Network Anomaly Detection rules help detect traffic anomalies that cannot be distinguished from normal device activity at the network level. To detect them, the application analyzes the protocol attributes received in registered network sessions. A Network Anomaly Detection rule is triggered if the attributes, attribute values, and/or patterns described in the rule are found. When a rule is triggered, Kaspersky Industrial CyberSecurity for Networks registers an event.
Protocol attributes are the various characteristics of traffic in network sessions. They are stored in a separate database on the Kaspersky Industrial CyberSecurity for Networks Server; this database provides high-speed processing of both incoming data and requests to analyze it. To keep rule-based analysis from loading the DBMS and the application as a whole, attribute search queries are written and executed in SQL. You can write the SQL queries in the rules yourself or use rule templates with ready-made SQL queries.
Network Anomaly Detection rule-based analysis is supported for attributes of the following protocols:
The application saves protocol attributes in the database only while the method for getting attributes of protocols is enabled. You can enable and disable this method. It also requires the Network Session Detection method to be enabled. Both methods must be enabled on all nodes with installed application components from which information is received.
A rule-based search for network anomalies is performed among the protocol attributes received in the database during a specific time interval. The duration of this interval is defined for each rule by the Search depth parameter and is counted back from the end boundary of the interval. Depending on how the rule is started, the end boundary of the interval is defined as follows:
To quickly configure the settings of the created Network Anomaly Detection rules, you can use the built-in rule templates. These templates are provided by Kaspersky. A list of templates that are built into the application is available immediately after installing the application. You can update the list of built-in templates by installing updates.
If no built-in template is selected when creating a rule, all rule settings must be configured manually, including the SQL query that searches for protocol attributes in the database. In this case, User-defined is displayed as the template used for the rule. The same template is displayed if you select a built-in template and then change the settings that define the operating logic of that template, namely the SQL query text or the main event registration settings. Changing other settings of the rule (for example, the automatic scheduled start settings or the threshold values in the variables of the SQL query) preserves the link between the rule and the selected built-in template, as long as the template values in the rule are not unlocked.
The maximum number of network anomaly detection rules is 200.
Network Anomaly Detection rules can be enabled or disabled. If a rule is disabled, the application does not start it according to the configured schedule, and the rule cannot be started manually.
You can manage Network Anomaly Detection rules under Detection rules → Network Anomaly Detection. If you need to use dictionary values (for example, lists of IP addresses) for variables in SQL queries, you can create dictionaries with the necessary data under Settings → Dictionaries.
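The following added example (not code from Kaspersky Industrial CyberSecurity for Networks) shows how the pieces described above fit together: a rule's SQL query with a threshold variable, a dictionary of IP addresses bound into that query, and the search interval derived by counting the Search depth back from the end boundary. The attribute table, its column names, the rule layout and the sample rows are all hypothetical stand-ins; the real Server database schema is not documented on this page. An in-memory SQLite database is used so the example runs offline.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed sample rows standing in for the protocol attributes that the Server
# stores per registered network session. The column layout is hypothetical; it is
# not the application's real database schema.
SAMPLE_ROWS = [
    # (session_end, src_ip, dst_ip, protocol, attribute, value)
    ("2024-05-01T09:57:00", "10.0.0.7", "10.0.1.25", "modbus", "function_code", "6"),   # before interval
    ("2024-05-01T09:58:30", "10.0.0.5", "10.0.1.20", "modbus", "function_code", "3"),   # read only
    ("2024-05-01T10:01:00", "10.0.0.7", "10.0.1.20", "modbus", "function_code", "6"),
    ("2024-05-01T10:02:30", "10.0.0.7", "10.0.1.21", "modbus", "function_code", "6"),
    ("2024-05-01T10:03:00", "10.0.0.7", "10.0.1.22", "modbus", "function_code", "16"),
    ("2024-05-01T10:03:30", "10.0.0.9", "10.0.1.20", "modbus", "function_code", "6"),
    ("2024-05-01T10:04:00", "10.0.0.9", "10.0.1.21", "modbus", "function_code", "6"),
    ("2024-05-01T10:04:30", "10.0.0.9", "10.0.1.22", "modbus", "function_code", "16"),
    ("2024-05-01T10:05:00", "10.0.0.9", "10.0.1.23", "modbus", "function_code", "16"),
    ("2024-05-01T10:07:00", "10.0.0.7", "10.0.1.23", "modbus", "function_code", "6"),
    ("2024-05-01T10:20:00", "10.0.0.7", "10.0.1.24", "modbus", "function_code", "6"),   # after interval
]

# Hypothetical rule: one source host writing (Modbus function codes 6/16) to more
# than :threshold distinct targets within the search depth, ignoring hosts listed
# in the "engineering_stations" dictionary. {engineering_stations} is expanded
# into bound parameters below; :threshold is a rule variable.
RULE = {
    "name": "Modbus write fan-out",
    "search_depth": timedelta(minutes=10),
    "variables": {"threshold": 3},
    "dictionaries": {"engineering_stations": ["10.0.0.9"]},
    "query": """
        SELECT src_ip, COUNT(DISTINCT dst_ip) AS targets
        FROM protocol_attributes
        WHERE protocol = 'modbus'
          AND attribute = 'function_code'
          AND value IN ('6', '16')
          AND session_end > :interval_start
          AND session_end <= :interval_end
          AND src_ip NOT IN ({engineering_stations})
        GROUP BY src_ip
        HAVING COUNT(DISTINCT dst_ip) > :threshold
    """,
}

EVENT_TYPE_CODE = 4000003003  # system event type registered when a rule triggers


def load_attributes(rows):
    """Create the hypothetical attribute table in memory and fill it with rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE protocol_attributes (session_end TEXT, src_ip TEXT, "
        "dst_ip TEXT, protocol TEXT, attribute TEXT, value TEXT)"
    )
    conn.executemany("INSERT INTO protocol_attributes VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def expand_dictionaries(query, dictionaries):
    """Replace each {name} placeholder with one named parameter per dictionary entry,
    so dictionary values are bound by the driver rather than spliced into SQL text."""
    params = {}
    for name, values in dictionaries.items():
        keys = [f"dict_{name}_{i}" for i in range(len(values))]
        params.update(zip(keys, values))
        # An empty dictionary must not produce "NOT IN ()"; an empty subquery keeps
        # the NOT IN test true for every row.
        expansion = ", ".join(":" + k for k in keys) if keys else "SELECT NULL WHERE 0"
        query = query.replace("{" + name + "}", expansion)
    return query, params


def evaluate_rule(conn, rule, end_boundary):
    """Run one rule over (end_boundary - search_depth, end_boundary] and return the
    events it would register, one per matching row of the rule's query."""
    start = end_boundary - rule["search_depth"]
    query, params = expand_dictionaries(rule["query"], rule["dictionaries"])
    params.update(rule["variables"])
    params["interval_start"] = start.isoformat(timespec="seconds")
    params["interval_end"] = end_boundary.isoformat(timespec="seconds")
    return [
        {"type_code": EVENT_TYPE_CODE, "rule": rule["name"], "src_ip": src,
         "targets": n, "interval": (params["interval_start"], params["interval_end"])}
        for src, n in conn.execute(query, params).fetchall()
    ]


if __name__ == "__main__":
    conn = load_attributes(SAMPLE_ROWS)
    # End boundary supplied by the caller (for example, the scheduled start time).
    for event in evaluate_rule(conn, RULE, datetime(2024, 5, 1, 10, 8)):
        print(event)
```

With the end boundary at 10:08 and a 10-minute search depth, only 10.0.0.7 triggers (four distinct write targets; the 09:57 and 10:20 sessions fall outside the interval, and 10.0.0.9 is excluded by the dictionary). Shrinking the search depth to 3 minutes, or raising the threshold variable to 4, produces no event, which is the kind of adjustment the text describes as keeping the link to a built-in template intact.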
When a Network Anomaly Detection rule is triggered, an event is registered using the system event type with code 4000003003.