event evidence (flows, based on which event was detected). Flowmon ADS gives you additional information about attack – for example in case of port scanning, it will show you type of scanning (horizontal, vertical or chaotic) or in case of SSH attack, it will show you probability of success. Moreover, Flowmon ADS will help you detect security incidents, which cannot be detected using only FMC – for example communication with blacklisted IP addresses or users hiding their network activities using TOR anonymizers.
Figure 2: SSH dictionary attack detection using Flowmon ADS.
Flowmon ADS detects and reports on malicious activities in real-time. Thanks to utilizing artificial intelligence Flowmon ADS extends Flowmon Probe and Collector capabilities and is able to detect and report advanced threats and network anomalies. Using Flowmon ADS you can improve network management and security.
Do you want to try Flowmon Monitoring Center and Flowmon ADS yourself? Check out our live demo or download free trial.