![Page 1: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/1.jpg)
Anomaly Detection and Mitigation
![Page 2: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/2.jpg)
Outline
• DoS and DDoS
• Anomaly Detection and Mitigation Systems
• Cisco DDoS Anomaly Detection and Mitigation Solutions
• Cisco Traffic Anomaly Detector
• Cisco Guard DDoS Mitigation
• Example
![Page 3: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/3.jpg)
Denial of Service Attack
• Denial of Service (DoS)
  – Resource removal
  – Resource modification
  – Resource saturation
![Page 4: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/4.jpg)
DoS (continued)
![Page 5: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/5.jpg)
Distributed Denial of Service Attack
![Page 6: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/6.jpg)
Anomaly Detection and Mitigation Systems
• Establish a baseline for network traffic through observation
• Check traffic against the baseline profile to look for:
  – Protocol anomaly
  – Network anomaly
  – Behavioral anomaly
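The two bullets above describe the whole loop: learn what "normal" looks like, then score live traffic against it. The following is an added example (not code from the slides, from Cisco, or from any product) of that loop in Python. It learns a per-counter baseline from quiet intervals and then flags an interval for each of the three anomaly classes named on the slide. All counter values, the 3-sigma threshold, and the 50% SYN/ACK completion ratio are constructed assumptions chosen for illustration, not figures from the slides.

```python
# Added example: baseline-driven anomaly detection over per-interval traffic
# counters. Everything here (counter names, sample figures, thresholds) is
# constructed for illustration and is not taken from the slides.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Interval:
    """Per-second counters for traffic toward one protected host (constructed)."""
    pps: int          # packets per second
    syn: int          # TCP SYN segments received
    synack: int       # TCP SYN/ACK segments the host answered with
    unique_srcs: int  # distinct source IPs seen
    dns_queries: int  # DNS queries received


@dataclass(frozen=True)
class Baseline:
    stats: dict  # counter name -> (mean, population standard deviation)


def learn_baseline(history):
    """Traffic Learning phase: summarise each volume counter over quiet intervals."""
    stats = {}
    for name in ("pps", "unique_srcs", "dns_queries"):
        values = [getattr(i, name) for i in history]
        stats[name] = (mean(values), pstdev(values))
    return Baseline(stats)


def zscore(value, stat):
    """How many standard deviations a value sits above the learned mean."""
    m, s = stat
    return 0.0 if s == 0 else (value - m) / s


def detect(interval, baseline, threshold=3.0, min_syn=100):
    """Score one interval against the baseline; returns (category, detail) findings."""
    findings = []
    # Protocol anomaly: handshakes that never complete (SYNs far above SYN/ACKs).
    if interval.syn >= min_syn and interval.synack < 0.5 * interval.syn:
        findings.append(("protocol", f"{interval.syn} SYN vs {interval.synack} SYN/ACK"))
    # Network anomaly: a volume counter far outside its learned distribution.
    for name in ("pps", "dns_queries"):
        z = zscore(getattr(interval, name), baseline.stats[name])
        if z > threshold:
            findings.append(("network", f"{name} z-score {z:.1f}"))
    # Behavioral anomaly: far more distinct sources than this host normally sees.
    z = zscore(interval.unique_srcs, baseline.stats["unique_srcs"])
    if z > threshold:
        findings.append(("behavioral", f"unique sources z-score {z:.1f}"))
    return findings


def recommend_action(findings):
    """Mirror the slides' workflow: divert to a scrubbing device only on an anomaly."""
    return "divert-to-scrubbing" if findings else "pass"


# Constructed quiet-period history (alternating values give a non-zero spread).
QUIET_HISTORY = [
    Interval(pps=1000, syn=300, synack=295, unique_srcs=50, dns_queries=200),
    Interval(pps=1200, syn=320, synack=310, unique_srcs=70, dns_queries=240),
] * 4

# Constructed intervals to score: one normal, one SYN flood, one DNS flood.
NORMAL = Interval(pps=1150, syn=300, synack=290, unique_srcs=65, dns_queries=225)
SYN_FLOOD = Interval(pps=50000, syn=40000, synack=500, unique_srcs=3000, dns_queries=230)
DNS_FLOOD = Interval(pps=1300, syn=310, synack=300, unique_srcs=62, dns_queries=9000)

if __name__ == "__main__":
    baseline = learn_baseline(QUIET_HISTORY)
    for label, iv in (("normal", NORMAL), ("syn flood", SYN_FLOOD), ("dns flood", DNS_FLOOD)):
        found = detect(iv, baseline)
        print(f"{label:10s} -> {recommend_action(found)} {found}")
```

The SYN-flood interval trips all three classes at once (half-open handshakes, a packet-rate spike, and a source-count spike), while the DNS-flood interval is caught only by the network-volume check; a real detector would track many more counters per protected host, but the learn-then-score structure is the same.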
![Page 7: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/7.jpg)
Anomaly Detection and Mitigation Systems (cont)
• Anomaly Detection Technique Characteristics:
  – Signatureless
  – Granular
  – Perform relational and behavioral based detection
  – Supports dynamic filtering
  – Includes antispoofing techniques
  – Detects day zero and minute zero attacks
  – Can highlight any interesting traffic
  – Traffic Diversion architecture for topological flexibility
![Page 8: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/8.jpg)
Cisco DDoS Anomaly Detection and Mitigation Solutions
The system uses Cisco Traffic Anomaly Detector and Cisco Guard DDoS Mitigation to:
• Detect and mitigate DDoS attacks
• Distinguish between legitimate and attack traffic
• Block attack traffic using source based dynamic filters
• Block large botnets and zombie attacks
• Deliver multigigabit performance at line rate for detection and mitigation
![Page 9: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/9.jpg)
Cisco Advert (continued)
![Page 10: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/10.jpg)
Cisco Advert (continued)
• Protects against broad range of DDoS attacks:
  – TCP/UDP based attacks
  – HTTP attacks
  – DNS attacks
  – SIP (VoIP) attacks
  – Botnets and Zombie attacks
![Page 11: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/11.jpg)
Cisco Traffic Anomaly Detector
• Monitors mirrored copy of traffic to detect anomalies
• Traffic Learning
• Traffic Anomaly Detection
![Page 12: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/12.jpg)
Cisco Traffic Anomaly Detector (cont)
![Page 13: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/13.jpg)
Cisco Guard DDoS Mitigation
• Traffic Learning
• Traffic Protection
• Traffic Diversion
Uses a Multi-Verification Process (MVP) architecture in a non-inline process.
![Page 14: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/14.jpg)
Cisco Guard DDoS Mitigation
![Page 15: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/15.jpg)
Example
• 1. Anomaly Detected
![Page 16: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/16.jpg)
Example (cont)
• 2. Anomaly Detector alerts Cisco Guard
![Page 17: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/17.jpg)
Example (cont)
• 3. Redirects victim traffic to Guard
![Page 18: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/18.jpg)
Example (cont)
• 4. Diverted Traffic is scrubbed
![Page 19: Anomaly Detection and Mitigation](https://reader035.vdocuments.net/reader035/viewer/2022062222/56816768550346895ddc4f70/html5/thumbnails/19.jpg)
Resources
• http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5879/ps6264/ps5888/product_data_sheet0900aecd800fa55e.html
• http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6236/product_data_sheet0900aecd80220a6e_ps708_Products_Data_Sheet.html
• http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5879/ps6264/ps5887/product_data_sheet0900aecd800fa552.html
• Bhaiji, Yusuf. Network Security Technologies and Solutions. Cisco Press. 2008.