9-4
Cisco Intrusion Prevention System CLI Sensor Configuration Guide for IPS 7.1
OL-19892-01
Chapter 9 Configuring Anomaly Detection
Anomaly Detection Zones
Anomaly detection has the following modes:

Learning accept mode—Anomaly detection conducts an initial learning accept mode for the default period of 24 hours. We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base (KB), of the network traffic. The default interval value for the periodic schedule is 24 hours and the default action is rotate, meaning that a new KB is saved and loaded, and then replaces the initial KB after 24 hours.

Note Anomaly detection does not detect attacks when working with the initial KB, which is empty. After the default of 24 hours, a KB is saved and loaded and now anomaly detection also detects attacks.

Note Depending on your network complexity, you may want to have anomaly detection in learning accept mode for longer than the default 24 hours.

Detect mode—For ongoing operation, the sensor should remain in detect mode. This is for 24 hours a day, 7 days a week. Once a KB is created and replaces the initial KB, anomaly detection detects attacks based on it. It looks at the network traffic flows that violate thresholds in the KB and sends alerts. As anomaly detection looks for anomalies, it also records gradual changes to the KB that do not violate the thresholds and thus creates a new KB. The new KB is periodically saved and takes the place of the old one, thus maintaining an up-to-date KB.

Inactive mode—You can turn anomaly detection off by putting it in inactive mode. Under certain circumstances, anomaly detection should be in inactive mode, for example, if the sensor is running in an asymmetric environment. Because anomaly detection assumes it gets traffic from both directions, if the sensor is configured to see only one direction of traffic, anomaly detection identifies all traffic as having incomplete connections, that is, as scanners, and sends alerts for all traffic flows. Having anomaly detection running also lowers performance.
Example

The following example summarizes the default anomaly detection configuration. If you add a virtual sensor at 11:00 pm and do not change the default anomaly detection configuration, anomaly detection begins working with the initial KB and only performs learning. Although it is in detect mode, it cannot detect attacks until it has gathered information for 24 hours and replaced the initial KB. At the first start time (10:00 am by default), and the first interval (24 hours by default), the learning results are saved to a new KB and this KB is loaded and replaces the initial KB. Because anomaly detection is in detect mode by default, it begins to detect attacks as soon as the new KB is loaded.
For More Information
For the procedures for putting anomaly detection in different modes, see Adding, Editing, and
Deleting Virtual Sensors, page 6-5.
For more information about how worms operate, see Understanding Worms, page 9-2.
Anomaly Detection Zones

By subdividing the network into zones, you can achieve a lower false negative rate. A zone is a set of destination IP addresses. There are three zones, internal, illegal, and external, each with its own thresholds.
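The KB lifecycle described under the three modes and in the example above, together with the per-zone thresholds introduced in this section, can be followed in a small simulation. The following Python model is an added example and not Cisco's implementation: the zone address ranges, the "incomplete connections per source" statistic, the rule that a learned threshold is the largest count seen in the previous interval, and the assumption that the first rotation happens at the first 10:00 am start time that lies a full interval after the sensor was added are all this example's own choices.

```python
"""Simplified model of the IPS anomaly-detection lifecycle: an initial empty KB,
a periodic 'rotate' schedule, the three modes and per-zone thresholds.
Added example with constructed data; the scoring rule and schedule details are
assumptions made here, not Cisco's implementation."""
from collections import defaultdict
from datetime import datetime, time, timedelta
from enum import Enum
from ipaddress import ip_address, ip_network


class Mode(Enum):
    LEARNING_ACCEPT = "learning-accept"  # build a baseline, never alert
    DETECT = "detect"                    # alert on threshold violations, keep learning
    INACTIVE = "inactive"                # anomaly detection switched off


# Constructed zone definitions (assumed address ranges for the example).
# Any destination that is neither internal nor illegal is treated as external.
ZONES = {
    "internal": [ip_network("10.0.0.0/8")],
    "illegal": [ip_network("192.0.2.0/24")],
}


def zone_of(dst: str) -> str:
    """Map a destination address to its zone: internal, illegal or external."""
    ip = ip_address(dst)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "external"


def first_rotation(created: datetime, start: time, interval: timedelta) -> datetime:
    """First scheduled start time that is at least one full interval after the
    sensor was added (assumption: the initial KB is only replaced once a full
    learning interval has been gathered)."""
    candidate = datetime.combine(created.date(), start)
    while candidate < created + interval:
        candidate += interval
    return candidate


class AnomalyDetector:
    def __init__(self, created: datetime, mode: Mode = Mode.DETECT,
                 start: time = time(10, 0), interval: timedelta = timedelta(hours=24)):
        self.mode = mode
        self.interval = interval
        self.kb = None  # None models the initial, empty KB: nothing can be detected
        self.learned = defaultdict(lambda: defaultdict(int))  # zone -> src -> peak count
        self.window = defaultdict(lambda: defaultdict(int))   # counts since last rotation
        self.next_rotation = first_rotation(created, start, interval)
        self.alerts = []

    def rotate(self) -> None:
        """The 'rotate' action: save the learning results as a new KB and load it.
        Assumed threshold rule: the largest per-source count seen in the interval."""
        self.kb = {zone: max(counts.values(), default=0)
                   for zone, counts in self.learned.items()}
        self.learned = defaultdict(lambda: defaultdict(int))
        self.window = defaultdict(lambda: defaultdict(int))
        self.next_rotation += self.interval

    def observe(self, now: datetime, src: str, dst: str, replied: bool) -> bool:
        """Feed one connection attempt; return True if it raised an alert."""
        if self.mode is Mode.INACTIVE:
            return False
        while now >= self.next_rotation:
            self.rotate()
        if replied:  # a completed connection is not scanner evidence
            return False
        zone = zone_of(dst)
        self.window[zone][src] += 1
        count = self.window[zone][src]
        # A zone with no learned baseline gets threshold 0 (assumption for this model)
        threshold = None if self.kb is None else self.kb.get(zone, 0)
        if self.mode is Mode.DETECT and threshold is not None and count > threshold:
            self.alerts.append((now, src, zone, count))
            return True
        # Gradual changes that stay within the thresholds feed the next KB
        self.learned[zone][src] = max(self.learned[zone][src], count)
        return False


def run_default_scenario() -> dict:
    """Replay the guide's timeline: sensor added at 11:00 pm with default settings."""
    det = AnomalyDetector(datetime(2024, 1, 1, 23, 0))
    t = datetime(2024, 1, 2, 8, 0)
    # Constructed baseline traffic: ten internal clients, two half-open flows each
    for i in range(1, 11):
        for _ in range(2):
            det.observe(t, f"10.0.1.{i}", "10.0.9.9", replied=False)
        det.observe(t, f"10.0.1.{i}", "10.0.9.9", replied=True)
    # Still on the initial KB: a noisier host raises nothing, although mode is detect,
    # and its behaviour is silently accepted into the baseline
    before = sum(det.observe(t, "10.0.1.50", "10.0.9.9", False) for _ in range(3))
    # After the first rotation the new KB is loaded and violations now alert
    t = datetime(2024, 1, 3, 10, 30)
    after = sum(det.observe(t, "10.0.1.99", "10.0.9.9", False) for _ in range(50))
    return {"first_rotation": det.next_rotation - det.interval,
            "threshold": det.kb["internal"],
            "alerts_before": before, "alerts_after": after}


def inactive_never_alerts() -> bool:
    det = AnomalyDetector(datetime(2024, 1, 1, 23, 0), mode=Mode.INACTIVE)
    t = datetime(2024, 1, 5, 12, 0)
    return not any(det.observe(t, "10.0.1.99", "10.0.9.9", False) for _ in range(100))


if __name__ == "__main__":
    print(run_default_scenario())
```

Two points in the scenario match the text: the three half-open flows sent before the first rotation produce no alert and raise the learned internal-zone threshold from 2 to 3, which is why the guide assumes no attack is under way during learning; and in a one-direction deployment `replied` would be False for every flow, so every source looks like a scanner, which is the asymmetric-environment case the guide says belongs in inactive mode.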