Anomaly detection

Craig Merchant cmerchant at responsys.com
Thu May 16 02:29:38 EDT 2013


Carter,

Thank you so much for your analysis of the APT1 threats.  Those emails were extremely educational.

I wanted to pick your brain about a couple of things related to anomaly detection...

We backhaul all remote offices through a central network that Argus can monitor.  Since those remote offices use DHCP, it's hard for Argus to build a reliable model of "normal" behavior by IP address.  And it can't see the MAC addresses of flows from those remote offices.  What's the best approach for anomaly detection in that kind of scenario?  Do you look at the producer/consumer metrics of the whole DHCP subnet and then compare individual flows against that baseline?

What kind of anomaly detection strategy do you use for environments where you have farms of different functional roles - web, MTA, database, etc.?  Do you recommend building a behavioral model by individual host or would you compare individual hosts against a baseline for that class of system?

Thanks.

Craig
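The two strategies Craig asks about, a per-class baseline for server farms and a whole-scope baseline for the DHCP'd remote offices, can be tried on per-host flow totals directly. The following is an added example (not part of the original mail or of Argus itself) in Python; the records, the prefix-to-class table and the producer/consumer ratio metric are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed per-host totals in the spirit of Argus racluster output:
# local address, bytes sent, bytes received (all values made up)
FLOWS = """\
10.1.1.10,48000,1200
10.1.1.11,51000,1300
10.1.1.12,47000,1100
10.1.1.13,900,52000
10.3.3.50,2000,40000
10.3.3.51,2500,45000
10.3.3.52,1800,38000
10.3.3.53,60000,3000
"""

# Hypothetical class table: a server farm by role, and the remote-office DHCP
# scope treated as one class because its individual leases are not stable
CLASS_BY_PREFIX = {"10.1.1.": "web", "10.3.3.": "dhcp-remote"}

def class_of(addr):
    return next((c for p, c in CLASS_BY_PREFIX.items() if addr.startswith(p)), "unknown")

def producer_ratio(text):
    """Per host: share of its byte volume it produced (0 = pure consumer)."""
    totals = defaultdict(lambda: [0, 0])
    for line in text.splitlines():
        addr, sent, recv = line.split(",")
        totals[addr][0] += int(sent)
        totals[addr][1] += int(recv)
    return {a: s / (s + r) for a, (s, r) in totals.items()}

def class_outliers(text, threshold=3.5):
    """Score each host against the median/MAD of its class rather than its own
    history; MAD keeps one anomalous host from inflating its own baseline."""
    groups = defaultdict(dict)
    for addr, ratio in producer_ratio(text).items():
        groups[class_of(addr)][addr] = ratio
    flagged = []
    for cls, hosts in groups.items():
        med = median(hosts.values())
        mad = median(abs(r - med) for r in hosts.values())
        if mad == 0:  # identical hosts give no scale; skip until more data exists
            continue
        for addr, ratio in hosts.items():
            score = abs(ratio - med) / mad
            if score > threshold:
                flagged.append((addr, cls, round(score, 1)))
    return sorted(flagged)
```

With these records the web host that mostly pulls data in and the DHCP client that mostly pushes data out are the only two hosts scored above the threshold.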