User's Guide
The Anomalous Behavior Alarms (ABA) feature is available only on AirDefense Enterprise servers and does
not require a specific license. It is enabled when you enable a Performance Profile. ABA is
calculated for sanctioned clients and sanctioned BSSs only; traffic from all other devices is ignored.
The AirDefense server flags traffic behavior that deviates significantly from the normal behavior it has
observed. The server learns specific attributes of the traffic it monitors over a learning window, then uses
that learned profile to flag any traffic that deviates significantly from it.
AirDefense ABA works in two phases:
• Background Learning Phase
• Live Data Threshold Comparison Phase
These phases are common to all alarms based on the anomaly detection paradigm. Each alarm type
can have different learning parameters and its own threshold computation method.
In the Background Learning Phase, the AirDefense server examines the forensic data in the data
store for a fixed duration and computes a baseline against which each live event is tested. The training
window slides forward so that live data being added to the forensic store is included. Learning runs at
regular intervals during the day and computes thresholds for all anomalous behavior alarms. The learning
window for each alarm is 14 days, and thresholds are computed and stored per 5-minute window; neither
the 14-day window nor the 5-minute granularity can be modified. Thresholds are computed for the scope
on which the Performance Profile is enabled, which can be the Site level, the Floor level, or the System
level.
In the Live Data Threshold Comparison Phase, live data from the sensors is compared with
the thresholds computed for the enabled scope. If the live value is above the computed threshold, the
corresponding alarm is triggered. For example, if the total number of AP Management Frames seen at a
location in a given 5-minute interval exceeds the threshold computed for that same 5-minute time-of-day
interval from the previous 14 days, the AP Management Frame Anomalous Behavior Frames alarm is
raised.
ABA threshold computation starts at 00:00. The computed threshold values are not persistent across server
reboots and restarts: after a restart or reboot, threshold computation does not resume until the next
00:00. Until then no thresholds exist, so live data cannot be compared and no ABA alarm can be raised
for the interval between the restart and the next 00:00. Plan maintenance restarts with this detection
gap in mind.
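The two phases and the restart gap, as an added example that is not AirDefense code and does not claim to be the product's actual threshold algorithm (the guide does not specify it). Assumptions are labelled in the code: the threshold rule (mean plus three standard deviations of the slot's samples over the sliding 14-day window), the scope and metric names, and the constructed 14-day sample data of per-5-minute AP management frame counts.

```python
"""Two-phase anomaly baseline (learn, then compare), modelled on the ABA
description above. Sample data is constructed; the threshold rule is assumed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import statistics

SLOT_MINUTES = 5
SLOTS_PER_DAY = 24 * 60 // SLOT_MINUTES   # 288 five-minute windows per day
LEARNING_DAYS = 14                         # fixed learning window, per the guide
K_SIGMA = 3.0                              # ASSUMED threshold rule: mean + 3 * stdev


def slot_of(ts: datetime) -> int:
    """Map a timestamp to its 5-minute time-of-day slot (0..287)."""
    return (ts.hour * 60 + ts.minute) // SLOT_MINUTES


@dataclass
class AnomalyBaseline:
    """Baseline for one metric in one scope (site, floor or system)."""
    scope: str
    metric: str
    # slot -> threshold. Empty until learning runs and deliberately not persisted,
    # mirroring the guide's statement that thresholds do not survive a restart.
    thresholds: dict = field(default_factory=dict)

    def learn(self, forensic: dict, now: datetime) -> int:
        """Background learning phase.

        `forensic` maps a 5-minute-window start time to the count seen in it.
        Only the sliding window [now - 14 days, now) is used. Returns the number
        of slots that received a threshold.
        """
        cutoff = now - timedelta(days=LEARNING_DAYS)
        samples = defaultdict(list)
        for ts, count in forensic.items():
            if cutoff <= ts < now:
                samples[slot_of(ts)].append(count)
        self.thresholds = {}
        for slot, values in samples.items():
            mean = statistics.fmean(values)
            sd = statistics.pstdev(values) if len(values) > 1 else 0.0
            self.thresholds[slot] = mean + K_SIGMA * sd
        return len(self.thresholds)

    def check(self, ts: datetime, live_count: int) -> tuple:
        """Live comparison phase: returns (alarm_raised, threshold_used).

        With no threshold for the slot (e.g. after a restart and before the
        next 00:00 learning run) nothing can be compared, so no alarm is raised.
        """
        threshold = self.thresholds.get(slot_of(ts))
        if threshold is None:
            return False, None
        return live_count > threshold, threshold

    def restart(self) -> None:
        """Simulate an appliance restart: the in-memory thresholds are lost."""
        self.thresholds = {}


def constructed_forensic_store(end: datetime) -> dict:
    """CONSTRUCTED sample data: 14 days of per-window AP management frame counts,
    busier during 08:00-18:00, with small date-derived jitter (deterministic)."""
    store = {}
    ts = end - timedelta(days=LEARNING_DAYS)
    while ts < end:
        slot = slot_of(ts)
        busy = 1.0 if 8 * 12 <= slot < 18 * 12 else 0.3
        jitter = (ts.day * 7 + slot) % 11 - 5          # -5..+5
        store[ts] = int(200 * busy) + jitter
        ts += timedelta(minutes=SLOT_MINUTES)
    return store


def demo() -> dict:
    """Learn at 00:00, test a normal window and a flood, then show the restart gap."""
    midnight = datetime(2024, 3, 15, 0, 0)             # learning runs at 00:00
    baseline = AnomalyBaseline(scope="Site: HQ / Floor 2", metric="ap_mgmt_frames")
    learned = baseline.learn(constructed_forensic_store(midnight), midnight)
    probe = datetime(2024, 3, 15, 10, 5)                # a live 5-minute window
    normal = baseline.check(probe, 198)                 # within learned behaviour
    flood = baseline.check(probe, 2000)                 # e.g. a beacon/deauth flood
    baseline.restart()
    blind = baseline.check(probe, 2000)                 # same flood, no baseline yet
    return {"slots_learned": learned, "normal": normal, "flood": flood, "blind": blind}


if __name__ == "__main__":
    print(demo())
```

The `blind` result is the point of the restart caveat: the same flood that raised an alarm a moment earlier produces nothing once the thresholds are gone, and nothing will until learning runs again at 00:00. The per-slot map also shows why thresholds are keyed by time of day rather than by absolute time: a 10:05 window is compared only with earlier 10:05 windows, so the quiet-hours baseline never masks a daytime flood or vice versa.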
The following Anomalous Behavior Alarms are supported:
• MU Management Frame Anomalous Behavior Frames
• MU Data Frame Anomalous Behavior Frames
• MU Control Frame Anomalous Behavior Frames
• AP Management Frame Anomalous Behavior Frames
• AP Data Frame Anomalous Behavior Frames
• AP Control Frame Anomalous Behavior Frames
• MU Management Frame Anomalous Behavior Bytes
• MU Data Frame Anomalous Behavior Bytes
• MU Control Frame Anomalous Behavior Bytes
• AP Management Frame Anomalous Behavior Bytes
Configuration Tab: Anomaly Baseline View
Extreme AirDefense User Guide for version 10.5, page 561