With increasing number of cyber threats most of the cyber security team doesn’t have the capacity to manually detect, monitor, and defend against all. Effective cyber threat management requires leveraging automation to inform decisions.
OwlDQ framework, provides organizations the ability to load and process diverse security data feeds at scale in order to detect network data anomalies. The OwlDQ alerts can enable network admins to respond to these events in timely manner.
Here we walk through a scenario to detect anomalies with network traffic dataset.
IP address Validation
Detect the unusual network traffic patterns based on locations.
Identify the suspicious packets based on size.
Detect the malicious activity based on source and destination IP addresses.
-df "yyyy-MM-dd" -loglevel INFO -h 10.142.0.29:5432/owltrunk -owluser admin \
-fpgsupport .000000001 -fpgconfidence 0.4
Which components did we use?
OwlDQ address the issue of efficient network traffic classification by performing unsupervised anomaly detection and use this information to create dynamic rules that classify huge amounts of Infosec data in real time.
By providing Infosec dataset along with anomaly records, OwlDQ outlier and pattern algorithms found the anomaly in the network traffic. It mainly detect the following anomalies.
Traffic between Atlanta->Texas
The packet size extremely low between Atlanta->Texas
Atlanta source IP and Texas Destination IP.
Realtime OwlDQ can provide the alerts on network traffic anomalies which can help network admins to do further deep analysis and take preventative measure which is daunting task with huge amount of data.