40-2
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 40 Managing IPS Anomaly Detection
Understanding Anomaly Detection
Knowing When to Turn Off Anomaly Detection, page 40-4
Configuring Anomaly Detection Signatures, page 40-4
Configuring Anomaly Detection, page 40-6
Worm Viruses
Worm viruses are automated, self-propagating intrusion agents that make copies of themselves and then
facilitate their spread. Worm viruses attack a vulnerable host, infect it, and then use it as a base to attack
other vulnerable hosts. They search for other hosts by using a form of network inspection, typically a
scan, and then propagate to the next target. A scanning worm virus locates vulnerable hosts by
generating a list of IP addresses to probe, and then contacts the hosts. Code Red worm, Sasser worm,
Blaster worm, and the Slammer worm are examples of worms that spread in this manner.
Anomaly detection identifies worm-infected hosts by their behavior as a scanner. To spread, a worm
virus must find new hosts. It finds them by scanning the Internet using TCP, UDP, and other protocols
to generate unsuccessful attempts to access different destination IP addresses. A scanner is defined as a
source IP address that generates events on the same destination port (in TCP and UDP) for too many
destination IP addresses.
The events that are important for TCP are non-established connections, such as a SYN packet that does
not have its SYN-ACK response for a given amount of time. A worm-infected host that scans using TCP
generates non-established connections on the same destination port for an anomalous number of IP
addresses.
The events that are important for UDP are unidirectional connections, such as a UDP connection where
all packets are going in only one direction. A worm-infected host that scans using UDP generates UDP
packets but does not receive UDP packets on the same IP address within a time-out period on the same
destination port for multiple destination IP addresses.
The events that are important for other protocols, such as ICMP (protocol number 1), are from a source
IP address to many different destination IP addresses, that is, packets that are received in only one
direction.
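The three definitions above (a scanner is a source that generates events on one destination port toward too many destination addresses; for TCP the event is a SYN with no SYN-ACK within a time-out, for UDP and other protocols a flow with traffic in one direction only) can be reduced to a small piece of detection logic. The following is an added illustration written for this guide's readers, not Cisco code and not how the sensor implements its policies; the packet record format, the 5-second time-out, the threshold of 5 destination addresses and the sample capture are all constructed assumptions. In the product these thresholds are derived from the learning phase rather than fixed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One packet from a constructed capture (assumed format, not a sensor record)."""
    ts: float          # seconds since start of capture
    src: str
    dst: str
    proto: str         # "tcp", "udp" or "icmp"
    sport: int = 0     # 0 for protocols without ports
    dport: int = 0
    flags: str = ""    # TCP flags: "S" = SYN, "SA" = SYN-ACK


RESPONSE_TIMEOUT = 5.0  # assumed: seconds to wait for a SYN-ACK or a reverse-direction packet
SCAN_THRESHOLD = 5      # assumed: distinct destination IPs per (src, proto, dport) before flagging


def scan_events(packets, timeout=RESPONSE_TIMEOUT):
    """Derive the per-protocol events described in the text. Each event is
    (src, proto, dport, dst):
      tcp   - a SYN whose SYN-ACK does not arrive within `timeout` (non-established connection)
      udp   - a flow to dst:dport with no packet back to src on that port within `timeout`
      other - a flow to dst with no packet back from dst within `timeout`
    """
    pkts = sorted(packets, key=lambda p: p.ts)
    # Index every packet by its full direction tuple so reverse-direction lookups are cheap.
    seen = defaultdict(list)
    for p in pkts:
        seen[(p.proto, p.src, p.dst, p.sport, p.dport, p.flags)].append(p.ts)

    def answered(p, reverse_key):
        # Symmetric window: a reply is also matched when the packet being judged is itself
        # the reply to an earlier request, so server responses are never counted as events.
        return any(p.ts - timeout <= t <= p.ts + timeout for t in seen.get(reverse_key, []))

    events = set()
    judged = set()  # only the first packet of each flow is judged
    for p in pkts:
        flow = (p.proto, p.src, p.dst, p.sport, p.dport)
        if flow in judged:
            continue
        judged.add(flow)
        if p.proto == "tcp":
            if p.flags != "S":
                continue  # only connection attempts matter for TCP
            reverse_key = ("tcp", p.dst, p.src, p.dport, p.sport, "SA")
        elif p.proto == "udp":
            reverse_key = ("udp", p.dst, p.src, p.dport, p.sport, "")
        else:
            reverse_key = (p.proto, p.dst, p.src, 0, 0, "")
        if not answered(p, reverse_key):
            events.add((p.src, p.proto, p.dport, p.dst))
    return events


def find_scanners(packets, threshold=SCAN_THRESHOLD, timeout=RESPONSE_TIMEOUT):
    """Group events by (src, proto, dport) and count distinct destination IPs.
    Returns {(src, proto, dport): count} for every source at or above `threshold`."""
    dests = defaultdict(set)
    for src, proto, dport, dst in scan_events(packets, timeout):
        dests[(src, proto, dport)].add(dst)
    return {k: len(v) for k, v in dests.items() if len(v) >= threshold}


def sample_traffic():
    """Constructed sample capture (not real data)."""
    pk = []
    # 10.0.0.5 sends SYNs to TCP/445 on nine hosts; 10.0.1.1 answers in time, 10.0.1.9 answers late.
    for i in range(1, 10):
        pk.append(Packet(float(i), "10.0.0.5", f"10.0.1.{i}", "tcp", 40000 + i, 445, "S"))
    pk.append(Packet(1.1, "10.0.1.1", "10.0.0.5", "tcp", 445, 40001, "SA"))
    pk.append(Packet(19.0, "10.0.1.9", "10.0.0.5", "tcp", 445, 40009, "SA"))  # outside time-out
    # 10.0.0.9 makes one ordinary web connection that completes.
    pk.append(Packet(2.0, "10.0.0.9", "10.0.2.2", "tcp", 50000, 80, "S"))
    pk.append(Packet(2.05, "10.0.2.2", "10.0.0.9", "tcp", 80, 50000, "SA"))
    # 10.0.0.7 sends UDP/1434 to six hosts and nothing comes back.
    for i in range(1, 7):
        pk.append(Packet(20.0 + i, "10.0.0.7", f"10.0.3.{i}", "udp", 3000 + i, 1434))
    # 10.0.0.11 pings five hosts; only 10.0.4.1 replies, so it stays under the threshold.
    for i in range(1, 6):
        pk.append(Packet(30.0 + i, "10.0.0.11", f"10.0.4.{i}", "icmp"))
    pk.append(Packet(31.01, "10.0.4.1", "10.0.0.11", "icmp"))
    return pk


if __name__ == "__main__":
    for key, count in sorted(find_scanners(sample_traffic()).items()):
        print(f"scanner {key[0]} {key[1]}/{key[2]}: {count} destination IPs")
```

Run as a script it reports the TCP/445 source (8 non-established connections) and the UDP/1434 source (6 unidirectional flows); the ICMP source produces only 4 unanswered destinations and is not reported, and the host whose single connection completed produces no event at all. The late SYN-ACK is the edge case worth noting: a response that arrives after the time-out still counts as a non-established connection, which is exactly why the time-out value matters when tuning.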
Caution: If a worm virus has a list of IP addresses it should infect and does not have to use scanning to spread
itself (for example, it uses passive mapping—listening to the network as opposed to active scanning), it
will not be detected by anomaly detection worm policies. Worm viruses that receive a mailing list from
probing files within the infected host and email this list will not be detected, because no Layer 3 or Layer
4 anomaly is generated.
Anomaly Detection Modes
Anomaly detection initially conducts a “peacetime” learning process, during which the network's normal
state is observed. Anomaly detection then derives a set of policy thresholds that best fit the normal
network. This is done in two phases: an initial learning mode phase, followed by the ongoing operational
detect mode phase.
Anomaly detection has the following modes:
Learning accept mode (initial setup)