University Effectively Using Anomaly Detection

The 9,000 students at the University of New Brunswick (UNB) in Fredericton, New Brunswick, Canada, have a high degree of freedom for how they use their computers at the school. For instance, students are able to choose any operating system they want to run, and plug their PCs into the campus network.

The campus IT administration sees its role as enabling academic pursuits on the campus network, and not to tightly police how those machines are used. Still, when there is a problem, such as when unusual network traffic threatens to bring down the network, or a malicious code attack breaks out and begins to spread, the network administrators need to be able to respond quickly.

"When we face problems, it would be nice to just tell what is running across the communications lines," says Peter Jacobs, manager of communications and networks for the university.

About five years ago, UNB was running homegrown tools to monitor network traffic, but its staff saw the requirement as more than they were willing to handle with those tools. Chris Newton, an IT specialist working at UNB at the time, started developing a new technology to meet the challenge.

The software was presented at a technology commercialization event at UNB in October 2000, where it caught the attention of Brian Flood, an entrepreneur interested in commercializing the technology. In February 2001, Flood and his partners founded Q1 Labs, a privately funded corporation headquartered in Delaware, with offices in New Brunswick and Waltham, Mass.

The QRadar anomaly detection product from Q1 Labs is the result. UNB is a customer and early test site, and a close ally for research and product testing, continuing to feed ideas and suggestions for enhancements into Q1 Labs.

"The Internet used to be friendly," Jacobs says. "But now it's an untamed land that is dangerous to be hanging out in. The QRadar product is like a giant magnifying glass on the network, helping us to understand what is happening."

The monitoring lets the administrators know when they might need to increase bandwidth, and when something might need to be turned off, such as a worm launching an attack, or a student launching a scan of the university network for some reason.

"We would phone the student to talk about it," Jacobs says.

One time a science department was sending 30Mb streams of data at the rate of up to 3Gb per hour. It turned out they were doing a geographic database exchange with the University of Kansas, a very acceptable academic use.

Sometimes UNB helps other organizations understand the nature of new attacks. Recently, for example, the university detected a bot that was polling ports across a certain IP address range, behavior not seen before. It began working with the SANS Institute to correlate reports and gather information. The administrators added parameters to QRadar to search for this bot and to clean it up when it is found.

The MyDoom attack was detected several weeks ago and cleaned off several affected servers within hours. "A quick response is important," Jacobs says.

Jacobs' favorite view is one showing categories of observed traffic such as: Mostly In, Mostly Out, Out Only, In Only. If a machine is sending 500 or 1,000 packets out and getting no response, it is either a badly written program or malicious code. And if similar traffic is coming in only, "something is going on that should not be," Jacobs says. It gets cleaned up.
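The directional view and the no-response heuristic Jacobs describes, as an added example in Python that is not code from the article, from Q1 Labs or from QRadar; the flow records, the addresses and the local prefix are constructed, and the 500-packet cutoff is the lower of the two figures quoted:

```python
# Added example (not QRadar or Q1 Labs code): bucket local hosts by traffic
# direction as in the "Mostly In / Mostly Out / Out Only / In Only" view and
# flag hosts that send or receive many packets with nothing coming back.
from collections import defaultdict

# Constructed flow records (src, dst, packets); addresses are RFC 5737
# documentation ranges, not real hosts. 192.0.2.0/24 plays the campus LAN.
FLOWS = [
    ("192.0.2.10", "198.51.100.5", 120),   # ordinary two-way session
    ("198.51.100.5", "192.0.2.10", 95),
    ("192.0.2.20", "203.0.113.7", 700),    # talks a lot, never answered
    ("192.0.2.20", "203.0.113.8", 650),
    ("203.0.113.9", "192.0.2.30", 900),    # hit a lot, never replies
    ("192.0.2.40", "198.51.100.6", 4000),  # bulk upload, acks return
    ("198.51.100.6", "192.0.2.40", 300),
]
LOCAL_PREFIX = "192.0.2."
NO_RESPONSE_THRESHOLD = 500  # the article's lower figure

def directional_counts(flows, local_prefix=LOCAL_PREFIX):
    """Return {local_host: (packets_out, packets_in)}."""
    out_pkts, in_pkts = defaultdict(int), defaultdict(int)
    for src, dst, pkts in flows:
        if src.startswith(local_prefix):
            out_pkts[src] += pkts
        if dst.startswith(local_prefix):
            in_pkts[dst] += pkts
    return {h: (out_pkts[h], in_pkts[h]) for h in set(out_pkts) | set(in_pkts)}

def categorize(out_pkts, in_pkts):
    """Map (out, in) packet counts to the article's four buckets."""
    if in_pkts == 0:
        return "Out Only"
    if out_pkts == 0:
        return "In Only"
    return "Mostly Out" if out_pkts >= in_pkts else "Mostly In"

def flag_hosts(flows, threshold=NO_RESPONSE_THRESHOLD):
    """Return {host: reason} for one-way talkers above the threshold: Out Only
    means a badly written program or malware; In Only means a host being probed."""
    flagged = {}
    for host, (out_pkts, in_pkts) in directional_counts(flows).items():
        category = categorize(out_pkts, in_pkts)
        if category == "Out Only" and out_pkts >= threshold:
            flagged[host] = f"{category}: {out_pkts} packets out, no response"
        elif category == "In Only" and in_pkts >= threshold:
            flagged[host] = f"{category}: {in_pkts} packets in, no reply"
    return flagged
```

A real deployment would feed flow-exporter or capture data into `directional_counts` over a time window, since a single burst of unanswered packets is the signal, not a lifetime total.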

No network engineer today would be without Sniffer on a local area network. In Jacobs' view, "The next thing is that no network engineer should be without QRadar for watching the wide area network."
