Amritam Putatunda
Technical Product Manager

How network security is evolving—Behavior is the new signature

October 4, 2019 by Amritam Putatunda

It is said that “Habits make the man.” True to this popular adage, the cybersecurity industry is entering a phase where it moves from detecting an identifiable bad apple with all its visible spots to detecting habits or behaviors that indicate anomalies or deviations from the “normal.”

What is signature detection? Using static analysis to find exploits—but it’s not enough.

Signatures are known patterns that security devices look for to flag an attempt to send an exploit or malware. For example, to detect the infamous CVE-2014-6271 “Shellshock” exploit, an intrusion prevention system (IPS) has a rule that looks for the signature "%3D%28%29+%7B" to check whether a browser is trying to send an encoded “(){” in an HTTP header. Similarly, most known malware has a hash that can be used to identify a known malicious file or other similar chunks of malicious code or files.

Nothing is wrong with using signature techniques and other static analysis. However, hundreds of breach reports have proven that signatures have some severe limitations, and that motivated attackers can easily bypass security systems that rely heavily on signature-based detection and static analysis.

What is behavior detection? Learn the good well enough to separate it from the bad.

Complementing signature-based detection, behavior-based detection doesn’t necessarily look for a particular signature or hash of files (although as part of the detection, it may do some popular signature verification, threat feed matches, etc.). Behavior-based systems search the data flood for patterns of behavior that either look unusual for that environment or match a known pattern of malicious behavior.

There are hundreds of examples of known bad behaviors, but here are a few common ones to look out for:

  • A user is browsing the internet, but the HTTP headers don’t appear to be generated by a common browser
  • A user is trying to initiate telnet, PowerShell, or other such communication protocols with several other internal users within a network
  • A user is uploading or downloading a large number of files or a large amount of HTML content to or from domains and countries where the organization doesn’t have much business
  • A host machine is using credentials that are not associated with that machine and/or trying to access some service(s) that it has never accessed to date from that machine
  • A host is running unusual applications that are considered abnormal for that organization, such as a host using several Linux apps in a Windows-only environment

What’s the issue? Bad education will produce bad outputs. 

As shown in the above examples, in many cases the behavioral detections look for things that are unusual for a particular environment. But things that are unusual for one organization might be usual behavior for a different organization. This means that a cookie-cutter solution, like the one used for signatures, will not work for behavior-based detection. In other words, this type of defense needs to understand very well what constitutes “good behavior” for a particular organization before it can classify the bad behaviors. If it doesn’t, it is marred by false positives or false negatives that considerably reduce the efficacy of the system.

So, learning the good behaviors should solve it right? Easier said than done…but that’s where Ixia’s tools can help.

Teaching a behavior detection platform what counts as good behavior is a considerable, time-consuming task. The training exercise can itself take months, and sometimes the training data may have undetected anomalies that corrupt the learning. However, this doesn’t mean that it can’t be done; we just need to find creative ways to better teach behavioral tools.
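As an added illustration (not code from the original post or from any Ixia product), here is a minimal per-host baseline for the credential and service behaviors listed earlier, trained on constructed events. The host names, accounts, and the `min_count` threshold are assumptions; the threshold keeps a single stray event in the training data from being learned as normal.

```python
from collections import Counter

# Constructed training events (host, account, service); not real log data.
BASELINE = [
    ("ws-01", "alice", "smb"), ("ws-01", "alice", "smb"),
    ("ws-01", "alice", "http"), ("ws-01", "alice", "http"),
    ("ws-02", "bob", "http"), ("ws-02", "bob", "http"),
    ("ws-02", "bob", "ssh"), ("ws-02", "bob", "ssh"),
    ("ws-02", "svc-backup", "telnet"),  # one-off anomaly hiding in the training set
]

def learn(events, min_count=2):
    """Learn which (host, account) and (host, service) pairs are normal.

    A pair counts as normal only if seen at least min_count times
    (assumed guard against anomalies contaminating the training data).
    """
    accounts = Counter((h, a) for h, a, _ in events)
    services = Counter((h, s) for h, _, s in events)
    return ({k for k, n in accounts.items() if n >= min_count},
            {k for k, n in services.items() if n >= min_count})

def score(event, model):
    """Return the reasons an event deviates from the learned baseline."""
    host, account, service = event
    accounts, services = model
    reasons = []
    if (host, account) not in accounts:
        reasons.append("credential-not-associated-with-host")
    if (host, service) not in services:
        reasons.append("service-never-seen-from-host")
    return reasons

if __name__ == "__main__":
    model = learn(BASELINE)
    for ev in [("ws-01", "alice", "smb"),            # matches baseline
               ("ws-02", "bob", "ssh"),              # normal for ws-02 ...
               ("ws-01", "alice", "ssh"),            # ... but new for ws-01
               ("ws-01", "bob", "smb"),              # foreign credential
               ("ws-02", "svc-backup", "telnet")]:   # anomaly was not learned
        print(ev, score(ev, model) or "ok")
```

With `min_count=1` the stray telnet event is absorbed into the baseline and no longer raises an alert, which is the corrupted-learning failure described above.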

As a test and visibility company, Ixia provides tools like BreakingPoint, Vision ONE, and TrafficREWIND to help organizations capture, import, and better reproduce their particular network data profiles to validate security devices and overall network protection against cyber threats. As we get a deeper understanding of behavioral detection systems, it has become clear that we can play a catalyst role in helping to reduce the learning curves of these tools and at the same time help to reduce false positives and negatives. 

Our visibility and test tools capture the digital behavior of your organization. After filtering out anomalies and noise, BreakingPoint can use the remaining data to generate realistic simulations that teach your behavioral tools the specifics of the organization’s expected traffic behavior. Teaching that takes months can now be achieved in hours. Using a controlled, realistic environment that accurately emulates your traffic significantly improves the efficacy of a behavior-based tool in stopping sophisticated next-generation cyber-attacks.
