
Using Baseline Detection for Anomaly Detection in HP ArcSight ESM

  • Writer: Pavan Raja
  • Apr 9
  • 3 min read

Summary:

This post summarizes an HP ArcSight ESM document on baselining: establishing a reference point for normal behavior or event flow and treating deviations from that reference as potential anomalies. In the network and security context this means recording statistics on normal traffic from devices such as firewalls and routers; the same idea applies to user-related data such as login activity and, in fraud analysis, to transactional data. A baseline can be maintained manually or automatically with statistical measures such as moving averages, standard deviation and variance, and it surfaces unusual traffic volumes, connection counts, data volumes and user behavior that may indicate malware beaconing or fraud. The response is tiered by the severity of the deviation, from adding a user or device to a watchlist up to an immediate alert, with thresholds defined in advance and responses triggered automatically when they are exceeded. The document then covers the ESM components used to build and compare baselines: Query Viewers, Trends with Active Lists, Data Monitors (DM) and Pattern Discovery (Threat Detector). These can be placed on Dashboards, can save a snapshot of current behavior as the baseline, support comparisons such as percentage change or absolute change, and can mine large event sets for patterns that are not immediately apparent.

Details:

Baselining is a method of detecting anomalies by establishing a reference point, the baseline, for certain behaviors or event flows. In the network and security context it involves recording statistical data on normal traffic patterns from devices such as firewalls and routers, so that deviations from the established norm can be identified as potential anomalies. In information security the technique applies both to network security data and to user-related data such as login activities. In fraud analysis, for instance, transactional data is used to build a baseline, and transactions that deviate from the established normal parameters are flagged as suspicious.

Baselines can be maintained automatically or manually, using statistical analysis such as moving averages, standard deviation and variance. These methods help identify unusual traffic volumes, high numbers of connections, unusual data volumes and unusual user behavior, any of which may indicate malicious activity such as beaconing by malicious code or fraudulent transactions. One caveat applies whichever method is used: a baseline captured while malicious activity is already present will treat that activity as normal, so the reference period or snapshot should come from a time the environment is believed to be clean.

The response to a detected anomaly depends on the severity of the deviation, ranging from adding the user or device to a watchlist up to an immediate alert. The goal is a dynamic approach in which thresholds for unusual behavior are set according to pre-defined criteria and automated responses are triggered when those thresholds are exceeded. This helps manage the risk from threats such as malware propagation and fraudulent activity.

The document also describes the ESM tools used for this kind of monitoring and analysis: Query Viewers, Trends with Active Lists, and Pattern Discovery (Threat Detector). Together with Data Monitors (DM), which track the behavior or events produced by the monitored devices, these tools are used to create a baseline and then compare current behavior against it statistically, for example by percentage change or absolute change. They can be placed on Dashboards, which provide easy-to-use interfaces for visualizing the data and for saving a snapshot as the baseline, either manually or automatically. Pattern Discovery in particular can extract patterns from large event sets, which is useful for identifying anomalies or potential threats that are not immediately apparent from individual events.
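The statistical baseline and tiered response described above, as an added example (my code, not ArcSight's and not from the original document): a per-key moving-average baseline is seeded from stored history, each new hourly connection count is judged by absolute change, percentage change and standard deviations from the mean (z-score), and the verdict either raises an alert or adds the key to a watchlist. A second function applies the variance measure to inter-arrival times to flag beaconing. All thresholds, addresses, counts and timestamps are assumed values constructed for the example.

```python
"""Baseline-and-deviation checks in the style the post describes.

Added example, not ArcSight code: it stands in for the Data Monitor plus
rule combination the post mentions. A per-source baseline of hourly
connection counts is seeded from history; each new hour is compared with
it by absolute change, percentage change and standard deviations
(z-score), and the verdict selects an immediate alert or a watchlist
entry. beacon_cv() applies the variance idea to inter-arrival times to
spot beaconing. All sample data below is constructed for the example.
"""
from collections import deque
from statistics import mean, pstdev

WINDOW = 24        # observations (hours) kept in the moving-average window
MIN_HISTORY = 6    # no verdict until this many observations exist
ABS_FLOOR = 10     # absolute change below this is never an anomaly (quiet hosts)
Z_WATCH = 2.0      # standard deviations above the mean => add to watchlist
Z_ALERT = 3.0      # standard deviations above the mean => immediate alert
PCT_ALERT = 300.0  # percentage change above this => alert even if z is low


class Baseline:
    """Moving-average baseline keyed by source address (or user, device...)."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.history = {}       # key -> deque of recent hourly counts
        self.watchlist = set()  # keys that drifted but did not trip an alert
        self.alerts = []        # (key, count, mean, z, pct) per alert verdict

    def train(self, key, counts):
        """Seed the baseline from stored history (the 'saved snapshot')."""
        self.history[key] = deque(counts, maxlen=self.window)

    def observe(self, key, count):
        """Judge one new count, then fold it into the baseline.
        Returns 'learning', 'normal', 'watch' or 'alert'."""
        hist = self.history.setdefault(key, deque(maxlen=self.window))
        verdict = "learning"
        if len(hist) >= MIN_HISTORY:
            avg, sd = mean(hist), pstdev(hist)
            abs_change = count - avg
            pct_change = abs_change / avg * 100.0 if avg else float("inf")
            # A flat history means any rise is infinitely many deviations.
            z = abs_change / sd if sd else (float("inf") if abs_change > 0 else 0.0)
            if abs_change < ABS_FLOOR:   # drops and tiny rises are ignored here
                verdict = "normal"
            elif z >= Z_ALERT or pct_change >= PCT_ALERT:
                verdict = "alert"
                self.alerts.append((key, count, round(avg, 1), round(z, 1), round(pct_change, 1)))
            elif z >= Z_WATCH:
                verdict = "watch"
                self.watchlist.add(key)
            else:
                verdict = "normal"
        # Alerted hours do not train the baseline, or an attack would raise its
        # own threshold; watch-level drift is learned so legitimate growth is followed.
        if verdict != "alert":
            hist.append(count)
        return verdict


def beacon_cv(timestamps, min_events=8):
    """Coefficient of variation (stdev/mean) of the inter-arrival times for one
    source->destination pair. Near-constant spacing gives a value close to
    zero, the signature of malware beaconing; human traffic is bursty and
    scores far higher. Returns None when there are too few events to judge."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else float("inf")


# Constructed hourly connection counts per source IP (not real firewall data).
HISTORY = {
    "10.1.1.20": [110, 125, 118, 131, 120, 115, 128, 122, 119, 126, 124, 121],
    "10.1.1.45": [300, 320, 310, 305, 330, 315, 325, 340, 318, 322, 335, 312],
    "10.1.1.70": [80, 95, 70, 100, 85, 90, 75, 105, 88, 92, 78, 98],
}
NEW_HOUR = {"10.1.1.20": 2450, "10.1.1.45": 345, "10.1.1.70": 100, "10.1.1.99": 80}

# Constructed epoch-second timestamps of outbound connections from one host.
BEACON_TS = [0, 300, 601, 899, 1200, 1502, 1798, 2100, 2401, 2700]
BROWSE_TS = [0, 12, 15, 140, 141, 143, 900, 905, 1700, 1702]


def run_demo():
    """Seed the baselines, judge the new hour, and score both timelines."""
    bl = Baseline()
    for key, counts in HISTORY.items():
        bl.train(key, counts)
    verdicts = {key: bl.observe(key, count) for key, count in NEW_HOUR.items()}
    return bl, verdicts, beacon_cv(BEACON_TS), beacon_cv(BROWSE_TS)


if __name__ == "__main__":
    bl, verdicts, beacon, browse = run_demo()
    for key, verdict in verdicts.items():
        print(f"{key:12} {NEW_HOUR[key]:6} -> {verdict}")
    print("watchlist:", sorted(bl.watchlist), "alerts:", bl.alerts)
    print(f"beacon CV={beacon:.3f}  browse CV={browse:.3f}")
```

With these constructed inputs 10.1.1.20 trips the alert (a twentyfold jump, hundreds of standard deviations), 10.1.1.45 lands on the watchlist (about 2.2 standard deviations), 10.1.1.70 is normal, and the never-seen 10.1.1.99 is still learning. The absolute floor keeps a host that normally makes two connections an hour from alerting at four, which a pure z-score or percentage rule would do; in ESM the same role is played by the minimum-count conditions on the rule that consumes the Data Monitor output.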

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.


@2021 Copyrights reserved.
