Cisco Intrusion Prevention System Sensor CLI Configuration Guide for IPS 7.2
OL-29168-01
Chapter 9 Configuring Anomaly Detection
Anomaly detection identifies worm-infected hosts by their behavior as scanners. To spread, a worm must find new hosts, and it finds them by scanning the Internet or the network using TCP, UDP, and other protocols, generating unsuccessful attempts to reach many different destination IP addresses. A scanner is defined as a source IP address that generates events on the same destination port (for TCP and UDP) for too many destination IP addresses.

For the TCP protocol, the relevant events are nonestablished connections, such as a SYN packet that does not receive its SYN-ACK response within a given amount of time. A worm-infected host that scans using TCP generates nonestablished connections on the same destination port for an anomalous number of destination IP addresses.

For the UDP protocol, the relevant events are unidirectional connections, such as a UDP connection in which all packets travel in one direction only. A worm-infected host that scans using UDP sends UDP packets but does not receive UDP packets on the same quad within a timeout period, on the same destination port, for multiple destination IP addresses.

For other protocols, such as ICMP, the relevant events are packets sent from one source IP address to many different destination IP addresses that are received in one direction only.
Caution
If a worm has a list of IP addresses it should infect and does not have to use scanning to spread itself (for example, it uses passive mapping—listening to the network as opposed to active scanning), it is not detected by the anomaly detection worm policies. Worms that receive a mailing list by probing files within the infected host and email this list are also not detected, because no Layer 3/Layer 4 anomaly is generated.
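The scanner definition above, reduced to a small detector, as an added example that is not part of the Cisco guide and does not model the sensor's own implementation. It assumes the TCP and UDP timeout checks have already been resolved into an `established` flag on each constructed flow record, counts distinct destination IPs per (source IP, protocol, destination port) for the remaining nonestablished or one-way traffic, and flags sources that exceed a threshold; the last group of flows reproduces the Caution case, where a host reaching a prebuilt list of hosts with completed connections generates no scanner evidence.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed record, not sensor output)."""
    proto: str          # "tcp", "udp" or "other" (e.g. icmp)
    src: str            # source IP address
    dst: str            # destination IP address
    dport: int          # destination port; 0 for port-less protocols
    established: bool   # TCP: SYN got its SYN-ACK in time; UDP/other: reply seen on the quad


# Constructed sample traffic with hypothetical addresses.
FLOWS = (
    # TCP worm-style scan: unanswered SYNs to port 445 on eight different hosts
    [Flow("tcp", "10.0.0.5", f"10.0.1.{i}", 445, False) for i in range(1, 9)]
    # UDP scan: one-way datagrams to port 1434 on six hosts
    + [Flow("udp", "10.0.0.7", f"10.0.2.{i}", 1434, False) for i in range(1, 7)]
    # ICMP to three hosts with no reply: one-directional, but too few hosts to flag
    + [Flow("other", "10.0.0.9", f"10.0.3.{i}", 0, False) for i in range(1, 4)]
    # Mail to a prebuilt list of eight hosts; every connection completes (the Caution case)
    + [Flow("tcp", "10.0.0.11", f"10.0.4.{i}", 25, True) for i in range(1, 9)]
)


def scan_events(flows):
    """Keep only scanner evidence: nonestablished TCP connections and one-way UDP/other traffic."""
    return [f for f in flows if not f.established]


def find_scanners(flows, threshold=5):
    """Return {(src, proto, dport): distinct destination count} for sources that behave as scanners.

    TCP and UDP events are grouped per destination port; other protocols have no port,
    so all of a source's one-way traffic is grouped together (dport recorded as 0).
    """
    targets = defaultdict(set)
    for f in scan_events(flows):
        port = f.dport if f.proto in ("tcp", "udp") else 0
        targets[(f.src, f.proto, port)].add(f.dst)
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) > threshold}


if __name__ == "__main__":
    for (src, proto, port), n in find_scanners(FLOWS).items():
        print(f"scanner {src} {proto}/{port}: {n} distinct destinations")
```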
For More Information
For the procedure for turning off anomaly detection, see Disabling Anomaly Detection, page 9-48.
Anomaly Detection Modes
If you have anomaly detection enabled, it initially conducts a "peacetime" learning process during which the normal state of the network is captured. Anomaly detection then derives a set of policy thresholds that best fit the normal network.
Anomaly detection has the following modes:
Learning accept mode—Anomaly detection conducts an initial learning accept mode for the default period of 24 hours. We assume that during this phase no attack is being carried out. Anomaly detection creates an initial baseline, known as a knowledge base (KB), of the network traffic. The default interval for the periodic schedule is 24 hours and the default action is rotate, meaning that a new KB is saved and loaded, replacing the initial KB after 24 hours.
Note
Anomaly detection does not detect attacks while working with the initial KB, which is empty. After the default 24 hours, a KB is saved and loaded, and from then on anomaly detection also detects attacks.
Note
Depending on your network complexity, you may want to keep anomaly detection in learning accept mode for longer than the default 24 hours.