40-9
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 40 Managing IPS Anomaly Detection
Configuring Anomaly Detection
Tip Although you can use Security Manager to configure how knowledge bases are generated, you cannot manage the knowledge bases themselves. Use the IPS Device Manager (IDM) or IPS Manager Express (IME) instead. Using IDM (or IME), you can load, delete, and rename knowledge bases, and upload them to or download them from an external server. For more information about what you can do, see the online help for IDM or IME.
Related Topics
Anomaly Detection Modes, page 40-2
Configuring Anomaly Detection, page 40-6
Understanding Anomaly Detection Thresholds and Histograms, page 40-9
Step 1 Do one of the following to open the Anomaly Detection policy you want to modify:
• (Device view) Select IPS > Anomaly Detection from the Policy selector.
• (Policy view) Select IPS > Anomaly Detection from the Policy selector. Select an existing policy or create a new one.
Step 2 Click the Learning Accept Mode tab and configure the following options:
• Automatically accept learning knowledge base—Whether to have the sensor automatically update the knowledge base. If you do not select this option, anomaly detection does not automatically create a new knowledge base, and you cannot configure the other options on this tab.
• Action—Whether to rotate or save the knowledge base when it is created.
If you choose Rotate (the default), the new knowledge base is created and loaded according to the schedule you define. If you choose Save Only, the new knowledge base is created but not loaded. You can examine it and decide whether to load it into anomaly detection using IDM or IME.
Step 3 In the Schedule field, select the schedule for generating a new knowledge base. The default schedule is periodic, starting at 10 AM and running for 24 hours. Options are:
• Periodic—Base the schedule on a recurring period. Configure the following options:
  - Start Time—The starting time for the learning window in hh:mm:ss format (24-hour clock).
  - Learning Interval in hours—How long you want anomaly detection to learn from the network before creating a new knowledge base.
• Calendar Schedule—Base the schedule on specific times of day and days of the week. The dialog box changes to show Time of Day and Days of the Week tables. These times apply to every day selected; you cannot specify different times for different days.
  - To add a time or day, click the Add Row (+) button beneath the appropriate table. The time is in hh:mm:ss format (24-hour clock). For day, select the day from the list.
  - To edit an existing time or day, select it and click the Edit Row (pencil) button.
  - To delete a time or day, select it and click the Delete Row (trash can) button. Ensure that you have at least one time and one day configured.
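The following is an added example, not part of the guide and not a Security Manager or IPS API: a hypothetical model of the Learning Accept Mode tab that checks the rules stated in Steps 2 and 3 (hh:mm:ss times, at least one time and one day for a calendar schedule) and, for a periodic schedule, works out when the current learning window ends and a knowledge base is created. It assumes the periodic window recurs daily at the start time and that the learning interval is at least one hour; the class and field names are inventions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
DAYS = ("Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday")

def parse_hms(text):
    """Return (h, m, s) for an hh:mm:ss 24-hour-clock time, or None if malformed."""
    parts = text.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    h, m, s = map(int, parts)
    return (h, m, s) if h < 24 and m < 60 and s < 60 else None

@dataclass
class LearningAcceptMode:
    """Hypothetical model of the Learning Accept Mode tab (not a CSM API)."""
    auto_accept: bool = False      # 'Automatically accept learning knowledge base'
    action: str = "rotate"         # 'rotate' (default, KB is loaded) or 'save-only'
    schedule: str = "periodic"     # 'periodic' or 'calendar'
    start_time: str = "10:00:00"   # periodic: start of the learning window
    interval_hours: int = 24       # periodic: learning interval in hours
    times_of_day: list = field(default_factory=list)  # calendar: hh:mm:ss strings
    days_of_week: list = field(default_factory=list)  # calendar: names from DAYS

    def validate(self):
        """Return the errors the tab's rules imply; an empty list means valid."""
        if not self.auto_accept:
            return []   # remaining options are unavailable, so nothing to check
        errors = [f"unknown action {self.action!r}"] * (self.action not in ("rotate", "save-only"))
        times = [self.start_time] if self.schedule == "periodic" else self.times_of_day
        errors += [f"bad time {t!r}" for t in times if parse_hms(t) is None]
        if self.schedule == "periodic":   # minimum interval is an assumption
            errors += ["interval must be at least 1 hour"] * (self.interval_hours < 1)
        elif self.schedule == "calendar":
            errors += ["need at least one time of day"] * (not self.times_of_day)
            errors += ["need at least one day of the week"] * (not self.days_of_week)
            errors += [f"unknown day {d!r}" for d in self.days_of_week if d not in DAYS]
        return errors

    def next_knowledge_base(self, now_iso):
        """Periodic schedule only (call validate() first): ISO time at which the
        current or next learning window ends. Assumes daily recurrence."""
        if not self.auto_accept or self.schedule != "periodic":
            return None
        now = datetime.fromisoformat(now_iso)
        h, m, s = parse_hms(self.start_time)
        start = now.replace(hour=h, minute=m, second=s, microsecond=0)
        if start > now:                  # today's start is still ahead, so the
            start -= timedelta(days=1)   # window in progress began yesterday
        end = start + timedelta(hours=self.interval_hours)
        if end <= now:                   # that window has already produced its KB
            end = start + timedelta(days=1, hours=self.interval_hours)
        return end.isoformat(sep=" ")
```

With Save Only, the returned time is when a new knowledge base becomes available for review in IDM or IME rather than when it is loaded.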
Understanding Anomaly Detection Thresholds and Histograms
Anomaly detection uses thresholds and histograms to determine if scanning behavior is an attack.