Features and Benefits

CA Anomaly Detector goes beyond intrusion detection and other more static security tools to take a broader view of the network. The program can monitor your entire network from end to end. Instead of painstakingly applying a fixed set of rules to traffic, CA Anomaly Detector uses a set of dynamic algorithms to create and continually modify a unique profile of the network. The program uses this profile in combination with efficient mathematical analysis to determine whether network traffic is anomalous.
In addition to detecting suspicious or damaged packets, CA Anomaly Detector identifies abnormally high flow and volume sources that can indicate a variety of issues. The program easily scales to create integrated monitoring and reporting across your enterprise. You receive alerts about potential problems, such as:
  • Infected hosts
  • Victims of infected hosts
  • Unauthorized application servers
  • Misconfigured servers
Operating in real time, the program identifies fan-out, SYN-only, and ICMP flood traffic that usually indicates a spreading virus, worm, or port-scanning activity. The program also alerts you to:
  • Null routing and TTL-expired traffic, which helps you identify poorly configured ACLs or routing loops
  • Large ICMP or DNS packets that may indicate tunneling activities
  • Sources of fragmented packets that double-load network devices and that can ultimately result in retransmission of TCP traffic. These symptoms can signal a frag attack. Knowledge about such sources enables you to make configuration changes that can improve network or application performance.
The program reports only the essential data you need to secure your system and stop intrusions, other security issues, and performance problems. Report views are shown in the Performance Center console, where they contribute to an enterprise-wide perspective on network performance and health.
CA Anomaly Detector provides the following benefits:
  • Trending, with per-host breakdown of anomaly sources for timely, precise troubleshooting
  • Enterprise-wide correlation of anomalous behavior, broken out per host so you get a full perspective of how key servers behave
  • Identification of attacks before symptoms appear, so you can prevent downtime, isolate viruses quickly, and resolve problems
  • Accurate and complete data, collected by leveraging existing flow collection infrastructure for easy installation and configuration
  • Lightweight reporting of essential data, giving you quick access to crucial information for identifying anomaly causes
  • Integration with the following related products for enterprise-wide reporting on network health and application performance from a single console:
    • CA NetQoS Performance Center or CA Performance Center
    • DX NetOps
    • CA Application Delivery Analysis
    • CA NetVoyant
    • CA Unified Communications Monitor
Probability Thresholds
CA Anomaly Detector uses a sophisticated mechanism to help avoid false positives, minimizing the number of alerts that do not correspond to true anomalies. The program uses probability threshold settings that you can customize to control the sensitivity of alert triggering. The thresholds are called probability thresholds because they are keyed to the probability that an actual anomaly has been detected.
In addition to a probability component, the threshold mechanism also relies on the following factors:
  • A unique network profile that is based on statistics and the observation of typical operations
  • Configurable alert levels, which are a function of the unique profile
  • Statistical analysis to determine whether observed network behavior is anomalous or is within the normal range
To determine whether current data is anomalous, the detection process takes all previous data into account to create a statistics-based network profile. Using the profile as a reference, the anomaly detection process estimates and prioritizes any potentially anomalous network activity, based on percentiles, and calculates the probability that the observed behavior is anomalous. The entire system is dynamic: it is updated each time it runs to ensure reliability and accuracy.
Correlated Anomalies
Correlated anomalies reduce alarm overload and help cull out false positives so you can focus on the events that are most likely to be issues. CA Anomaly Detector provides an Enterprise-Wide Correlated Anomalies view that highlights correlated anomalies. You can navigate from this view to more detailed information while you investigate. A correlated anomaly meets the following minimum requirements:
  • Contains three or more anomaly instances
  • Has an anomaly index of 2.0 or more
  • Originates from a single device
An anomaly index of 2.0 or more indicates the presence of two or more primary anomalies or one primary anomaly and two or more secondary anomalies.
This cross-data-source temporal clustering provides actionable workflows that support a fast, proactive response to issues.
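As an added illustration, not CA's own code or algorithm, the following applies the three minimum requirements above to constructed anomaly instances. The primary/secondary weights (inferred from the description of an index of 2.0), the per-device time window used for clustering, and the instance fields are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights (not on the page): an index of 2.0 = two primary, or one primary + two secondary.
WEIGHT = {"primary": 1.0, "secondary": 0.5}
MIN_INSTANCES = 3   # "three or more anomaly instances"
MIN_INDEX = 2.0     # "anomaly index of 2.0 or more"
@dataclass(frozen=True)
class AnomalyInstance:
    device: str      # the single source device the instance originates from
    kind: str        # anomaly type, e.g. "syn_only", "fan_out", "icmp_flood"
    severity: str    # "primary" or "secondary"
    minute: int      # constructed timestamp (minutes) for temporal clustering

def correlate(instances, window_minutes=15):
    """Cluster instances per device by time (the window is an assumption) and
    keep only clusters that meet the page's three minimum requirements."""
    by_device = defaultdict(list)
    for inst in instances:
        by_device[inst.device].append(inst)
    correlated = []
    for device, insts in by_device.items():
        insts.sort(key=lambda i: i.minute)
        clusters, current = [], [insts[0]]
        for inst in insts[1:]:            # gap-based temporal clustering
            if inst.minute - current[-1].minute <= window_minutes:
                current.append(inst)
            else:
                clusters.append(current)
                current = [inst]
        clusters.append(current)
        for cluster in clusters:
            index = sum(WEIGHT[i.severity] for i in cluster)
            if len(cluster) >= MIN_INSTANCES and index >= MIN_INDEX:
                correlated.append({"device": device, "index": index,
                                   "instances": len(cluster)})
    return correlated
# Constructed sample: core-rtr-1 meets all three requirements (index 2.5);
# host-22 fails the index (1.5) and host-9 fails the instance count (2).
SAMPLE = [
    AnomalyInstance("core-rtr-1", "syn_only", "primary", 0),
    AnomalyInstance("core-rtr-1", "fan_out", "primary", 5),
    AnomalyInstance("core-rtr-1", "icmp_flood", "secondary", 8),
    AnomalyInstance("core-rtr-1", "large_dns", "secondary", 200),  # separate window
    AnomalyInstance("host-22", "ttl_expired", "secondary", 0),
    AnomalyInstance("host-22", "null_route", "secondary", 3),
    AnomalyInstance("host-22", "fragments", "secondary", 6),
    AnomalyInstance("host-9", "syn_only", "primary", 0),
    AnomalyInstance("host-9", "fan_out", "primary", 2),
]
```

Widening the clustering window pulls the later large-DNS instance on core-rtr-1 into the same correlated anomaly, which is why the window choice matters as much as the thresholds.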