DarkSniper Anomaly Detection

Because the AI system learns its way around the network and records, measures and analyzes normal activity on its own, it is well suited to monitoring for potential cyberattacks and alerting on them.

With its baseline of normal network behavior (performance, bandwidth, availability, etc.), the AI can detect an unusual spike in requests or other data that indicates attacks such as Denial-of-Service, ransomware, or other types of intrusion.

An AI system can also measure and categorize normal network traffic, using predictive analytics to profile the typical user base and resource utilization. A cyber-attack may resemble normal external network activity in many ways, but it usually carries a few specific characteristics used to mask its source or hide its intent. Machine learning is well suited to finding these subtle differences between normal activity and activity that is not normally seen on your network.

Hostname Profiling

The product builds a comprehensive and detailed profile for each IP/hostname in the target network. DarkSniper extracts flows for each connection and gradually builds the profile from a set of attributes including, but not limited to, the following:
• Source IP,
• Destination IP,
• Destination Port,
• Protocol,
• Bytes in (ingress) and bytes out (egress),
• Size of the flow,
• Duration of the flow,
• Periodicity of the flow,
• Time between connection flows

Profiling can also be broken down by service type, as shown in the diagram.

DarkSniper Interactive Dashboard

Detailed graphs, records, or reports can be extracted for all categories or for a specific service. The tool builds visualized output from the collected data to make the communications easy to understand and to extract in-depth graphs and details, as shown in the figure on the left.

DarkSniper Main Processes

This figure illustrates the overall DarkSniper process. It starts by collecting logs from the local network and extracting the flow and metadata, with full details, for each individual connection. The stored flows for each IP/hostname are the input to the “Cluster Construction” phase, which is responsible for learning normal behavior and identifying the thresholds for abnormal traffic. A “Behavior Profile” is then defined for each IP/hostname and stored in a database. DarkSniper uses the profile details to monitor live connections, classify the received traffic (Normal | Abnormal), and decide whether to block or allow the IP/hostname.
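The pipeline just described, and the flow attributes listed under Hostname Profiling, as an added Python example that is not DarkSniper's own code. It assumes a flow record carrying those attributes, a per-host baseline built from historical flows (a mean and standard-deviation threshold standing in for the cluster-construction phase; the page does not name a clustering algorithm), an in-memory dictionary standing in for the profile database, and constructed flow records. The Normal/Abnormal verdict and the allow/block decision follow the page's description; the sigma floor in `_z` handles a perfectly regular baseline (zero deviation), which would otherwise flag every live flow.

```python
"""Per-host flow profiling and Normal/Abnormal classification.

Added example, not DarkSniper's own code. It follows the pipeline the page
describes: collect flows -> build a baseline per source host ("cluster
construction") -> store a behaviour profile -> score live flows against it.
All flow records below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One connection flow; fields mirror the attributes listed on the page."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    bytes_in: int
    bytes_out: int
    duration_s: float
    start_ts: float  # epoch seconds; used for periodicity / time between flows


@dataclass
class HostProfile:
    """Learned baseline for one source IP/hostname (the 'behaviour profile')."""
    known_dst_ips: set = field(default_factory=set)
    known_dst_ports: set = field(default_factory=set)
    bytes_out_mean: float = 0.0
    bytes_out_std: float = 0.0
    gap_mean: float = 0.0  # mean seconds between consecutive flows
    gap_std: float = 0.0
    last_ts: float = 0.0   # start time of the most recent flow seen


def build_profiles(flows):
    """'Cluster construction': summarise historical flows per source host."""
    by_host = defaultdict(list)
    for f in flows:
        by_host[f.src_ip].append(f)
    profiles = {}  # stands in for the profile database
    for host, hist in by_host.items():
        hist.sort(key=lambda f: f.start_ts)
        out = [f.bytes_out for f in hist]
        gaps = [b.start_ts - a.start_ts for a, b in zip(hist, hist[1:])]
        profiles[host] = HostProfile(
            known_dst_ips={f.dst_ip for f in hist},
            known_dst_ports={f.dst_port for f in hist},
            bytes_out_mean=mean(out),
            bytes_out_std=pstdev(out) if len(out) > 1 else 0.0,
            gap_mean=mean(gaps) if gaps else 0.0,
            gap_std=pstdev(gaps) if len(gaps) > 1 else 0.0,
            last_ts=hist[-1].start_ts,
        )
    return profiles


def _z(value, mu, sigma):
    """z-score with a floor on sigma: a perfectly regular baseline (sigma == 0)
    must not turn every small deviation into an alert."""
    scale = max(sigma, 0.1 * abs(mu), 1.0)
    return (value - mu) / scale


def classify(profiles, flow, k=3.0):
    """Score one live flow against its host's profile.
    Returns (verdict, reasons); verdict is 'Normal', 'Abnormal' or 'Unknown'."""
    prof = profiles.get(flow.src_ip)
    if prof is None:
        return "Unknown", ["no baseline profile for host"]
    reasons = []
    if flow.dst_ip not in prof.known_dst_ips:
        reasons.append(f"new destination ip {flow.dst_ip}")
    if flow.dst_port not in prof.known_dst_ports:
        reasons.append(f"new destination port {flow.proto}/{flow.dst_port}")
    z_bytes = _z(flow.bytes_out, prof.bytes_out_mean, prof.bytes_out_std)
    if z_bytes > k:
        reasons.append(f"bytes_out {flow.bytes_out} is {z_bytes:.1f} sigma above baseline")
    gap = flow.start_ts - prof.last_ts  # time since the host's previous flow
    if _z(gap, prof.gap_mean, prof.gap_std) < -k:
        reasons.append(f"flow arrived {gap:.0f}s after previous, baseline {prof.gap_mean:.0f}s")
    prof.last_ts = flow.start_ts  # keep periodicity tracking current
    return ("Abnormal" if reasons else "Normal"), reasons


def decide(verdict):
    """Map the verdict to the allow/block action the page describes."""
    return "block" if verdict == "Abnormal" else "allow"


# Constructed history: one host talking to one HTTPS server every 60 s.
BASELINE = [
    Flow("10.0.0.5", "203.0.113.10", 443, "tcp", 40_000, b, 0.8, 1_000.0 + 60 * i)
    for i, b in enumerate([1500, 1400, 1600, 1500, 1550, 1450, 1500, 1520, 1480, 1500])
]

# Constructed live traffic: a routine flow, a large transfer to an unseen host
# and port arriving far sooner than usual, and a flow from a host with no profile.
LIVE = [
    Flow("10.0.0.5", "203.0.113.10", 443, "tcp", 41_000, 1_550, 0.9, 1_600.0),
    Flow("10.0.0.5", "198.51.100.77", 8081, "tcp", 200, 50_000_000, 900.0, 1_601.0),
    Flow("10.0.0.9", "203.0.113.10", 443, "tcp", 1_000, 800, 0.5, 1_602.0),
]

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    for f in LIVE:
        verdict, why = classify(profiles, f)
        print(f"{f.src_ip} -> {f.dst_ip}:{f.dst_port}  {verdict:8s} {decide(verdict):5s} {why}")
```

The `k` threshold, the sigma floor and the set of attributes checked are the tuning points: a tighter `k` raises sensitivity at the cost of more false positives on hosts whose traffic is naturally bursty, and bytes_in, duration and protocol can be scored the same way as bytes_out.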