Cisco IPS: Anomaly detection Introduction

The Cisco IPS 4240 establishes a baseline (normal traffic) and uses this baseline to check for deviations from the usual traffic patterns to determine whether there is an anomaly in the network. This detection technique mainly detects worm attacks originating from one or more hosts in the network. Worms propagated by email, instant messaging and file sharing cannot be detected by anomaly detection.

Anomaly detection uses signature IDs 13000 to 13008.

Anomaly detection setting description
The anomaly detection configuration page consists of five tabs, namely Operation Settings, Learning Accept Mode, Internal Zone, Illegal Zone and External Zone. This section describes the settings on each tab; understanding these settings helps you decide how to customize anomaly detection for the Cisco IPS.

Operation Settings

Operation Settings default.


Worm timeout is the time anomaly detection waits after a worm outbreak before it continues learning the baseline of the network. The default is 10 minutes, which means learning resumes 10 minutes after the worm outbreak.

"Configure IP address ranges to ignore during AD processing" lets you specify a single IP address or a list of IP address ranges that will be excluded from baseline learning.

Learning Accept Mode

Learning Accept Mode default

There are two actions: Rotate and Save Only. Rotate saves the baseline at every learning interval and loads the newly saved baseline. Save Only saves the baseline at every learning interval but does not load it.

The learning interval is set to 24 hours, which means that every 24 hours a new baseline is saved and, with Rotate, loaded.

Internal Zone

Specify your company's IP address.

The internal zone contains your organization's network, that is, your internal private network. In this example the addresses shown are my internal network. I can make the internal zone more specific by including the three individual host addresses instead of the whole subnet, because these three hosts are the actual hosts in the internal network. To make the baseline more accurate with the fewest false positives, you should consider making the internal zone settings as specific as possible.


You can define the TCP ports that you want the IPS to watch when building the baseline.

Default threshold.

The scanner threshold is the number of hosts a single scanner may scan per minute. If the scanner threshold is exceeded, the IPS consults the threshold histogram to determine whether it is a worm attack.

The default values under the threshold histogram mean:
1. No more than 1 host can scan more than 100 hosts (HIGH); if this is violated, a worm attack is determined.

2. No more than 3 hosts can scan between 20 and 99 hosts (MEDIUM); if this is violated, a worm attack is determined.

3. No more than 10 hosts can scan between 5 and 19 hosts (LOW); if this is violated, a worm attack is determined.
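The scanner threshold and the histogram rules above, worked through as an added example (this is not Cisco's code and not from the original post). It counts how many distinct destination hosts each source scans in one minute, compares that with the scanner threshold, and then consults the histogram as the post describes. The post does not give the default scanner threshold, so 200 is assumed as a placeholder; the post says HIGH is "more than 100" hosts, and 100 itself is treated here as the lower edge of HIGH. All addresses and flow records are constructed.

```python
"""Worm verdict from the scanner threshold and the threshold histogram.

Added example following the post's description; not Cisco's code.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# The post does not state the default scanner threshold; 200 distinct
# destination hosts per minute is assumed here as a placeholder.
SCANNER_THRESHOLD = 200


@dataclass(frozen=True)
class HistogramBin:
    name: str
    low: int            # smallest destination-host count that falls in this bin
    high: int | None    # largest count (inclusive); None means unbounded
    max_scanners: int   # how many source hosts may sit in this bin

    def contains(self, dest_count: int) -> bool:
        return dest_count >= self.low and (self.high is None or dest_count <= self.high)


# Default histogram as described in the post (100 treated as the start of HIGH).
DEFAULT_HISTOGRAM = (
    HistogramBin("HIGH", 100, None, 1),
    HistogramBin("MEDIUM", 20, 99, 3),
    HistogramBin("LOW", 5, 19, 10),
)


@dataclass
class Verdict:
    worm: bool
    over_threshold: dict = field(default_factory=dict)  # source -> distinct destinations
    bin_members: dict = field(default_factory=dict)     # bin name -> [sources]
    violations: dict = field(default_factory=dict)      # bin name -> [sources] above max


def distinct_destinations(flows):
    """flows: iterable of (src, dst) pairs seen in one minute -> {src: n_distinct_dst}."""
    dests = defaultdict(set)
    for src, dst in flows:
        dests[src].add(dst)
    return {src: len(d) for src, d in dests.items()}


def evaluate_minute(flows, histogram=DEFAULT_HISTOGRAM, scanner_threshold=SCANNER_THRESHOLD):
    counts = distinct_destinations(flows)
    over = {s: n for s, n in counts.items() if n > scanner_threshold}
    verdict = Verdict(worm=False, over_threshold=over)
    if not over:
        # Scanner threshold not exceeded: the histogram is not consulted.
        return verdict
    for b in histogram:
        members = sorted(s for s, n in counts.items() if b.contains(n))
        verdict.bin_members[b.name] = members
        if len(members) > b.max_scanners:
            verdict.violations[b.name] = members
    verdict.worm = bool(verdict.violations)
    return verdict


def constructed_flows(scanners):
    """Build (src, dst) pairs; scanners = {src: number_of_distinct_dsts}. Constructed data."""
    flows = []
    for src, n in scanners.items():
        for i in range(n):
            flows.append((src, f"10.20.{i // 256}.{i % 256}"))
    return flows


# Quiet minute (constructed): two hosts each talk to three servers.
QUIET = constructed_flows({"10.1.1.10": 3, "10.1.1.11": 3})

# Outbreak minute (constructed): one host reaches 250 destinations (above the
# scanner threshold, and alone in HIGH), and four more hosts touch 30 each,
# which puts four sources in the MEDIUM bin whose maximum is 3.
OUTBREAK = constructed_flows({"10.1.1.10": 250, "10.1.1.11": 30, "10.1.1.12": 30,
                              "10.1.1.13": 30, "10.1.1.14": 30})

if __name__ == "__main__":
    for label, flows in (("quiet", QUIET), ("outbreak", OUTBREAK)):
        v = evaluate_minute(flows)
        print(label, "worm" if v.worm else "no worm", v.violations)
```

Note that the single host reaching 250 destinations does not by itself violate the histogram (HIGH allows one scanner); it is the four hosts in the MEDIUM bin that trigger the worm verdict, which is the many-slow-scanners pattern the histogram exists to catch.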

The UDP protocol tab and the Other protocol tab have the same setting options as the TCP protocol tab.

Illegal Zone

The illegal zone contains networks that are not available, not expected or invalid. In my example I do not expect traffic to be sent to these addresses, as seen in the screenshot. I can also include unallocated IP addresses from the pool, since in my lab environment only three IP addresses are in use and the others are unavailable.

External Zone

Any IP address not defined in the Internal Zone or the Illegal Zone belongs to the External Zone.
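How a destination address falls into the three zones, together with the ignore ranges from the Operation Settings tab, as an added example (not Cisco's code and not from the original post). The zone prefixes, the ignored host and the test addresses are all constructed; the post's own addresses are not reproduced. The order of checks (ignore list first, then illegal, then internal, with everything else external) is an assumption made so that an unused block carved out of the internal subnet, as the post suggests, still counts as illegal.

```python
"""Classify destination addresses into the anomaly-detection zones described
in the post. Added example; not Cisco's code. All addresses are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed zone definitions.
INTERNAL_ZONE = [ip_network("10.1.1.0/24")]
# Unused block inside the internal subnet plus a network nobody should reach.
ILLEGAL_ZONE = [ip_network("10.1.1.200/30"), ip_network("192.168.99.0/24")]
# A host excluded from baseline learning (for example a vulnerability scanner).
IGNORE_RANGES = [ip_network("10.1.1.250/32")]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def classify(address: str, internal=INTERNAL_ZONE, illegal=ILLEGAL_ZONE,
             ignore=IGNORE_RANGES) -> str:
    """Return 'ignored', 'illegal', 'internal' or 'external' for one destination.

    Precedence (assumption): ignore list, then illegal, then internal; anything
    left over is external, as the post states.
    """
    addr = ip_address(address)
    if _in_any(addr, ignore):
        return "ignored"
    if _in_any(addr, illegal):
        return "illegal"
    if _in_any(addr, internal):
        return "internal"
    return "external"


def zone_summary(destinations):
    """Count destinations per zone, e.g. to see which zone a scanner is reaching."""
    summary = {"ignored": 0, "illegal": 0, "internal": 0, "external": 0}
    for dest in destinations:
        summary[classify(dest)] += 1
    return summary


if __name__ == "__main__":
    sample = ["10.1.1.5", "10.1.1.201", "192.168.99.7", "10.1.1.250", "203.0.113.9"]
    for dest in sample:
        print(dest, classify(dest))
    print(zone_summary(sample))
```

A burst of connections into the illegal zone is the clearest signal here, since by definition no legitimate traffic should be going to those addresses.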

Anomaly Detection Knowledge Base

If you chose "Save Only" as the Learning Accept Mode action, the knowledge base is saved but not loaded, so you have to choose which knowledge base to load for your anomaly detection policy. If you chose "Rotate", the newly created knowledge base is loaded automatically.

Anomaly detection policy assignment
You assign an anomaly detection policy to a virtual sensor.


There are three AD operational modes: Detect, Inactive and Learn.

Detect suspends anomaly detection learning when there is a suspected worm attack; Inactive is self-explanatory; Learn continues learning even when there is a suspected worm attack. If you do not want attack traffic included in your knowledge base, choose Detect.
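How the operational mode, the worm timeout and the Learning Accept Mode action interact over time, as an added simulation (not Cisco's code and not from the original post). Time is counted in minutes, the minutes at which a worm is suspected are constructed input, and two details are assumptions: learning stays suspended until the worm timeout has elapsed after the last suspected minute, and a knowledge base is saved exactly at each learning-interval boundary.

```python
"""Simulate learning, suspension and knowledge-base rotation over time.

Added example; not Cisco's code. Defaults follow the post: 24-hour learning
interval, 10-minute worm timeout, Detect mode, Rotate action.
"""
from dataclasses import dataclass, field


@dataclass
class KbState:
    learned_minutes: int = 0        # minutes whose traffic went into the baseline
    suspended_minutes: int = 0      # minutes skipped because of the worm timeout
    saved: list = field(default_factory=list)   # knowledge bases written, in order
    loaded: str = "initial"         # knowledge base currently used for detection


def simulate(total_minutes, worm_minutes, mode="Detect", action="Rotate",
             learning_interval=24 * 60, worm_timeout=10):
    """mode: 'Detect', 'Learn' or 'Inactive'; action: 'Rotate' or 'Save Only'.

    worm_minutes: set of minute numbers (1-based) at which a worm is suspected.
    """
    if mode not in ("Detect", "Learn", "Inactive"):
        raise ValueError(f"unknown mode {mode!r}")
    if action not in ("Rotate", "Save Only"):
        raise ValueError(f"unknown action {action!r}")
    state = KbState()
    suspended_until = 0
    for minute in range(1, total_minutes + 1):
        if mode == "Inactive":
            continue                    # nothing learned, nothing saved
        if mode == "Detect" and minute in worm_minutes:
            # Detect suspends learning; it resumes worm_timeout minutes after
            # the last suspected minute (assumption about how the timer restarts).
            suspended_until = max(suspended_until, minute + worm_timeout)
        if minute < suspended_until:
            state.suspended_minutes += 1
        else:
            state.learned_minutes += 1   # Learn mode never suspends
        if minute % learning_interval == 0:
            name = f"kb-{minute // learning_interval}"
            state.saved.append(name)     # both actions save at every interval
            if action == "Rotate":
                state.loaded = name      # only Rotate loads the new baseline
    return state


if __name__ == "__main__":
    # Constructed scenario: two days, worm suspected during minutes 100 to 104.
    worm = {100, 101, 102, 103, 104}
    for mode, action in (("Detect", "Rotate"), ("Detect", "Save Only"),
                         ("Learn", "Rotate"), ("Inactive", "Rotate")):
        s = simulate(2 * 24 * 60, worm, mode=mode, action=action)
        print(f"{mode:8} {action:9} learned={s.learned_minutes} "
              f"suspended={s.suspended_minutes} saved={s.saved} loaded={s.loaded}")
```

Running it shows the trade-off the post describes: Detect keeps the outbreak minutes out of the baseline at the cost of a short learning gap, Learn folds them in, and with Save Only the sensor keeps detecting against the initially loaded knowledge base until you load a new one by hand.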
