You are here: Webhelp 5.5R7 > Threat Prevention > Abnormal Behavior Detection

Abnormal Behavior Detection

This feature may not be available on all platforms. Please check your system's actual page if your device delivers this feature.

There are various threat attacks in networks, such as Web server attacks ,DoS Flood attacks, application layer attacks , Port/Server scan attacks , Amplification attacks, SSL attacks etc. These threats have demonstrated a wide variety of abnormal behaviors. System provide an abnormal behavior detection function based on security zones. This function inspects the sessions of the detected object in multiple factors. When one detected object has multiple abnormal parameters, system will analyze the relationship among the abnormal parameters to see whether an abnormal behavior formed. If there is an abnormal behavior, system will send the alarm message and generate the threat log(s).

The followings are the concept description of the Abnormal Behavior Detection:

  • Detected object: The protected objects configured in the Host Defender in this chapter and the protected objects configured in Configuring Critical Asset Object.
  • Parameter: The basic statistical factor of a session, like the received bytes of inbound sessions per second. The statistical values of the parameters are used by the system to judge whether the detected object is abnormal or not.

  • Baseline: The baseline is the benchmark for the parameters. Value of the baseline is calculated by the system according to the historical data. When the baseline value is higher than the upper limit or lower than the lower limit, the baseline value is considered to be abnormal. If several baseline values of the detected object are abnormal, system will analyze the association of these abnormal baselines, and use discretion in deciding whether this detected object has abnormal behavior. If it has abnormal behavior, system will generate threat logs.

  • Abnormal behavior mode database: The abnormal behavior mode database includes the abnormal information of the traffic, which are detecting rules, description of the abnormalities, the reason for the abnormalities, and the suggestions. The information in the database helps you analyze and resolve the abnormal problems. By default, system will update the database at the certain time everyday, and you can modify the updating settings according to your own requirements. System supports automatically update and manual update, see Upgrading System.
 Abnormal Behavior Detection is controlled by license. To use Abnormal Behavior Detection, apply and install the StoneShield license.

Host Defender

You can enable the Host Defender function for the specific zone. Enabling this function can achieve the following targets:

  • Establish a data model for each host whose host name can be identified
  • Analyze the network behavior of host
  • Define the corresponding signature dimension for different network behaviors.
  • Detect the abnormal behavior of the host based on the signature dimension and find the more hidden threat attack.

The results are displayed in the iCenter page. For more information, see Viewing_the_Abnormal_Behavior_Detection_Information.

To enable Host Defender, take the following steps:

  1. Create a zone. For more information, refer to Security Zone;
  2. In the Zone Configuration dialog box, select Threat Protection tab.
  3. Select the Enable check box after the Abnormal Behavior Detection.
  4. Select the Host Defender check box. To enable the abnormal behavior detection of the HTTP factor, select the Advanced Protection check box. To enable the DDoS protection for the host, select the DDoS Protection check box. To capture and save the corresponding evidence that leads to the alarm of abnormal behavior, select Forensic.

DNS Defender

DNS, as the domain name resolution protocol, is designed to resolve fixed domain names to IP addresses. Due to the use of convenient and widely used domain names, the attacker will take different means to use the domain name to generate an attack. For example, an IP address can correspond to multiple domain name. The server, according to the Host field of the HTTP packet, can find the Goal URL, which the malware will use by modifying the Host field to disguise the domain name and generate the abnormal behavior. DGA, domain generation algorithm, will generate a large number of pseudo random domain names that will be used by the malware. ISP DNS hijack adds some of the malicious domain names used by the malicious software to its blacklist.

To solve these problems, the DNS domain name analysis can be used as an important basis to determine the malicious behavior. System will monitor the DNS response packets after the host defender function is enabled and establish the DNS mapping list. The DNS mapping list is used to store domain names and IP addresses, the pseudo random domain name generated by DGA algorithm, and the black and white domain names updated from the cloud. The device can detect malware and abnormal behavior attacks according to the DNS mapping, generate the threat logs, and display the results in the iCenter page. For more information, see Viewing_the_Abnormal_Behavior_Detection_Information.

Viewing the Abnormal Behavior Detection Information

To view the Abnormal Behavior Detection information, take the following steps:

  1. Select iCenter.
  2. In Threat tab, click , select Detected By and Abnormal Behavior Detection in the drop-down list, and then click the threat entry name in the list.
  3. Click the Threat Analysis tab and view the Abnormal Behavior Detection information and the trend chart of the actual value and predictive value ( baseline, thresholds ) of the detected object.
  4. Click the Knowledge Base tab to view the threat attack description information.