Network Anomaly Detection rules help detect traffic anomalies that may be indistinguishable from normal device activity at the network level. To detect such anomalies, the application analyzes the protocol attributes received in registered network sessions. A Network Anomaly Detection rule is triggered if any attributes, their values and/or patterns described in the rule are found. When a rule is triggered, Kaspersky Anti Targeted Attack Platform registers an event.
Protocol attributes consist of various characteristics of traffic in network sessions. These attributes are saved in a separate database on the Kaspersky Anti Targeted Attack Platform Server. The database used to store the attributes of protocols provides high-speed processing of both incoming data and requests for their analysis. To ensure that rule-based analysis has minimal impact on the DBMS and on the overall performance of the application, attribute search queries are executed in SQL. You can generate the necessary SQL queries in the rules yourself or use rule templates with ready-made SQL queries.
Network Anomaly Detection rule-based analysis is supported for attributes of the following protocols:
The application saves protocol attributes in the database when using the method for getting attributes of protocols. You can enable or disable the method. To use the method for getting attributes of protocols, the Network Session Detection method must also be enabled. Both of these methods must be enabled on all nodes with installed application components from which information is received.
A rule-based search for network anomalies is performed among the protocol attributes received in the database during specific time intervals. The length of the time interval for each rule is set by the Search depth setting. The duration is counted from the moment of the end boundary of the interval. Depending on how the rule is started, the time of the end boundary of the interval can be defined as follows:
To quickly configure the settings of the created Network Anomaly Detection rules, you can use the built-in rule templates. These templates are provided by Kaspersky. A list of templates that are built into the application is available immediately after installing the application. You can update the list of built-in templates by installing updates.
If a built-in template is not selected when creating a rule, all rule settings must be configured manually, including the SQL query that searches for protocol attributes in the database. In this case, User-defined is displayed as the template used for the rule. The same template is displayed if you selected a built-in template and then changed the settings that define its operating logic, namely the SQL query text or the main event registration settings. If you change other settings of the rule (for example, the automatic scheduled start settings or the threshold values in the variables of the SQL query) without unlocking all of the template values in the rule, the link between the rule and the selected built-in template is preserved.
The maximum number of network anomaly detection rules is 200.
Network Anomaly Detection rules can be enabled or disabled. If a rule is disabled, the application does not start it according to the configured schedule, and the rule cannot be started manually.
You can manage the network anomaly detection rules in the Intrusion detection section, Network Anomaly Detection subsection. If you need to use dictionary values (for example, lists of IP addresses) for variables in SQL queries, you can create dictionaries with the necessary data in the Settings, Dictionaries section.
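The following is an added illustration of how a rule-based search works against an attribute database: a fixed search depth counted back from the end boundary of the interval, a threshold variable in the SQL query, and a dictionary of IP addresses used to exclude known hosts. It is not code from Kaspersky Anti Targeted Attack Platform, and the table layout (protocol_attributes, dict_trusted_hosts and their columns), the sample rows and the rule logic are all constructed for this example; the real attribute database schema is not described on this page.

```python
import sqlite3
from datetime import datetime, timedelta

# Hypothetical schema, constructed for this example only.
SCHEMA = """
CREATE TABLE protocol_attributes (
    session_id INTEGER,
    ts         TEXT,     -- time the attribute was recorded, ISO 8601 (UTC)
    protocol   TEXT,
    src_ip     TEXT,
    dst_ip     TEXT,
    dst_port   INTEGER
);
CREATE TABLE dict_trusted_hosts (  -- stands in for a dictionary of IP addresses
    ip TEXT
);
"""

# Constructed sample data. End boundary of the analysed interval is 12:00:00.
WINDOW_END = datetime(2024, 1, 1, 12, 0, 0)

SAMPLE_ATTRIBUTES = [
    # one source touching many ports shortly before the end boundary
    (1, "2024-01-01T11:50:00", "tcp", "10.0.0.5", "10.0.1.1", 22),
    (2, "2024-01-01T11:50:05", "tcp", "10.0.0.5", "10.0.1.1", 80),
    (3, "2024-01-01T11:50:10", "tcp", "10.0.0.5", "10.0.1.1", 443),
    (4, "2024-01-01T11:50:15", "tcp", "10.0.0.5", "10.0.1.1", 3389),
    (5, "2024-01-01T11:50:20", "tcp", "10.0.0.5", "10.0.1.1", 8080),
    # an earlier session from the same source, outside a 15-minute search depth
    (6, "2024-01-01T11:30:00", "tcp", "10.0.0.5", "10.0.1.1", 21),
    # a host listed in the dictionary, excluded from the rule
    (7, "2024-01-01T11:55:00", "tcp", "10.0.0.9", "10.0.1.1", 22),
    (8, "2024-01-01T11:55:01", "tcp", "10.0.0.9", "10.0.1.1", 80),
    (9, "2024-01-01T11:55:02", "tcp", "10.0.0.9", "10.0.1.1", 443),
    (10, "2024-01-01T11:55:03", "tcp", "10.0.0.9", "10.0.1.1", 445),
    (11, "2024-01-01T11:55:04", "tcp", "10.0.0.9", "10.0.1.1", 3389),
    (12, "2024-01-01T11:55:05", "tcp", "10.0.0.9", "10.0.1.1", 8080),
    # normal repeated traffic to a single port, below any threshold
    (13, "2024-01-01T11:58:00", "tcp", "10.0.0.7", "10.0.1.2", 443),
    (14, "2024-01-01T11:58:30", "tcp", "10.0.0.7", "10.0.1.2", 443),
    (15, "2024-01-01T11:59:00", "tcp", "10.0.0.7", "10.0.1.2", 443),
]
TRUSTED_HOSTS = [("10.0.0.9",)]

# Rule query in the spirit of a rule's SQL text: the search depth and the
# threshold are passed as named variables rather than hard-coded.
RULE_SQL = """
SELECT src_ip, COUNT(DISTINCT dst_port) AS distinct_ports
FROM protocol_attributes
WHERE ts > :window_start AND ts <= :window_end
  AND protocol = 'tcp'
  AND src_ip NOT IN (SELECT ip FROM dict_trusted_hosts)
GROUP BY src_ip
HAVING COUNT(DISTINCT dst_port) >= :threshold
ORDER BY src_ip
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database filled with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO protocol_attributes VALUES (?, ?, ?, ?, ?, ?)",
                     SAMPLE_ATTRIBUTES)
    conn.executemany("INSERT INTO dict_trusted_hosts VALUES (?)", TRUSTED_HOSTS)
    conn.commit()
    return conn


def run_rule(conn: sqlite3.Connection, window_end: datetime,
             search_depth_minutes: int, threshold: int) -> list:
    """Evaluate the rule over the interval (window_end - depth, window_end].

    The search depth is counted back from the end boundary, as described
    for the Search depth setting. Returns (src_ip, distinct_ports) rows
    that exceed the threshold; a non-empty result would register an event.
    """
    window_start = window_end - timedelta(minutes=search_depth_minutes)
    params = {
        "window_start": window_start.isoformat(),
        "window_end": window_end.isoformat(),
        "threshold": threshold,
    }
    return [tuple(row) for row in conn.execute(RULE_SQL, params)]


if __name__ == "__main__":
    db = build_sample_db()
    # Same threshold, different search depth: the earlier session only counts
    # when the interval reaches back far enough to include it.
    print(run_rule(db, WINDOW_END, 15, 5))   # [('10.0.0.5', 5)]
    print(run_rule(db, WINDOW_END, 15, 6))   # []
    print(run_rule(db, WINDOW_END, 60, 6))   # [('10.0.0.5', 6)]
```

Moving the depth and threshold into query variables is what lets a rule derived from a template keep its link to the template while the thresholds are tuned, and the dictionary subquery is the place where an address list maintained in Settings, Dictionaries would be consumed instead of being pasted into the query text.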
When a Network Anomaly Detection rule is triggered, an event is registered using a system event type, which is assigned the code 4000003003.
Events in traffic and network sessions are not rotated synchronously. Because of this, when drilling down from an event in traffic to the list of network sessions, this list may be empty.
Users with the Senior security officer role can manage network anomaly detection rules. Users with the Security auditor role can view rules and dictionaries.