40-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 40 Managing IPS Anomaly Detection
Understanding Anomaly Detection
Although anomaly detection is in detect mode by default, it first runs an initial learning accept mode
for a default period of 24 hours. The assumption is that no attack is being carried out during this phase.
Anomaly detection creates an initial baseline of the network traffic, known as a knowledge base.
The default interval value for periodic schedules is 24 hours and the default action is rotate, meaning
that a new knowledge base is saved and loaded, replacing the initial knowledge base after
24 hours.
Keep the following in mind:
• Anomaly detection does not detect attacks while it is working with the initial knowledge base, which
is empty. After the default 24 hours, a knowledge base is saved and loaded, and from then on anomaly
detection also detects attacks.
• Depending on your network complexity, you may want to keep anomaly detection in learning
accept mode for longer than the default 24 hours. You configure the mode in the Virtual Sensors
policy; see Defining A Virtual Sensor, page 37-5. After your learning period has finished, edit
the virtual sensor and change the mode to Detect.
Detect mode
For ongoing operation, the sensor should remain in detect mode 24 hours a day, 7 days
a week. Once a knowledge base is created and replaces the initial knowledge base, anomaly
detection detects attacks based on it. It looks for network traffic flows that violate thresholds in
the knowledge base and sends alerts. While anomaly detection looks for anomalies, it also records
gradual changes in traffic that do not violate the thresholds, and from these it creates a new
knowledge base. The new knowledge base is periodically saved and takes the place of the old one,
thus maintaining an up-to-date knowledge base.
Inactive mode
You can turn anomaly detection off by putting it in inactive mode. Under certain circumstances,
anomaly detection should be in inactive mode, for example, if the sensor is running in an asymmetric
environment. Because anomaly detection assumes it gets traffic from both directions, if the sensor
is configured to see only one direction of traffic, anomaly detection identifies all traffic as having
incomplete connections, that is, as scanners, and sends alerts for all traffic flows.
The following example summarizes the default anomaly detection configuration. If you add a virtual
sensor at 11:00 pm and do not change the default anomaly detection configuration, anomaly detection
begins working with the initial knowledge base and only performs learning. Although it is in detect
mode, it cannot detect attacks until it has gathered information for 24 hours and replaced the initial
knowledge base. At the first start time (10:00 am by default), and the first interval (24 hours by default),
the learning results are saved to a new knowledge base and this knowledge base is loaded and replaces
the initial knowledge base. Because anomaly detection is in detect mode by default, it begins to detect
attacks as soon as it has this new knowledge base.
Anomaly Detection Zones
By subdividing the network into zones, you can achieve a lower false negative rate. A zone is a set of
destination IP addresses. There are three zones, each with its own thresholds: internal, illegal, and
external.
The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By
default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP
addresses in the internal or illegal zone are handled by the external zone.
We recommend that you configure the internal zone with the IP address range of your internal network.
If you configure it in this way, the internal zone is all the traffic that comes to your IP address range, and
the external zone is all the traffic that goes to the Internet.
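The following Python sketch is an added example, not part of the Cisco guide: it models the zone lookup described above (internal and illegal checked first, external as the catch-all) and the asymmetric-traffic failure mode from the Inactive mode section, where unseen replies make every flow look like an incomplete connection. The zone ranges, per-zone thresholds and sample flows are constructed values for illustration, not IPS defaults.

```python
from ipaddress import ip_address, ip_network
from collections import defaultdict

# Zone definitions modelled on the page: external is the catch-all default and
# internal/illegal start empty. The two ranges below are constructed samples
# (RFC 5737 documentation space), not Cisco defaults.
ZONES = {
    "internal": [ip_network("10.0.0.0/8")],
    "illegal": [ip_network("192.0.2.0/24")],
}

def zone_for(dst):
    """Zone of a destination IP; anything not internal or illegal is external."""
    addr = ip_address(dst)
    for name in ("internal", "illegal"):
        if any(addr in net for net in ZONES[name]):
            return name
    return "external"

# Constructed per-zone thresholds: distinct destinations one source may leave
# with incomplete connections in a window before a scanner alert. Illustrative.
SCANNER_THRESHOLD = {"internal": 5, "illegal": 1, "external": 20}

def scanner_alerts(flows, see_both_directions=True):
    """Return sorted (src, zone) pairs that cross the zone's scanner threshold.

    flows: (src, dst, replied) tuples for one window. With asymmetric visibility
    the sensor never sees replies, so every flow counts as incomplete, which is
    the false-alert behaviour the page describes for one-directional traffic.
    """
    incomplete = defaultdict(set)  # (src, zone) -> unanswered destinations
    for src, dst, replied in flows:
        if not (replied and see_both_directions):
            incomplete[(src, zone_for(dst))].add(dst)
    return sorted(key for key, dsts in incomplete.items()
                  if len(dsts) >= SCANNER_THRESHOLD[key[1]])

# Constructed flows: a normal client with answered connections, and a host
# sweeping internal space and touching the illegal zone without replies.
SAMPLE_FLOWS = (
    [("10.0.1.5", f"10.0.2.{i}", True) for i in range(1, 6)]
    + [("198.51.100.9", f"10.0.9.{i}", False) for i in range(1, 7)]
    + [("198.51.100.9", "192.0.2.7", False)]
)

if __name__ == "__main__":
    print("symmetric: ", scanner_alerts(SAMPLE_FLOWS))
    print("asymmetric:", scanner_alerts(SAMPLE_FLOWS, see_both_directions=False))
```

With both directions visible only the sweeping host is reported; with one-directional visibility the normal client is flagged too, which is why the guide recommends inactive mode for asymmetric deployments.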