Beginning Anomaly Detection Using

310

attacks is a denial of service (DOS) attack. When a denial of service attack is launched 

against your company’s website or portal so as to disrupt service to your customers, 

typically a large number of machines are mobilized to run simultaneous connections and 

random useless transactions against your portal (which is probably dealing with some 

kind of a payment service for customers). As a result, the portal isn’t responsive to the 

customers, eventually leading to very poor customer experience and a loss of business.

Anomaly detection can detect the anomalous activity since we’re training the system 

on data that has been collected for a long period of time. This data is comprised of 

typical use behavior, patterns in payment, how many users are active, and how much 

the payment is at this particular time, as well as seasonal behaviors and other trends 

that exist for the payment portal. When a DOS attack is suddenly launched against your 

payment portal, it is very possible for your anomaly detection algorithm to detect such 

activity and quickly notify the infrastructure or operational teams who can take corrective 

action such as setting up different firewall rules or better routing rules that attempt to 

block the anomalous or bad actors from launching the attack or prolonging the attack 

against the portal. Figure 

8-13

 is example of anomaly monitoring network flows.

Another example is when hackers try to get into a system given that they were 

somehow able to set up a Trojan to get into the network in the first place. Typically, this 

process involves a lot of scanning, such as port or IP scanning, to see what machines exist 

in the network when the services are being run. The machines may be running SSH and 

telnet (which is easier to crack), and the hacker may try to launch several different types 

Download 26,57 Mb.

Do'stlaringiz bilan baham: