This article can also be found in the Premium Editorial Download "Information Security magazine: Betting the house on network anomaly detection systems."
The following is a representative list of pure-play network anomaly detection systems vendors and products.
Arbor Networks - www.arbornetworks.com
Peakflow monitors network traffic for deviations in load, providing insight into changes in network behavior.
Captus Networks - www.captusnetworks.com
Captus IPS 4000 series is a combined solution for network management and security, which prevents DDoS attacks, port scans, unknown worms and unsanctioned traffic.
Lancope - www.lancope.com
StealthWatch provides enterprises with a hybrid anomaly detection and response system that bases its actions on behavior deviations and protocol analysis.
Mazu Networks - www.mazunetworks.com
Its two products, Profiler and Enforcer, work in concert to monitor for deviations and automatically respond to threats.
Q1 Labs - www.q1labs.com
QRadar gives security managers continuous analysis of network traffic flows, with real-time visibility into traffic type and bandwidth consumption.
Narus - www.narus.com
Born as a network management company, Narus provides anomaly detection products and technology to carriers.
netZentry - www.netzentry.com
Its FloodGuard technology provides enterprises with non-signature-based defenses against DDoS attacks, botnets and SYN floods.
Place a Small Bet on NADS
NAD devices are powerful knowledge tools for expert network operations people with enterprise-specific contextual knowledge. These systems help enterprises learn the traffic and behavior of their network. Even though they can catch detailed events, such as a new service opening up, a new protocol appearing or a new machine connecting to the network, these events are too common to have value in larger enterprises. NADS shine where obvious behaviors are under way, such as a worm-infected machine spewing attack traffic or a DoS attack. The value these systems offer for addressing more subtle behavior depends on the knowledge and experience of the operator. Under the right circumstances, NADS provide a wealth of network behavior information (protocols, ports, services, throughput, latency, etc.) that can be used to understand what's really going on in your network.
While network operations and security experts may find this cornucopia of network information empowering, it may be overwhelming to a person without the context and tribal knowledge of the enterprise-specific network infrastructure.
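To make the baseline-and-deviation logic behind these products concrete, here is an added example that is not code from the article or from any vendor listed above. It learns a baseline from constructed NetFlow-style records, then flags the event types named above (new host, new service, new protocol) as informational and the attack-shaped ones (a DoS-sized byte spike, a worm-style fan-out to many hosts on one port) as high severity. The 10.0.x.x addresses, the flows, and the thresholds (10x baseline bytes, 20 distinct destinations) are all assumptions chosen for illustration.

```python
"""Baseline-and-deviation detection over NetFlow-style flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record: who talked to whom, on what port and protocol."""
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


@dataclass(frozen=True)
class Alert:
    kind: str       # new_host | new_service | new_protocol | volume_spike | fanout
    severity: str   # "info" for inventory-type events, "high" for attack-shaped ones
    subject: str
    detail: str


# Constructed learning-window traffic (hypothetical addresses, not real data).
BASELINE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.5", 80, "tcp", 50_000),
    Flow("10.0.1.11", "10.0.2.5", 80, "tcp", 48_000),
    Flow("10.0.1.10", "10.0.2.7", 443, "tcp", 120_000),
    Flow("10.0.1.12", "10.0.2.9", 53, "udp", 2_000),
    Flow("10.0.1.11", "10.0.2.9", 53, "udp", 2_500),
    Flow("10.0.1.12", "10.0.2.5", 80, "tcp", 52_000),
]

# Constructed observation window: routine traffic plus five deviations.
OBSERVED_FLOWS = [
    Flow("10.0.1.10", "10.0.2.5", 80, "tcp", 51_000),      # routine
    Flow("10.0.1.12", "10.0.2.9", 53, "udp", 2_100),       # routine
    Flow("10.0.1.11", "10.0.2.7", 8080, "tcp", 3_000),     # new service on a known host
    Flow("10.0.1.99", "10.0.2.5", 80, "tcp", 40_000),      # machine never seen before
    Flow("10.0.1.10", "10.0.2.9", 0, "icmp", 500),         # protocol never seen before
    Flow("10.0.1.11", "10.0.2.5", 80, "tcp", 2_000_000),   # DoS-sized burst from one host
] + [
    # worm-style fan-out: one host touching 40 neighbours on the same port
    Flow("10.0.1.12", f"10.0.3.{i}", 445, "tcp", 1_000) for i in range(1, 41)
]


def build_baseline(flows):
    """Learn what 'normal' looks like: source hosts, services, protocols, bytes per source."""
    per_src_bytes = defaultdict(int)
    for f in flows:
        per_src_bytes[f.src] += f.nbytes
    return {
        "hosts": {f.src for f in flows},
        "services": {(f.dst, f.dport, f.proto) for f in flows},
        "protos": {f.proto for f in flows},
        "src_bytes": dict(per_src_bytes),
    }


def detect(baseline, flows, volume_factor=10, fanout_threshold=20):
    """Compare an observation window against the baseline and emit one alert per deviation."""
    alerts, seen = [], set()
    window_bytes = defaultdict(int)
    fanout = defaultdict(set)  # (src, dport, proto) -> distinct destinations contacted

    def emit(kind, severity, subject, detail):
        if (kind, subject) not in seen:      # report each deviation once, not once per flow
            seen.add((kind, subject))
            alerts.append(Alert(kind, severity, subject, detail))

    for f in flows:
        window_bytes[f.src] += f.nbytes
        fanout[(f.src, f.dport, f.proto)].add(f.dst)
        if f.src not in baseline["hosts"]:
            emit("new_host", "info", f.src, "source address not present in baseline")
        if f.proto not in baseline["protos"]:
            emit("new_protocol", "info", f.proto, f"first use of {f.proto}")
        if (f.dst, f.dport, f.proto) not in baseline["services"]:
            emit("new_service", "info", f"{f.dst}:{f.dport}/{f.proto}", "service not in baseline")

    # Volume deviation is only meaningful for hosts that have a baseline to compare against.
    for src, nbytes in window_bytes.items():
        base = baseline["src_bytes"].get(src)
        if base and nbytes > volume_factor * base:
            emit("volume_spike", "high", src,
                 f"{nbytes} bytes vs baseline {base} ({nbytes / base:.0f}x)")

    # Many distinct destinations on one port from one source is the shape of worm scanning.
    for (src, dport, proto), dsts in fanout.items():
        if len(dsts) >= fanout_threshold:
            emit("fanout", "high", src, f"{len(dsts)} distinct hosts on {dport}/{proto}")
    return alerts


def summarize(alerts):
    """Count alerts per kind; shows how inventory noise dwarfs the attack-shaped events."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.kind] += 1
    return dict(counts)


if __name__ == "__main__":
    found = detect(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)
    for a in found:
        if a.severity == "high":
            print(f"[{a.severity}] {a.kind}: {a.subject} ({a.detail})")
    print(summarize(found))
```

Run stand-alone, the script prints only the two high-severity alerts (the byte spike from 10.0.1.11 and the 445/tcp fan-out from 10.0.1.12) and then the per-kind counts, where the 42 new-service events generated by a single scanning host illustrate why the detailed inventory-type events are too noisy to act on in a large enterprise unless an operator with local context filters them.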
This was first published in July 2005