Cognitive Security的异常检测技术

最近，Cisco重返网络安全的一个标志性收购就是买下了位于捷克的Cognitive Security公司。这家由捷克一所大学老师创立的startup公司有啥看家的本领呢？呵呵，原来就是DFI，或者说是基于流量的异常检测技术。

Cognitvie的目标很明确，就是检测APT，还有0-day***，以及其他多态恶意代码。

Cognitive用到了以下基于异常的检测算法，不是什么新的算法，但是他们做到了实用化。

Cognitive Analyst's products and services utilize a multi-stage detection algorithm to generate a Cognitive Trust Score (CTS), which is effectively a measure of ''Trustfulness' to the data which is being analyzed. Currently eight stages are used to increase the detection and accuracy of threats, and collectively generate an accurate CTS for an analyst to action and subsequently mitigate against an attack. A selection of these algorithms are summarized as follows:

• MINDS algorithm [Ertoz et al, 2004] 【一种基于源/目标分析的***检测算法】The Minnesota Intrusion Detection System (MINDS) processes data from a number of flows: 1. Data from a single source IP to multiple destinations, 2. flows from multiple sources to a single destination, or 3. a series of flows between a single source to a single destination.
• Xu et al. algorithm [Xu, Zhang et al, 2005] 【一种流量源分类算法】This algorithm serves to classify traffic sources. A normalized entropy is established (i.e. establishing meaningful analysis to the apparent randomness of a data set), determined by applying static classification rules to the established normalized states.
• Volume prediction algorithm [Lakhina et al, 2004] 【流量预测算法】uses the Principal Components Analysis (PCA) methodology, which is a mathematical procedure used to formulate predictive models. In order to build a model of traffic volumes from individual sources, values are determined based on the number of flows, bytes, and packets generated from each source. The PCA method then identifies the complex relationships between the traffic originating from distinct sources.
• Entropy prediction algorithm [Lakhina et al, 2005]【熵预测算法】 This algorithm is similar to the PCA-based traffic modeling discussed above, but uses different features than just volume prediction. Entropy prediction aggregates traffic from source IPs, but instead of processing traffic volumes, it predicts the entropy of source and destination ports, and destination IPs.
• TAPS algorithm [Sridharan et al, 2006]【一种流量逐层分析算法】 targets a specific class of attacks by classifying a subset of suspicious traffic sources and characterizing them by three features: 1. the number of destination IP addresses, 2. the number of ports in the set of flows from the source, and 3. the entropy of the flow size. The anomaly of the source is based on the ratios between these values.

其实，对于这类技术，我已经多次提到过了。我们也在这方面做出了很多努力和工作，并且也已经用到了我们的产品之中。

【参考】

基于异常的检测技术