Anomaly Detection

Once we know what usual activity looks like, deviations from it stand out as anomalies.

An anomaly is something that does not belong, or something that gives us reason for suspicion, for example:

  • Attempt to mirror legitimacy

  • Unexpected randomness or patterns

  • Unexpected frequency of occurrences

  • Normal things in an abnormal context

Types

Mirroring Legitimacy

Attempting to hide by mimicking the characteristics of a legitimate entity (a trusted process name, sender, domain or account).

Examples:

  • process

  • file name

  • e-mail

  • domain

  • username

Frequency of occurrences

Events that occur fewer or more times than the average or expected number. Detecting this requires knowledge of the standard behaviour or sequence, plus a threshold for what counts as too few or too many.

Examples:

  • Authentication

  • Process Execution
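As an added example (not part of the original notes), the following Python detector counts failed authentications per user inside a sliding window and alerts when the count crosses a threshold; it also escalates when a successful logon follows the burst, which is the shape a brute-force attack leaves behind. The log format, the window of five minutes, the threshold of five failures and the log lines themselves are constructed assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real logs: one logon attempt per line, in the shape
# "<ISO timestamp> <FAIL|OK> user=<name> src=<ip>".
SAMPLE_LOG = """\
2024-03-04T08:00:05 FAIL user=alice src=10.0.0.5
2024-03-04T08:00:06 FAIL user=alice src=10.0.0.5
2024-03-04T08:00:07 FAIL user=alice src=10.0.0.5
2024-03-04T08:00:09 FAIL user=alice src=10.0.0.5
2024-03-04T08:00:10 FAIL user=alice src=10.0.0.5
2024-03-04T08:00:12 FAIL user=alice src=10.0.0.5
2024-03-04T08:00:13 OK user=alice src=10.0.0.5
2024-03-04T08:15:00 FAIL user=bob src=10.0.0.9
2024-03-04T09:40:00 FAIL user=bob src=10.0.0.9
2024-03-04T11:20:00 FAIL user=bob src=10.0.0.9
"""


def parse_event(line):
    """Turn one log line into (timestamp, outcome, user, src)."""
    ts, outcome, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), outcome, kv["user"], kv["src"]


def detect_bursts(log_text, window=timedelta(minutes=5), threshold=5):
    """Flag a user whose failed logons reach `threshold` inside `window` (too many
    occurrences), and escalate when a successful logon follows that burst within
    the same window. `window` and `threshold` are the knobs the notes call
    'thresholds'; the values here are assumptions for the sample data."""
    recent = defaultdict(deque)   # user -> failure timestamps still inside the window
    burst_at = {}                 # user -> time the threshold was crossed
    alerts = []
    events = sorted(parse_event(l) for l in log_text.splitlines() if l.strip())
    for ts, outcome, user, src in events:
        q = recent[user]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
            if len(q) == threshold:       # alert once, on the crossing, not on every later failure
                burst_at[user] = ts
                alerts.append((user, src, "failure-burst", len(q)))
        elif outcome == "OK" and user in burst_at and ts - burst_at[user] <= window:
            alerts.append((user, src, "success-after-burst", len(q)))
            del burst_at[user]
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

Bob's three failures are spread over hours and never share a window, so he is not flagged; Alice's six failures in eight seconds cross the threshold once, and the success that follows is reported as the higher-value signal.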

Generic non-descriptives

Attempt to hide by presenting broad or generic information. Many legitimate entities use generic names too, so on its own this is weak evidence and needs corroboration from other anomalies.

Examples:

  • process

  • file name

  • e-mail

  • domain

Missing information

Evidence that is missing expected data or context.

Examples:

  • process id

  • malicious documents

  • missing logs: a complete absence of logs from a source that should be producing them is a red flag in itself

Content Formatting

Anomalies in the way data is converted or represented that show up in the evidence. They often arise from translation between languages and character sets.

Examples:

  • typosquatting: a domain name that looks like it contains a Latin "e" but actually contains a Cyrillic "е". The two glyphs look identical but are different Unicode code points (the Cyrillic letter is not an ASCII character at all)
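The two sections "Mirroring Legitimacy" and "Content Formatting" ask the same question of a name: is it really the legitimate one, or something engineered to look like it? The Python below, an added example and not code from the original notes, answers it in three layers: mixed writing systems inside one name, lookalike glyphs folded to Latin and compared exactly (the Cyrillic "е" case, plus digit-for-letter swaps), and small edit distances (typo-style mimicry such as a transposed letter). The allow-lists and the confusable table are constructed assumptions; the real Unicode confusables data (UTS #39) is far larger than the handful of entries here.

```python
import unicodedata

# Allow-lists of names the environment treats as legitimate (constructed for the example).
KNOWN_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "services.exe"}
KNOWN_DOMAINS = {"example.com", "login.example.com"}

# Illustrative subset of characters that render like Latin letters: a few Cyrillic
# lookalikes plus the two digits most often swapped for letters. Not a complete table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "0": "o", "1": "l",
}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_used(name):
    """Writing systems used by the letters in `name`, taken from the first word of
    each character's Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...)."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in name if ch.isalpha()}


def skeleton(name):
    """Comparable form of a name: NFKC folds fullwidth and compatibility forms,
    lowercasing removes case games, CONFUSABLES maps lookalike glyphs to Latin."""
    folded = unicodedata.normalize("NFKC", name).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def classify(name, known, max_distance=2):
    """'known', 'mixed-script', 'homoglyph-of:<x>', 'near-miss-of:<x>' or 'unrelated'."""
    name = name.lower()
    if name in known:
        return "known"
    if len(scripts_used(name)) > 1:          # Latin and Cyrillic in one label is suspicious by itself
        return "mixed-script"
    sk = skeleton(name)
    if sk in known:                          # identical once lookalike glyphs are folded
        return "homoglyph-of:" + sk
    closest = min(known, key=lambda k: levenshtein(sk, k))
    dist = levenshtein(sk, closest)
    if 0 < dist <= max_distance:             # one or two edits away from a legitimate name
        return "near-miss-of:" + closest
    return "unrelated"


if __name__ == "__main__":
    for n in ["svchost.exe", "svch0st.exe", "scvhost.exe", "chrome.exe"]:
        print(n, "->", classify(n, KNOWN_PROCESSES))
    for d in ["example.com", "ex\u0430mple.com", "examp1e.com"]:
        print(d, "->", classify(d, KNOWN_DOMAINS))
```

The order of the checks matters: the script test runs before the skeleton comparison so that a mixed-script label is reported as such rather than being folded away, and the edit-distance test is applied to the folded form so that a name can be both lookalike and misspelt and still be caught.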

Unexpected obfuscation and encryption

The unexpected use, or the unexpected absence, of obfuscation or encryption. This anomaly type centres on actual vs. expected entropy: a script or command line should not carry a random-looking blob, and traffic to a TLS port should not be readable plaintext.

Examples:

  • e-mails

  • scripts

  • HTTP

  • protocol Payloads
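An added example, not from the original notes, of the "actual vs. expected entropy" idea in Python. Shannon entropy is measured in bits per symbol; the detector applies it in both directions: long command-line tokens that are more random than text should be (an encoded script) and payloads whose entropy disagrees with the destination port (plaintext on 443, or ciphertext on 80). The port lists, the thresholds and the sample inputs are constructed assumptions; the "random" bytes come from a SHA-256 chain so the example is deterministic and runs offline.

```python
import base64
import hashlib
import math
import re
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per symbol of a str or bytes value. Rough guide: English or
    source text about 4 to 4.7 bits/char, base64 of random bytes approaches 6
    bits/char (64 symbols), random or encrypted bytes approach 8 bits/byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def high_entropy_tokens(command_line, min_len=32, threshold=5.0):
    """Command-line tokens long enough and random-looking enough to be an encoded or
    encrypted blob. Short tokens are skipped because entropy estimated over a handful
    of characters is meaningless. Both limits are assumptions for the sample."""
    found = []
    for tok in re.split(r"\s+", command_line.strip()):
        if len(tok) >= min_len:
            h = shannon_entropy(tok)
            if h > threshold:
                found.append((tok, round(h, 2)))
    return found


# Ports where ciphertext is expected and ports where plaintext is expected (assumption).
ENCRYPTED_PORTS = {22, 443, 993, 995}
PLAINTEXT_PORTS = {25, 80}


def classify_payload(dst_port, payload, threshold=7.0):
    """Compare observed byte entropy with what the destination port leads us to expect."""
    encrypted_looking = shannon_entropy(payload) > threshold
    if dst_port in ENCRYPTED_PORTS and not encrypted_looking:
        return "plaintext-on-encrypted-port"      # cleartext C2 or a misconfigured service
    if dst_port in PLAINTEXT_PORTS and encrypted_looking:
        return "encrypted-on-plaintext-port"      # a tunnel hiding inside 'HTTP'
    return "as-expected"


# Constructed inputs for the example.
PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 bytes
ENCODED_BLOB = base64.b64encode(PSEUDO_RANDOM[:96]).decode()                       # 128 base64 chars
PLAIN_CMD = ("powershell.exe -NoProfile -Command Invoke-WebRequest "
             "http://intranet.example.com/reports/2024/q1.xlsx -OutFile q1.xlsx")
ENCODED_CMD = "powershell.exe -NoProfile -EncodedCommand " + ENCODED_BLOB
PLAIN_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
              b"User-Agent: curl/8.0\r\nAccept: */*\r\n\r\n")


if __name__ == "__main__":
    print("plain command :", high_entropy_tokens(PLAIN_CMD))
    print("encoded command:", high_entropy_tokens(ENCODED_CMD))
    print("HTTP to 443   :", classify_payload(443, PLAIN_HTTP))
    print("random to 80  :", classify_payload(80, PSEUDO_RANDOM))
```

The long URL in the plain command stays under the threshold because a URL draws on few distinct characters, while the base64 blob of the same length spreads almost evenly over 64 symbols. Compressed archives and images also score high, so in practice the port or file-type context decides whether high entropy is expected.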

Unexpected 1:M relationship

Events from one source to many destinations, or from many sources to one destination, where that is not expected in the given context (a vulnerability scanner or a jump host is expected to fan out; a workstation is not).

Examples:

  • Authentication (enumeration)

  • Network connections
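An added example (not from the original notes) of the 1:M check in Python over constructed authentication events. It asks the question in three directions: one source touching many accounts (spraying or enumeration), one source touching many hosts (lateral movement or scanning), and one account arriving from many sources (a shared or stolen credential). The "expected in context" part is modelled as an allow-list of sources whose fan-out is normal. The events, thresholds and allow-list are all assumptions for the example.

```python
from collections import defaultdict

# Constructed authentication events: (source IP, account, destination host).
EVENTS = [
    ("10.0.0.7", "alice", "fs01"), ("10.0.0.7", "bob", "fs01"), ("10.0.0.7", "carol", "fs01"),
    ("10.0.0.7", "dave", "fs01"), ("10.0.0.7", "erin", "fs01"),            # one source, many accounts
    ("10.0.0.12", "alice", "fs01"), ("10.0.0.12", "alice", "mail01"),
    ("10.0.0.12", "alice", "wiki01"), ("10.0.0.12", "alice", "db02"),
    ("10.0.0.12", "alice", "hr01"),                                         # one source, many hosts
    ("10.0.0.2", "svc-scan", "fs01"), ("10.0.0.2", "svc-scan", "mail01"),
    ("10.0.0.2", "svc-scan", "wiki01"), ("10.0.0.2", "svc-scan", "db02"),
    ("10.0.0.2", "svc-scan", "hr01"),                                       # scanner: expected fan-out
    ("10.0.0.20", "frank", "fs01"), ("10.0.0.20", "frank", "mail01"),       # ordinary user
    ("10.0.0.31", "grace", "vpn01"), ("10.0.0.32", "grace", "vpn01"),
    ("10.0.0.33", "grace", "vpn01"), ("10.0.0.34", "grace", "vpn01"),       # one account, many sources
]

SRC, USER, DST = 0, 1, 2

# Sources whose fan-out is expected in this environment (scanner, jump host, ...). Assumption.
EXPECTED_FANOUT_SOURCES = {"10.0.0.2"}


def distinct_counts(events, key, value):
    """Number of distinct `value` fields observed for each `key` field."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev[key]].add(ev[value])
    return {k: len(v) for k, v in seen.items()}


def detect_one_to_many(events, max_accounts_per_src=3, max_hosts_per_src=3, max_srcs_per_account=3):
    """Three directions of the same question: does one entity touch too many others?
    Thresholds are assumptions for the sample and should come from the environment's baseline."""
    alerts = []
    for src, n in distinct_counts(events, SRC, USER).items():
        if n > max_accounts_per_src and src not in EXPECTED_FANOUT_SOURCES:
            alerts.append(("many-accounts-from-one-source", src, n))      # spray / enumeration
    for src, n in distinct_counts(events, SRC, DST).items():
        if n > max_hosts_per_src and src not in EXPECTED_FANOUT_SOURCES:
            alerts.append(("one-source-to-many-hosts", src, n))           # lateral movement / scan
    for account, n in distinct_counts(events, USER, SRC).items():
        if n > max_srcs_per_account:
            alerts.append(("one-account-from-many-sources", account, n))  # shared or stolen credential
    return alerts


if __name__ == "__main__":
    for alert in detect_one_to_many(EVENTS):
        print(alert)
```

Counting distinct peers rather than raw events is what separates this anomaly type from plain frequency: one user hammering one host is a frequency problem, one user touching five hosts once each is a relationship problem, even though both produce five events.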

Improper Timing

Events occurring outside of the normal or expected date/time. Do not forget about time zones, working hours, weekends and people on business trips: an event at 01:00 UTC may be mid-morning for a user who is currently abroad.

Examples:

  • authentication

  • logs

  • web browsing

  • downloads

  • process execution
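An added example, not part of the original notes, of the timing check in Python. Events are timestamped in UTC; each user has a home time zone and an optional travel record that temporarily moves them to another zone, and the detector converts to the user's effective local time before asking "weekend?" and "outside working hours?". The users, zones, trip, working hours and events are constructed assumptions for the example.

```python
from datetime import date, datetime, time
from zoneinfo import ZoneInfo

# Per-user context (constructed): home time zone and travel windows (start date, end date, zone).
HOME_TZ = {"alice": "Europe/Prague", "bob": "America/New_York"}
TRAVEL = {"bob": [(date(2024, 3, 4), date(2024, 3, 8), "Asia/Tokyo")]}
WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed working hours, local time

# Constructed events: (user, activity, UTC timestamp as ISO 8601 with offset).
EVENTS = [
    ("alice", "auth", "2024-03-04T13:00:00+00:00"),      # Monday 14:00 in Prague
    ("alice", "download", "2024-03-05T01:30:00+00:00"),  # Tuesday 02:30 in Prague
    ("bob", "auth", "2024-03-06T01:00:00+00:00"),        # 20:00 in New York, 10:00 in Tokyo while travelling
    ("bob", "process", "2024-03-02T15:00:00+00:00"),     # Saturday 10:00 in New York
]


def effective_zone(user, ts_utc):
    """Home zone, unless the user is on a recorded trip on that (UTC) date."""
    zone = HOME_TZ[user]
    for start, end, trip_zone in TRAVEL.get(user, []):
        if start <= ts_utc.date() <= end:
            zone = trip_zone
    return ZoneInfo(zone)


def timing_anomalies(events):
    """Flag events that fall on a weekend or outside working hours in the user's
    effective local time. Returns (user, activity, local ISO time, reason) tuples."""
    alerts = []
    for user, activity, iso in events:
        ts_utc = datetime.fromisoformat(iso)
        local = ts_utc.astimezone(effective_zone(user, ts_utc))
        if local.weekday() >= 5:                               # Saturday or Sunday
            alerts.append((user, activity, local.isoformat(), "weekend"))
        elif not (WORK_START <= local.time() < WORK_END):
            alerts.append((user, activity, local.isoformat(), "off-hours"))
    return alerts


if __name__ == "__main__":
    for alert in timing_anomalies(EVENTS):
        print(alert)
```

Bob's 01:00 UTC logon is only normal because the travel record moves him to Tokyo for that week; drop the record and the same event becomes an off-hours alert, which is exactly the false positive the notes warn about. The zone database also handles daylight-saving transitions, which a fixed offset would get wrong twice a year.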

Unexpected Entity Relationships

Interaction between two entities that is anomalous given the properties and expected behaviour of those entities.

Examples:

  • User to host authentication

  • User to host network communication

  • User to process ownership

In general

Baseline deviations

A behaviour that has occurred the same way for a long time and then changes. This covers both directions: a sudden spike and a sudden drop (including a source that stops logging altogether).
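An added example (not from the original notes) of baseline deviation in Python: daily event counts per log source are learned over a baseline period, and each later day is scored with a z-score. The same routine catches the spike, the drop and the "missing logs" case from the section above, because a day with zero events is simply the most extreme drop. The counts, the 14-day baseline, the z threshold and the standard-deviation floor are constructed assumptions for the example.

```python
import statistics

# Constructed daily event counts per log source: 14 baseline days, then 2 days to evaluate.
DAILY_COUNTS = {
    "web01": [1010, 990, 1005, 1020, 980, 1000, 995, 1015, 1000, 990, 1005, 1010, 985, 1000, 1002, 0],
    "db01": [200, 210, 195, 205, 200, 198, 202, 207, 199, 201, 204, 196, 203, 200, 201, 640],
    "wiki01": [50, 52, 49, 51, 50, 48, 53, 50, 49, 52, 51, 50, 49, 50, 51, 52],
}


def baseline_deviations(daily_counts, baseline_days=14, z_threshold=3.0, min_sd_fraction=0.05):
    """Learn mean and standard deviation from the first `baseline_days` of each source,
    then score every later day with a z-score. `min_sd_fraction` floors the standard
    deviation at a fraction of the mean so an unusually stable baseline does not
    alert on trivial jitter (assumed value). Returns (source, day index, observed,
    z, kind) with kind in {'spike', 'drop', 'missing-logs'}."""
    alerts = []
    for source, counts in daily_counts.items():
        base = counts[:baseline_days]
        mean = statistics.mean(base)
        sd = max(statistics.pstdev(base), min_sd_fraction * mean)
        for day, observed in enumerate(counts[baseline_days:], start=baseline_days):
            z = (observed - mean) / sd
            if abs(z) >= z_threshold:
                if observed == 0:
                    kind = "missing-logs"      # the absence-of-evidence case
                elif z < 0:
                    kind = "drop"
                else:
                    kind = "spike"
                alerts.append((source, day, observed, round(z, 1), kind))
    return alerts


if __name__ == "__main__":
    for alert in baseline_deviations(DAILY_COUNTS):
        print(alert)
```

A z-score assumes the baseline is roughly stationary; weekly rhythms (quiet weekends, busy Mondays) are better handled by keeping a separate baseline per weekday, and the baseline window should exclude days that were themselves flagged, or the anomaly gets learned as normal.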

Normal things in abnormal context

The use of a legitimate application in a way that is not typical for it.

General Unknowns

Things you do not understand among things you do understand.
