Pinned topic: Understand behavior rule
3 replies | Latest post 2016-03-29T09:41:16Z by JSWee

JSWee (53 Posts)
2016-03-04T08:21:15Z | behavior rule

Hi team,

These (below) are the default conditions which I see when I click on "Behavioral rule" while creating a rule. However, I see some terms which I don't really understand, such as "current traffic level", "current traffic trend" and "current traffic behavior". Can someone help explain these to me?

 and when this accumulated property is the tested property
 and when the importance of the current traffic level (on a scale of 0 to 100) is 70 compared to learned traffic trends and behavior
 and when the importance of the current traffic trend (on a scale of 0 to 100) is 30 compared to learned traffic levels and behavior
 and when the importance of the current traffic behavior (on a scale of 0 to 100) is 30 compared to learned traffic levels and trends
 and when the actual field value deviates by a margin of at least 50% of the extrapolated (predicted) field value
 and when the season length is a day

 

Looking at the guide (below) with a given example on behavior rules, I could not really relate the example back to the conditions above:

 

I need help from the experts here to understand how the behavior rule works, as we are currently looking at one use case: tracking suspicious user activity on a database based on SELECT queries.

Appreciate any inputs here! Thanks!

  • JonathanPechtaIBM (238 Posts)
    Re: Understand behavior rule
    2016-03-09T11:46:40Z

    The purpose of setting up a behavior rule is to set up a search that learns the rate or volume of a property over a pre-defined 'season'. You can think of a season as the baseline comparison timeline for what you are evaluating. When you set a season of 1 week, the behavior for the property over that 1 week is learned and you can then use rule tests to alert you to the changes. Behavioral rules are good for detecting changes in traffic or properties that are always present. Not all data is good for a behavior rule, as mentioned, because the data in the season should be continuous. An example of data that is not good for a behavioral rule is data that is present, then disappears, then comes back again (think of a graph of spikes that have gaps between them). However, great examples of patterns that can be used for behavioral rules are things like mail traffic, firewall traffic, bytes transferred by common protocols such as 443 traffic, or applications being used commonly within your network. The goal is to define a pattern, traffic type, or data type that can be tracked to generate an overall trend / historical analysis. Then you assign rule tests against that pattern to alert you to special conditions. For example, if I put in "and when the importance of the current traffic level (on a scale of 0 to 100) is 70 compared to learned traffic trends and behavior", then I want the system to alert me when the traffic set in my season time frame is +70 or -70 of the learned behavior.

    Here are some definitions for the rule tests:

    • Season: This is your most important value. The season defines the baseline behavior of the property that you are testing, which the other rule tests then leverage. To define a season, you need to take into account the type of traffic you are monitoring. For example, for network traffic or processes that include human interaction, 1 week is a good season time frame; however, for tracking automated services where patterns are consistent, you might be able to create a season as short as 1 day to define that pattern of behavior.
    • Current traffic level: Weight of the original data with seasonal changes and random error accounted for. This rule test asks the question, "Is the data the same as yesterday at the same time?"
    • Current traffic trend: Weight of changes in the data for each time interval. This rule test asks the question, "How much is the data changing when comparing this minute to the minute before?"
    • Current traffic behavior: Weight of the seasonal effect for each period. This rule test asks the question, "Did the data increase the same amount from week 2 to week 3 as it did from week 1 to week 2?"
    • Predicted value: A predicted value can then be used to scale baselines to make the alerting more or less sensitive.

     

    What is really nice about behavioral rules is that when you set them up, the seasons adjust themselves. As the data in the season is learned and continually evaluated, business growth is profiled within the season and you do not have to make changes to your rules. Also, the longer that a behavioral rule runs, the more accurate it will be over time, and you can then tighten the rule responses to capture more subtle changes, if required.

    Behavioral rules are good for detecting changes in consistent traffic or any data with repetitive patterns:

    • Large scale changes (services going offline, or new service traffic, slow HTTP or Get/Post attacks)
    • Catching early signs of D/DOS, worms, or malware traffic
    • Changes in traffic or connection behavior for important assets, or VPN connection monitoring for employee travel
    • Baseline changes for slow periods (upticks in late night mail traffic that could be suspicious, SYN traffic increases)
    • Failed backups, web server issues, application problems, etc.

    Read through this and let me know if you have further questions.
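
    The rule tests Jonathan describes (a level, trend and seasonal "behavior" weight on a 0 to 100 scale, a season length, and a deviation margin against the predicted value) line up with additive Holt-Winters smoothing. The block below is an added worked example written for this thread; it is not QRadar's implementation and was not posted by anyone here. It assumes the three importance values are the Holt-Winters level/trend/seasonal weights divided by 100, that the season is 24 hourly buckets, and it runs on a constructed three-day series of hourly SELECT counts for one database account (the use case from the original question). All function, field and constant names are my own.

```python
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class Alert:
    index: int        # position in the input series (0-based sample number)
    actual: float
    predicted: float
    deviation: float  # |actual - predicted| / |predicted|


@dataclass
class RuleResult:
    predictions: List[float]  # one-step-ahead forecast for each sample after the first season
    alerts: List[Alert]
    level: float              # final learned level ("current traffic level" component)
    trend: float              # final learned trend ("current traffic trend" component)
    seasonal: List[float]     # final per-slot seasonal offsets ("current traffic behavior")


def behavior_rule(series: Sequence[float], season_length: int,
                  level_importance: int = 70, trend_importance: int = 30,
                  behavior_importance: int = 30,
                  deviation_margin: float = 0.5) -> RuleResult:
    """Learn one season, then test every later sample against the forecast.

    Assumption (not from the thread): the three importance values are the
    Holt-Winters smoothing weights alpha/beta/gamma scaled from 0-100 to 0-1.
    """
    m = season_length
    if m < 1 or len(series) <= m:
        raise ValueError("need one full season to learn plus at least one sample to test")
    for w in (level_importance, trend_importance, behavior_importance):
        if not 0 <= w <= 100:
            raise ValueError("importance values are on a 0 to 100 scale")
    alpha = level_importance / 100.0
    beta = trend_importance / 100.0
    gamma = behavior_importance / 100.0

    # Learn the first season: its mean is the starting level, each slot's offset from
    # that mean is the seasonal component, and the trend starts flat and is learned.
    level = sum(series[:m]) / m
    trend = 0.0
    seasonal = [series[i] - level for i in range(m)]

    predictions: List[float] = []
    alerts: List[Alert] = []
    for t in range(m, len(series)):
        slot = t % m
        predicted = level + trend + seasonal[slot]   # extrapolated value for this slot
        actual = series[t]
        predictions.append(predicted)

        # "actual field value deviates by a margin of at least X% of the predicted value"
        if predicted != 0:
            deviation = abs(actual - predicted) / abs(predicted)
        else:
            deviation = 0.0 if actual == 0 else float("inf")
        if deviation >= deviation_margin:
            alerts.append(Alert(t, actual, predicted, deviation))

        # Update the three learned components, each with its own importance weight.
        prev_level = level
        level = alpha * (actual - seasonal[slot]) + (1 - alpha) * (level + trend)
        trend = beta * (level - prev_level) + (1 - beta) * trend
        seasonal[slot] = gamma * (actual - level) + (1 - gamma) * seasonal[slot]

    return RuleResult(predictions, alerts, level, trend, seasonal)


# Constructed sample (not real data): hourly counts of SELECT statements from one
# database account over three days, so season_length = 24. Days 1 and 2 repeat an
# office-hours pattern; day 3 repeats it except for a burst of 60 SELECTs at 02:00.
DAILY_PATTERN = [2] * 6 + [20] * 3 + [60] * 9 + [25] * 3 + [5] * 3
SAMPLE_SELECT_COUNTS = DAILY_PATTERN * 3
SAMPLE_SELECT_COUNTS[2 * 24 + 2] = 60


def run_sample() -> RuleResult:
    """Apply the rule with the default values from the original post (70/30/30, 50%)."""
    return behavior_rule(SAMPLE_SELECT_COUNTS, season_length=24)


if __name__ == "__main__":
    result = run_sample()
    for a in result.alerts:
        day, hour = divmod(a.index, 24)
        print(f"day {day + 1} {hour:02d}:00  actual={a.actual:g} "
              f"predicted={a.predicted:.2f} deviation={a.deviation:.0%}")
```

    Running the block produces four alerts, all on day 3: the 02:00 burst itself (60 SELECTs against a predicted 2) and the three quiet hours after it. Day 2 produces nothing because it matches the learned season exactly. The follow-on alerts are the point worth noticing: with a level weight of 70 the burst pulls the learned level and trend up sharply, so the night hours that follow sit far below the forecast until the level settles back. The importance values therefore control not just how fast a baseline is learned but how long one anomaly distorts it; setting the trend importance to 0 makes beta zero, so the trend component never moves from its starting value.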

     

     

  • JSWee (53 Posts)
    Re: Understand behavior rule
    2016-03-10T08:23:37Z

    [Quotes JonathanPechtaIBM's reply of 2016-03-09T11:46:40Z in full; see above.]

    Hi Jonathan,

    Thanks for the detailed write-up, really appreciated it!

    Some questions:

    1. Prior to creating the rule, we'll have to create a saved search criteria. Does the time range selected in the search criteria affect the behavior rule? Or does the behavior rule look at the search parameters of the search criteria only?
    2. Do we have to enable "Capture time series data" for the search criteria?
    3. How does the season length affect the tests for current traffic, current trend and current behavior, since they are already testing on days, minutes and weeks respectively?
    4. How fast are we able to see the result of the rule, if the season length is set to a day? From day 2 onwards?
    5. Is the importance level based on a percentage?
    6. How does the predicted value act as a baseline and affect the rule test, since there are already importance values in place?
    7. If we do not want to be alerted on one of the traffic tests (e.g. current traffic trend), do we set the value to 0?

     

    Apologies in advance for so many questions. But we really would like to understand more about behavior rules and see how they can bring value to us.

    Thank you so much!

  • JSWee (53 Posts)
    Re: Understand behavior rule
    2016-03-29T09:41:16Z

    [Quotes JSWee's own reply of 2016-03-10T08:23:37Z in full; see above.]

    Hi Jonathan,

    Any updates for this?

    Thanks! =)