[Bro-Dev] Alarms based on abnormal traffic patterns
vern at icir.org
Mon Dec 12 09:59:30 PST 2011
> Would you guys say that Bro implementing abnormal traffic analysis (i.e.
> deviation from a baseline) would be outside of Bro's scope?
Outside of its scope in terms of what's been developed, yes. It could
be a reasonable framework though to use to implement such analysis.
HOWEVER: this sort of anomaly detection turns out to be much trickier
than it would appear. The problem is that non-attack traffic has enough
variation in it that often it's very hard to find a useful definition
of "abnormal" such that you can alarm on it without endlessly annoying
the operator who has to field the alarms. That said, sometimes one can
indeed find a sweet spot between normal behavior and problematic behavior.
But it's very tricky (and usually publishable research if you can develop
such a detector that works in multiple environments).
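The trade-off described in the reply, as an added illustration that is not part of the original thread or of Bro itself: a minimal baseline-deviation detector over per-minute connection counts. The training window, the live samples and the labelling of which sample is the "real" event are all constructed for the example; the point it shows is that tightening the threshold to catch the spike also alarms on ordinary variation.

```python
"""Baseline-deviation alarm over per-minute connection counts.

Added example, not Bro code. Assumptions (constructed): counts arrive
from some external feed one value per minute, and the training window
is attack-free. A Gaussian mean/stddev baseline is deliberately the
simplest possible model, so the false-positive behaviour is easy to see.
"""
from statistics import mean, pstdev

# Constructed attack-free window: mean 100, population stddev 10.
TRAINING = [90, 110] * 5

# Constructed live samples: a benign burst (130), one genuine spike (400)
# and a benign lull (60) of the kind a lunch break or backup window causes.
LIVE = [100, 115, 130, 400, 85, 60]
TRUE_EVENTS = {3}  # index of the only sample an operator would want to see


def fit_baseline(training):
    """Return (mu, sigma) for the training window."""
    return mean(training), pstdev(training)


def detect(counts, mu, sigma, k):
    """Indices of samples whose deviation from mu exceeds k standard deviations."""
    return [i for i, x in enumerate(counts) if abs(x - mu) > k * sigma]


def alarm_counts(ks=(2, 3, 4)):
    """Flagged indices for each threshold multiplier k."""
    mu, sigma = fit_baseline(TRAINING)
    return {k: detect(LIVE, mu, sigma, k) for k in ks}


def evaluate(ks=(2, 3, 4)):
    """(true positives, false positives) per k against the constructed labels."""
    result = {}
    for k, flagged in alarm_counts(ks).items():
        tp = sum(1 for i in flagged if i in TRUE_EVENTS)
        result[k] = (tp, len(flagged) - tp)
    return result


if __name__ == "__main__":
    for k, (tp, fp) in evaluate().items():
        print(f"k={k}: {tp} true alarm(s), {fp} false alarm(s)")
```

On this constructed series k=4 is the "sweet spot" (one true alarm, no false ones), but that only holds because the benign dip happens to land just inside the band; shift the lull by a few connections and the same threshold alarms on it, which is exactly the sensitivity the reply warns about.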