Cisco Traffic Anomaly Detector Module Web-Based Manager Configuration Guide (Software Version 5.0)
Activating Anomaly Detection

Table Of Contents

Activating Anomaly Detection

Anomaly Detection Options

Detect, Detect and Learn

Automatic and Interactive Operation Modes

Managing Anomaly Detection

Activating Anomaly Detection

Verifying Traffic Anomaly Detection

Deactivating Anomaly Detection

Managing Dynamic Filters

Viewing the Dynamic Filters List

Viewing Dynamic Filter Details

Deleting Dynamic Filters

Preventing the Creation of Unwanted Dynamic Filters

Managing Detector Module Recommendations for Dynamic Filters

Viewing Detector Module Recommendations

Viewing and Acting on Detector Module Recommendations

Viewing the Pending Dynamic Filters of a Recommendation

Viewing Pending Dynamic Filter Details

Accepting a Pending Dynamic Filter

Changing Zone Operation Modes

Changing the Zone Operation Mode to Automatic

Changing the Zone Operation Mode to Interactive

Taking Action When the Number of Pending Dynamic Filters Exceeds 1000


Activating Anomaly Detection


When you activate anomaly detection for a zone, the Detector module applies the zone policies to the copy of the zone traffic it receives. When a traffic anomaly triggers a policy action by exceeding the policy threshold (indicating an attack), the Detector module either sends you a notification or activates a Cisco Anomaly Guard Module. This chapter describes how to activate and manage zone anomaly detection using the WBM.

This chapter includes the following sections:

Anomaly Detection Options

Managing Anomaly Detection

Managing Dynamic Filters

Managing Detector Module Recommendations for Dynamic Filters

Changing Zone Operation Modes

Anomaly Detection Options

The Detector module provides you with several options for performing anomaly detection. For example, you can let the Detector module manage all aspects of the anomaly detection operation or you can monitor and direct the Detector module during an attack.

This section contains the following anomaly detection information:

Detect, Detect and Learn

Automatic and Interactive Operation Modes

Detect, Detect and Learn

When you manually activate zone anomaly detection using the WBM, the Detector module provides you with the following options:

Detect—The Detector module analyzes the zone traffic and begins producing Dynamic filters when it detects a traffic anomaly.

Detect and Learn—The Detector module analyzes zone traffic for traffic anomalies and at the same time begins the threshold tuning phase of the learning process. While analyzing the traffic for the threshold tuning phase, the Detector module automatically adjusts the policy thresholds of the zone configuration with new threshold information. If the Detector module detects an attack while analyzing the traffic, it suspends the threshold tuning phase. When the attack on the zone ends, the Detector module resumes the threshold tuning phase along with anomaly detection.
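The following model illustrates the difference between Detect and Detect and Learn described above, and why the threshold tuning phase is suspended during an attack. It is an added example, not Cisco code. The chapter does not state how the Detector module derives a threshold from traffic; the rule used here (highest non-attack rate observed times a fixed margin), the class and function names, and the traffic trace are all assumptions for illustration.

```python
"""Model of Detect versus Detect and Learn.

Added example, not Cisco code. The tuning rule (observed peak * TUNING_MARGIN)
and the names below are assumptions; the chapter only says that tuning runs
alongside detection, is suspended while an attack is detected and resumes
when the attack ends.
"""
from dataclasses import dataclass

TUNING_MARGIN = 1.5   # assumed: tuned threshold = highest non-attack rate seen * 1.5


@dataclass
class Policy:
    name: str
    threshold: float            # pps; a rate above this triggers the policy action
    learned_peak: float = 0.0
    under_attack: bool = False

    def observe(self, rate_pps: float, learn: bool, suspend: bool = True) -> str:
        """Feed one rate sample. Returns 'attack', 'attack-end', 'tuned' or 'ok'.

        learn=False models Detect; learn=True models Detect and Learn.
        suspend=False is the counter-example: tuning that keeps running during
        an attack lets the attack raise the threshold to tolerate itself.
        """
        if rate_pps > self.threshold:
            self.under_attack = True
            if learn and not suspend:
                self._tune(rate_pps)        # the unsafe variant learns from attack traffic
            return "attack"
        status = "ok"
        if self.under_attack:
            self.under_attack = False
            status = "attack-end"           # tuning resumes from this sample on
        if learn and self._tune(rate_pps) and status == "ok":
            status = "tuned"
        return status

    def _tune(self, rate_pps: float) -> bool:
        """Adjust the threshold from the observed peak; True if it changed."""
        self.learned_peak = max(self.learned_peak, rate_pps)
        new = self.learned_peak * TUNING_MARGIN
        changed = new != self.threshold
        self.threshold = new
        return changed


def run(samples, learn: bool, suspend: bool = True, start: float = 1000.0):
    """Replay a rate trace; return (final threshold, per-sample statuses)."""
    policy = Policy("tcp_syn", start)
    statuses = [policy.observe(s, learn, suspend) for s in samples]
    return policy.threshold, statuses


# Constructed trace: quiet traffic, a flood, then quiet traffic again (pps).
TRACE = [200, 300, 250, 5000, 8000, 300, 350]

if __name__ == "__main__":
    for label, learn, suspend in (("Detect", False, True),
                                  ("Detect and Learn", True, True),
                                  ("learning without suspension", True, False)):
        thr, st = run(TRACE, learn, suspend)
        print(f"{label:28s} final threshold {thr:8.1f}  {st}")
```

With Detect the configured threshold never moves; with Detect and Learn it is tuned only from samples taken outside the attack; the third run shows the failure the suspension prevents, where the flood itself lifts the threshold far above legitimate traffic.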

Automatic and Interactive Operation Modes

During an attack, the Detector module operates in one of two operation modes and either automatically activates the Dynamic filters it creates or waits for you to decide whether or not to activate the Dynamic filters. When you define the zone configuration, you configure the operation mode the Detector module operates in by selecting one of the following settings:

Automatic operation mode—The Detector module automatically activates the Dynamic filters it creates without any user intervention.

Interactive operation mode—You choose whether to activate or ignore the Dynamic filters that the Detector module creates. In interactive operation mode, you decide on the detection measures while the Detector module continues to analyze the attack and queue the Dynamic filters it suggests.

You can change the operation mode setting of a zone configuration at any time.

Managing Anomaly Detection

The procedures in this section describe how to manually activate and deactivate zone traffic anomaly detection.

Activating Anomaly Detection

To activate anomaly detection:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to activate anomaly detection:

From the zone status screen, click Detect & Learn or Detect.

From the zone main menu, choose Detection > Detect.

The following actions occur:

The Detector module begins analyzing the traffic flow for traffic anomalies.

The zone name is added to the Under Detection zone listing in the navigation pane.

The zone status icon changes from Standby to Detection.

The Recent Events table lists an event type of detection-start with a detail listing of Zone is under detection.


Verifying Traffic Anomaly Detection

From the zone status screen, you can view the traffic counter to verify that the anomaly detection process is functioning properly.

Click a zone under detection from the navigation pane to display the zone status screen. Anomaly detection is functioning if the following conditions exist:

The Recent Events table lists an event type of detection-start with a detail listing of Zone is under detection.

The Traffic Rate table shows the Received traffic rate is greater than zero.

Deactivating Anomaly Detection

To deactivate anomaly detection:


Step 1 Click a zone under detection from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to deactivate anomaly detection:

From the zone status screen, click Deactivate.

From the zone main menu, choose Detection > Deactivate.

The following actions occur:

The Detector module stops analyzing zone traffic.

The zone name is removed from the Under Detection zone listing in the navigation pane.

The zone status icon changes from Detection to Standby.

The Recent Events table lists an event type of detection-stop with a detail listing of Zone is not under detection.


Managing Dynamic Filters

The Detector module only creates Dynamic filters after you activate anomaly detection for a zone and the Detector module detects an attack. Thus, you can only view and manage Dynamic filters when an attack is taking place on the zone.

Viewing the Dynamic Filters List

To view the list of Dynamic filters:


Step 1 Select a zone under detection from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to view the list of Dynamic filters:

From the zone main menu, choose Detection > Dynamic filters.

From the zone status table on the zone status page, click Active dynamic filters.

The Dynamic filters screen appears.


The Dynamic filters table displays the Dynamic filters grouped according to the policy that created them and displays information about the ongoing attack. Table 9-1 describes the information found in the Dynamic filters table.

Table 9-1 Field Descriptions for Dynamic Filters 

Field
Description

Created by

Policy that created the Dynamic filter. Click on the policy name to display the policy details.

Activation

Date and time the Dynamic filter was activated.

Expiration

Time the Dynamic filter is due to expire. After this time, the Dynamic filter is erased.

Src IP

Source IP address on which the Dynamic filter is applied.

Protocol

Protocol number on which the Dynamic filter is applied.

Dst Port

Destination port on which the Dynamic filter is applied.

Fragments

Indicates whether the attack stream contains fragmented packets.

Action

Action taken by the Dynamic filter.

Rate (pps)

Approximate attack rate.

Details

Indicates whether there is additional information available for this filter. Click i to view additional information.


A value of * for any of the parameters indicates one of the following:

The value is undetermined.

More than one value was measured for the filter parameter.

See the "Viewing Dynamic Filter Details" section for information on viewing the details of a specific Dynamic filter.

Viewing Dynamic Filter Details

To display detailed information for a specific Dynamic filter:


Step 1 Select a zone under detection from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to view the list of Dynamic filters:

From the zone main menu, choose Detection > Dynamic filters.

From the zone status table on the zone status page, click Active dynamic filters.

The Dynamic filters screen appears.

Step 3 Click i in the Details column of the desired Dynamic filter. The Dynamic filter details screen appears.


The Dynamic filter details screen includes three tables that describe the following information:

The policy that created the Dynamic filter.

Information on the attack flow.

Information on the trigger that created the Dynamic filter. Table 9-2 describes the trigger parameters.

Table 9-2 Field Descriptions for Triggers 

Field
Description

Policy Threshold

Threshold defined for the policy that was exceeded by the attack.

Triggering rate

Approximate attack rate that triggered the production of the Dynamic filter.


Deleting Dynamic Filters

You can remove all Dynamic filters; however, this is effective for a limited period of time as the Detector module continues to configure new Dynamic filters during an attack to adapt to the dynamically changing traffic state.

To delete a Dynamic filter:


Step 1 Select a zone under detection from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to view the list of Dynamic filters:

From the zone main menu, choose Detection > Dynamic filters.

From the zone status table on the zone status page, click Active dynamic filters.

The Dynamic filters screen appears.

Step 3 Click the check box next to the desired Dynamic filter to delete.

Step 4 Click Delete. The Detector module removes the Dynamic filter.


Preventing the Creation of Unwanted Dynamic Filters

To prevent the Detector module from producing unwanted Dynamic filters, you can:

Deactivate the policy that produces them. See the "Modifying a Single Policy" section in "Managing Zone Policies" for details on changing the policy operating state. To view the list of Dynamic filters and find out which policy produced the unwanted Dynamic filters, see the "Viewing the Dynamic Filters List" section.

Configure a Bypass filter for the desired traffic flow. See the "Managing Bypass Filters" section in "Configuring Zone Filters" for details on configuring a Bypass filter.

Increase the threshold of the policy that produced the undesired Dynamic filter. See the "Modifying a Single Policy" section in "Managing Zone Policies" for details on modifying the policy threshold.

Managing Detector Module Recommendations for Dynamic Filters

When you perform anomaly detection in interactive operation mode, the Detector module creates a queue of the Dynamic filters it creates during an attack. The queued Dynamic filters are known as pending Dynamic filters. The Detector module groups the pending Dynamic filters according to the policies that produced them and presents them to you as Detector module recommendations. You can choose to act on a Detector module recommendation (including all of the pending Dynamic filters associated with it) or you can act on each pending Dynamic filter separately.

This section contains the following procedures:

Viewing Detector Module Recommendations

Viewing and Acting on Detector Module Recommendations

Viewing the Pending Dynamic Filters of a Recommendation

Viewing Pending Dynamic Filter Details

Accepting a Pending Dynamic Filter

Viewing Detector Module Recommendations

The Detector module displays the Detector module recommendations icon when new recommendations are available. This icon appears in the following locations:

The navigation pane, next to the zone icon in the All Zones list

The navigation pane, next to the zone icon in the Under Detection zone list

The zone status page, in the zone status bar

The zone list table

When the Detector module has new recommendations, the number of pending Dynamic filters the zone status screen displays is greater than zero.

To view the list of Detector module recommendations:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to display the list of recommendations:

From the zone main menu, choose Detection > Recommendations.

From the zone status table on the zone status screen, click Pending Dynamic filters in the zone status summary.

The Recommendations screen appears.


Table 9-3 describes the fields in the Recommendations table.

Table 9-3 Field Descriptions for Recommendations Table 

Field
Description
ID

Identification number the Detector module assigned to the recommendation.

Recommendation

Action the Detector module recommends.

Created By

Policy that created the filter. Click on the policy name to view the policy details.

# of PFs

Number of pending Dynamic filters that constitute the recommendation. Each pending filter was created as a result of traffic flow that exceeded the policy threshold. Click on the number to view the pending Dynamic filters associated with the recommendation.

Attack flow

Attack flow information. The following information is provided:

Src IP—Source IP address of the attack stream

Protocol—Protocol number of the attack stream

Dst Port—Destination port of the attack stream

Dst IP—Destination IP address of the attack stream

Thr.

Policy threshold that the attack flow exceeded.

Min.

Minimum attack rate. The rate of the lowest pending Dynamic filter is displayed for recommendations that include several pending filters.

Max.

Maximum attack rate. The rate of the highest pending Dynamic filter is displayed for recommendations that include several pending filters.

Creation

Date and time the recommendation was created.


A value of * for any of the parameters indicates one of the following conditions:

The Detector module is unable to determine the value.

The Detector module measured more than one value for the filter parameter. To display the different values, view the complete list of pending Dynamic filters.

Viewing and Acting on Detector Module Recommendations

To view and act on the Detector module recommendations:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to display the list of recommendations:

From the zone main menu, choose Detection > Recommendations.

From the zone status table on the zone status screen, click Pending Dynamic filters in the zone status summary.

The Recommendations screen appears.

Step 3 In the Filters timeout box, enter the timeout value (in seconds) for the filter.

Step 4 Click the check box next to the desired recommendations.

Step 5 Select the required action:

accept—Accept the specific recommendation. The Detector module activates the pending Dynamic filters associated with the recommendation.

always-accept—Always accept the specific recommendation. During the current attack period, the Detector module automatically accepts the recommendations of the policy that produced the recommendation. The Detector module does not display always-accept recommendations.

always-ignore—Always ignore the specific recommendation. During the current attack period, the Detector module automatically ignores the recommendations of the policy that produced the recommendation. To prevent a policy from producing recommendations in future attacks, disable or deactivate the policy (see the "Modifying a Single Policy" section in "Managing Zone Policies").

You can change an always-ignore decision made on a specific recommendation by changing the interactive-status of the policy that created the pending Dynamic filters of the recommendation.


If necessary, you can selectively accept pending Dynamic filters instead of accepting all the Dynamic filters associated with a recommendation. See the "Accepting a Pending Dynamic Filter" section for further details.

Viewing the Pending Dynamic Filters of a Recommendation

To view the pending Dynamic filters associated with a Detector module recommendation:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to display the list of recommendations:

From the zone main menu, choose Detection > Recommendations.

From the zone status table on the zone status screen, click Pending Dynamic filters in the zone status summary.

The Recommendations screen appears.

Step 3 Click the numeric value listed in the # of PFs (Pending Filters) column of the desired recommendation. The Pending dynamic filters screen appears.


Table 9-4 describes the fields in the Pending dynamic filters table.

Table 9-4 Field Descriptions for Pending Dynamic Filters 

Field
Description

Created by

Policy that created the filter. Click on the policy name to display the Policy details. See "Managing Zone Policies" for further details.

Activation

Date and time the filter was created.

Src IP

Source IP address of the attack stream.

Protocol

Protocol number of the attack stream.

Dst Port

Destination port of the attack stream.

Fragments

Indicates whether or not the attack stream contains fragmented packets.

Action

Action taken by the filter.

Recent rate

Current attack rate measured by the filter.

Rate (pps)

Triggering rate. The approximate attack rate that triggered the production of the dynamic filter.

Details

Indicates whether or not additional information is available for this filter. Click i for additional information.



A value of * for any of the parameters indicates one of the following conditions:

The value is undetermined.

More than one value was measured for the filter parameter.

The Detector module activates the pending Dynamic filters that you accept for at least a user-defined time span (the filter timeout).

Viewing Pending Dynamic Filter Details

To display the detailed information of a Dynamic filter:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to display the list of recommendations:

From the zone main menu, choose Detection > Recommendations.

From the zone status table on the zone status screen, click Pending Dynamic filters in the zone status summary.

The Recommendations screen appears.

Step 3 Click the numeric value listed in the # of PFs (Pending Filters) column of the desired recommendation. The Pending dynamic filters screen appears.

Step 4 Click i in the details column of the desired pending Dynamic filter. The Filter details screen appears.


The Filter details screen for a pending Dynamic filter includes three tables that provide the following information:

Policy that created the filter.

Attack flow.

Trigger for the filter creation. This table displays the policy threshold that the attack traffic exceeded and the approximate attack rate that triggered the production of the filter.

Accepting a Pending Dynamic Filter

To selectively accept a pending Dynamic filter:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Use one of the following methods to display the list of recommendations:

From the zone main menu, choose Detection > Recommendations.

From the zone status table on the zone status screen, click Pending Dynamic filters in the zone status summary.

The Recommendations screen appears.

Step 3 Click the numeric value listed in the # of PFs (Pending Filters) column of the desired recommendation. The Pending dynamic filters screen appears.

Step 4 In the Filters timeout box, enter the Dynamic filter timeout value in seconds.

Step 5 Check the check box next to the desired pending Dynamic filter or filters to activate.

Step 6 Click Accept. The Detector module activates the selected pending Dynamic filters.


Changing Zone Operation Modes

The operation mode in which the Detector module operates when managing an attack on the zone determines how the Dynamic filters are activated during the attack. You can configure the Detector module to operate in either of the following modes:

Automatic operation mode—The Detector module activates all Dynamic filters as it creates them.

Interactive operation mode—You are required to act on the Dynamic filter recommendations that the Detector module produces during an attack. You can activate or ignore a Detector module recommendation.

You configure the zone operation mode as part of the zone configuration and can change the zone operation mode setting at any time, including when the Detector module is managing an attack on the zone.

This section contains the following information:

Changing the Zone Operation Mode to Automatic

Changing the Zone Operation Mode to Interactive

Taking Action When the Number of Pending Dynamic Filters Exceeds 1000

Changing the Zone Operation Mode to Automatic

To change the operation mode setting of a zone from interactive to automatic:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Choose Configuration > General from the zone main menu. The General screen appears.

Step 3 Click Config. The Config screen displays.

Step 4 From the Operation Mode parameter drop-down list, select automatic.

Step 5 Click OK. The Detector module updates the zone configuration with the new operation mode setting. If anomaly detection is currently active, the Detector module automatically activates all pending and new Dynamic filters.


Changing the Zone Operation Mode to Interactive

To change the operation mode setting of a zone from automatic to interactive:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Choose Configuration > General from the zone main menu. The General screen appears.

Step 3 Click Config. The Config screen displays.

Step 4 From the Operation Mode parameter drop-down list, select interactive.

Step 5 Click OK. The Detector module updates the zone configuration with the new operation mode setting. If anomaly detection is currently active, the Detector module produces recommendations when an attack is detected.


Taking Action When the Number of Pending Dynamic Filters Exceeds 1000

When the number of pending Dynamic filters the zone status screen displays exceeds 1000, the Detector module begins to discard any new recommendations after recording the recommendation information to the log file. We recommend that you change the zone operation mode to automatic when the number of pending Dynamic filters exceeds 1000 filters. When operating in automatic operation mode, the Detector module activates all Dynamic filters as it creates them.


Note When the number of pending Dynamic filters exceeds 1000 filters, you must first deactivate anomaly detection before making the recommended change to the operation mode. This is the only time you are required to deactivate anomaly detection before changing the zone operation mode.


To change the zone operation mode to automatic when the number of pending Dynamic filters exceeds 1000 filters:


Step 1 Select a zone from the navigation pane. The zone main menu and the zone status screen appear.

Step 2 Click Deactivate. The Detector module stops anomaly detection and deletes all pending Dynamic filters.

Step 3 Choose Configuration > General from the zone main menu. The General screen appears.

Step 4 Click Config. The Config screen displays.

Step 5 From the Operation Mode parameter drop-down list, select automatic.

Step 6 Click OK. The zone configuration is updated with the new operation mode setting.

Step 7 Click Detect (or Detect & Learn). The Detector module begins anomaly detection in automatic operation mode and activates all Dynamic filters as it creates them.
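The following model ties together the interactive-mode behaviour described in "Managing Detector Module Recommendations for Dynamic Filters" and the pending-filter cap described in this section: pending Dynamic filters grouped by policy into recommendations, the * summary value from Table 9-3, the accept, always-accept and always-ignore actions, the effect of switching the operation mode, and the point at which new recommendations are logged and discarded. It is an added example, not Cisco code. Column names follow Tables 9-3 and 9-4; the class and method names, the log list, the exact cap boundary (at most 1000 pending filters are kept) and the sample filters are assumptions for illustration.

```python
"""Model of Dynamic filter handling in interactive operation mode.

Added example, not Cisco code. Names, the log list and the cap boundary
are assumptions; column names follow Tables 9-3 and 9-4 of the chapter.
"""
from dataclasses import dataclass, field
from typing import Optional

PENDING_CAP = 1000   # above this, new recommendations are logged and discarded
WILDCARD = "*"       # value undetermined, or more than one value measured


@dataclass(frozen=True)
class PendingFilter:
    policy: str                 # "Created by"
    src_ip: Optional[str]       # None models an undetermined value
    protocol: Optional[int]
    dst_port: Optional[int]
    threshold: int              # policy threshold the flow exceeded ("Thr.")
    rate_pps: int               # triggering rate ("Rate (pps)")


@dataclass
class Recommendation:
    rec_id: int
    policy: str
    filters: list = field(default_factory=list)

    def _summarize(self, attr: str) -> str:
        values = {getattr(f, attr) for f in self.filters}
        return WILDCARD if len(values) != 1 or None in values else str(values.pop())

    def row(self) -> dict:
        """One row of the Recommendations table (Table 9-3)."""
        rates = [f.rate_pps for f in self.filters]
        return {"ID": self.rec_id, "Created By": self.policy, "# of PFs": len(self.filters),
                "Src IP": self._summarize("src_ip"), "Protocol": self._summarize("protocol"),
                "Dst Port": self._summarize("dst_port"), "Thr.": self.filters[0].threshold,
                "Min.": min(rates), "Max.": max(rates)}


class Zone:
    def __init__(self, mode: str = "interactive"):
        self.mode = mode
        self.active: list = []             # activated Dynamic filters
        self.pending: dict = {}            # policy name -> Recommendation
        self.policy_decision: dict = {}    # policy name -> "always-accept" | "always-ignore"
        self.log: list = []                # recorded before a recommendation is discarded
        self._next_id = 1

    def pending_count(self) -> int:
        return sum(len(r.filters) for r in self.pending.values())

    def produce(self, f: PendingFilter) -> str:
        """The module creates a Dynamic filter; returns what happened to it."""
        decision = self.policy_decision.get(f.policy)
        if self.mode == "automatic" or decision == "always-accept":
            self.active.append(f)
            return "activated"
        if decision == "always-ignore":
            return "ignored"
        if self.pending_count() >= PENDING_CAP:
            self.log.append(f"discarded: policy={f.policy} src={f.src_ip} "
                            f"dport={f.dst_port} rate={f.rate_pps}")
            return "discarded"
        rec = self.pending.get(f.policy)
        if rec is None:
            rec = self.pending[f.policy] = Recommendation(self._next_id, f.policy)
            self._next_id += 1
        rec.filters.append(f)
        return "pending"

    def act(self, policy: str, action: str) -> int:
        """Act on a whole recommendation; returns the number of filters activated."""
        if action not in ("accept", "always-accept", "always-ignore"):
            raise ValueError(action)
        if action != "accept":
            self.policy_decision[policy] = action   # holds for the current attack period
        rec = self.pending.pop(policy, None)
        if rec is None or action == "always-ignore":
            return 0
        self.active.extend(rec.filters)
        return len(rec.filters)

    def set_mode(self, mode: str) -> int:
        """Change the operation mode; switching to automatic activates every pending filter."""
        if mode == "automatic" and self.pending_count() >= PENDING_CAP:
            raise RuntimeError("deactivate anomaly detection before changing the operation mode")
        self.mode = mode
        activated = 0
        if mode == "automatic":
            for rec in self.pending.values():
                self.active.extend(rec.filters)
                activated += len(rec.filters)
            self.pending.clear()
        return activated

    def deactivate(self) -> None:
        """Deactivating detection deletes all pending Dynamic filters."""
        self.pending.clear()
```

Note that always-ignore suppresses every further recommendation from that policy for the rest of the attack period, so a policy that is ignored by mistake produces no visible queue until its interactive status is changed; the cap check raises rather than silently flipping the mode, mirroring the requirement to deactivate detection first.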