311
of attacks that exploit the vulnerabilities of the telnet or asset service. Eventually, one of
the targeted machines will respond, and the hacker will get into the system and continue
the penetration of the internal network until they accomplish what they came for.
Typically, networks have a pattern of usage: there are database servers, web
servers, development servers, payroll systems, QA systems, and end-user-facing systems.
Usually the well-known, expected behavior is seen for a long period of time, and any
change in how the machines and the networks are used is then observed against that
long-running baseline. We can also measure the ways machines talk to each other and
via which services/ports.
Using anomaly detection, we can detect if a specific port or service on a specific
machine or machines is being connected to or transacted with at an abnormal rate,
meaning that there is some kind of intrusion activity taking place where some intruder is
trying to hack into the specific system or systems. This is extremely valuable information
to the operations team, who can quickly pull in the cybersecurity experts and try to drill
down into what is really going on and take any kind of preventive or proactive action
rather than reactive. This could be the difference between the business staying afloat
or the business shutting down (at least temporarily). There have been instances where
a single cybersecurity intrusion almost bankrupted a business, costing hundreds of
millions of dollars in damages. This is the reason why the cybersecurity domain is
very interested in deep learning, and the use cases that involve deep learning anomaly
detection are some of the top use cases in the cybersecurity and networking space in
this day and age. Figure 8-14 shows an anomaly in the number of TCP connections on
different service ports.
Figure 8-14. TCP connections over service ports
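The per-port connection-rate anomaly described above, as an added example that is not part of the book's code: each destination port gets a rolling robust baseline (median and MAD) of TCP connections per time window, and a window whose count sits far above that baseline is flagged. The ports, baseline rates, and the injected telnet burst in window 10 are constructed sample values.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: typical TCP connections per window for three service ports.
PORTS_BASELINE = {23: 5, 22: 40, 443: 800}   # telnet, ssh, https


def build_sample(windows=12):
    """Constructed telemetry rows (window, dst_port, tcp_connections).
    Port 23 (telnet) receives an injected connection burst in window 10."""
    rows = []
    for w in range(windows):
        jitter = (w * 7) % 3 - 1                  # deterministic -1/0/+1 wobble
        for port, base in PORTS_BASELINE.items():
            count = base + jitter * max(1, base // 20)
            if port == 23 and w == 10:
                count += 85                       # the abnormal burst to detect
            rows.append((w, port, count))
    return rows


def robust_baseline(counts):
    """Median and median absolute deviation, which a single spike cannot drag."""
    med = median(counts)
    mad = median(abs(c - med) for c in counts)
    return med, mad


def detect_port_anomalies(records, history=8, threshold=6.0):
    """Return (window, port, count, score) for windows whose connection count
    exceeds the port's rolling baseline by more than `threshold` robust sigmas.
    The first `history` windows of each port only seed the baseline."""
    by_port = defaultdict(list)
    for w, port, count in sorted(records):        # ordered by window, then port
        by_port[port].append((w, count))
    alerts = []
    for port, series in by_port.items():
        for i in range(history, len(series)):
            w, count = series[i]
            past = [c for _, c in series[i - history:i]]
            med, mad = robust_baseline(past)
            scale = 1.4826 * mad if mad > 0 else 1.0   # MAD -> sigma; floor for flat baselines
            score = (count - med) / scale
            if score > threshold:
                alerts.append((w, port, count, round(score, 1)))
    return alerts


SAMPLE_WINDOWS = build_sample()

if __name__ == "__main__":
    for w, port, count, score in detect_port_anomalies(SAMPLE_WINDOWS):
        print(f"window {w}: port {port} saw {count} connections (score {score})")
```

Only the telnet burst is reported; the normal wobble on ports 22 and 443 stays well under the threshold, and the burst itself does not poison later baselines because the median ignores it.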
Chapter 8 Practical Use Cases of Anomaly Detection
Not all the use cases in cybersecurity or networking are doom and gloom; anomaly
detection can also help determine whether we need to upgrade some of the systems,
whether our systems are able to sustain the traffic now and in the future, whether any
node capacity planning needs to take place to bring everything back to normal, and so
on. This is again very important for the operations team, so it can understand whether
trends that were not foreseen a year ago are now pushing the network from normal to
abnormal behavior. It is very important to know this now rather than later, when it is
too late, and to start proactively planning to deal with the traffic or transactions now
originating in our network against some specific machine or machines.