[Bro-Dev] Alarms based on abnormal traffic patterns

Vern Paxson vern at icir.org
Mon Dec 12 09:59:30 PST 2011

> Would you guys say that Bro implementing abnormal traffic analysis (i.e.
> deviation from a baseline) would be outside of Bro's scope?

Outside of its scope in terms of what's been developed, yes.  It could
be a reasonable framework though to use to implement such analysis.

HOWEVER: this sort of anomaly detection turns out to be much trickier
than it would appear.  The problem is that non-attack traffic has enough
variation in it that often it's very hard to find a useful definition
of "abnormal" such that you can alarm on it without endlessly annoying
the operator who has to field the alarms.  That said, sometimes one can
indeed find a sweet spot between normal behavior and problematic behavior.
But it's very tricky (and usually publishable research if you can develop
such a detector that works in multiple environments).
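The trade-off described above, as an added example that is not part of the thread: a fixed-baseline "mean plus k standard deviations" detector run over constructed per-minute connection counts (a benign lunchtime burst, a benign backup job, then a sustained ramp). The counts, the function names and the multipliers are assumptions made for this illustration, not real Bro conn.log data.

```python
import statistics

# Constructed per-minute connection counts for one host (not real data):
# a steady baseline, a benign lunchtime burst, a benign backup job.
BENIGN = [40, 42, 38, 41, 45, 39, 43, 40, 44, 41,
          90, 95, 88, 42, 40, 39, 41, 43, 40, 42,    # lunch: everyone hits the web
          41, 40, 38, 42, 44, 41, 39, 40, 43, 41,
          40, 42, 160, 155, 41, 39, 42, 40, 41, 43,  # backup job kicks off
          42, 40, 41, 39, 44, 42, 40, 41, 43, 40]
# A sustained ramp appended after the benign minutes (also constructed).
SCAN = [60, 80, 110, 150, 200, 260, 330, 410, 500, 600]


def zscore_alarms(counts, train, k):
    """Flag minute i when counts[i] exceeds mean + k*stdev of the first
    `train` minutes: the simplest 'deviation from a baseline' detector."""
    mu = statistics.mean(counts[:train])
    sd = statistics.pstdev(counts[:train])
    return [i for i, c in enumerate(counts) if i >= train and c > mu + k * sd]


def detection_report(k, train=10):
    """How many benign minutes alarm, and how many ramp minutes are caught,
    for one choice of the multiplier k."""
    false_alarms = zscore_alarms(BENIGN, train, k)
    hits = [i for i in zscore_alarms(BENIGN + SCAN, train, k) if i >= len(BENIGN)]
    return {"k": k, "false_alarms": len(false_alarms),
            "scan_minutes_flagged": len(hits)}


if __name__ == "__main__":
    # Raising k quiets the benign bursts only by also delaying detection
    # of the ramp: at k=60 the backup spike is silent but the first four
    # minutes of the ramp are missed.
    for k in (3, 30, 60):
        print(detection_report(k))
```

The quiet setting that stops the operator being paged for the backup job is the same setting that hides the early minutes of the ramp; the "sweet spot" only exists if the benign variance is smaller than the signal you want to catch.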
