Anomalous denied traffic detection

Goal

Looks for an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic usually indicates either a misconfigured application or firewall, or suspicious or malicious activity. Failed attempts to reach command-and-control (C2) infrastructure or to exfiltrate data may produce a burst of rejected connections, as may unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods can also produce such a surge.

Description

This detection is based on a deep learning model that predicts the volume of denied traffic expected in each interval and compares it with the observed value.

If the deviation is large enough, it produces an alert.

Characteristics

Name
Anomalous denied traffic detection

Data involved

Firewall denied events

Alert Generation

It produces an alert every time the observed denied traffic deviates from the expected traffic by a large enough margin.

Raw outputs of the model

A float value containing the model's estimate of the denied traffic expected for the current interval.
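The detection flow described under Description and Alert Generation, as an added example that is not part of this page or the product: denied events are counted per interval, each interval is compared with a per-interval forecast, and a large deviation raises an alert. The log line layout and the forecast (an exponentially weighted moving average standing in for the deep learning predictor) are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample firewall log lines (not real data); the field layout is an assumption.
SAMPLE_LOGS = """\
2024-05-01T10:00:05Z action=DENY src=10.0.0.5 dst=203.0.113.9 dport=443
2024-05-01T10:00:17Z action=ALLOW src=10.0.0.6 dst=203.0.113.9 dport=443
2024-05-01T10:00:42Z action=DENY src=10.0.0.5 dst=203.0.113.10 dport=22
2024-05-01T10:01:03Z action=DENY src=10.0.0.7 dst=198.51.100.4 dport=445
""".splitlines()

LINE_RE = re.compile(r"^(\S+) action=(\w+) ")


def denied_per_interval(lines, interval_s=60):
    """Count DENY events per fixed interval, returning a gap-free list ordered by time."""
    counts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(2) != "DENY":
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        bucket = int(ts.timestamp()) // interval_s
        counts[bucket] = counts.get(bucket, 0) + 1
    if not counts:
        return []
    return [counts.get(b, 0) for b in range(min(counts), max(counts) + 1)]


def detect_spikes(series, alpha=0.5, threshold=2.0, min_count=50):
    """Compare each interval's denied count with a forecast and alert on large deviations.

    The forecast is an EWMA standing in for the page's deep learning predictor (assumption).
    An interval alerts when (actual - expected) / expected exceeds `threshold` and the count
    is at least `min_count`, so a tiny baseline cannot trigger on a handful of events.
    Alerting intervals are not fed back into the forecast, so a burst does not become the new normal.
    """
    alerts = []
    expected = None
    for i, actual in enumerate(series):
        if expected is None:  # first interval: nothing to compare against yet
            expected = float(actual)
            continue
        deviation = (actual - expected) / expected if expected > 0 else float("inf")
        if actual >= min_count and deviation > threshold:
            alerts.append({"interval": i, "actual": actual, "expected": expected,
                           "deviation": round(deviation, 2)})
            continue
        expected = alpha * actual + (1 - alpha) * expected
    return alerts


if __name__ == "__main__":
    print(denied_per_interval(SAMPLE_LOGS))  # [2, 1]
    # Constructed per-minute denied counts with one burst in interval 7.
    print(detect_spikes([40, 44, 38, 42, 41, 39, 43, 400, 45, 41]))
```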
