
Flowmon ADS

ALIENDEV - New or Alien Device

  • Last Updated: April 5, 2026

Method description

This method is intended to detect a parasite device in the monitored network. Two ways of detecting parasite devices are used.

For the first one, you must set a filter that corresponds exactly to the IP addresses assigned to specific network devices (the KnownSegment parameter) and a filter that corresponds to the whole network segment in use, including addresses that can be assigned by the DHCP server (the LANFilter parameter). If the KnownSegment parameter is empty, this way of detection is not used.

The other way of detection uses simple machine learning. You must set the LANFilter parameter, which defines the whole network segment (including the gaps). The ClosedSeason parameter determines how long the method stays in the learning phase, during which no events are generated. If a new device appears after the learning phase, an event is generated. A device is removed from the classifier after TimeToDeath days of inactivity.

The second way of detection also applies to the MAC addresses that appear on the local network. The configuration of MAC-based detection is separate from the IP-based configuration, but the ClosedSeasonMAC and TimeToDeathMAC parameters work in the same way. Detection is performed only over flows whose source IP addresses match the filter assigned to the detection method. Note that MAC addresses are available only for devices in the subnet bounded by the closest router. The automatically configured link-local IPv6 address with the embedded MAC address is used as the event source. Each IP address that was assigned to the device with the given MAC address is displayed as an event target (these addresses are limited by the filter assigned to the detection method).

This method consists of the following submethods:

  • KnownSegment: Reports devices that are not a part of the user-defined list of known devices but whose communication was detected in the network. This detection is active if the parameters KnownSegment and LANFilter are set.

  • IPBased: Reports new devices in the network using simple machine learning, based on their IP addresses. An IP address that has not been previously seen is reported. This detection is active if the parameter LANFilter is set.

  • MACBased: Reports new devices in the network using simple machine learning, based on their MAC addresses. A MAC address that has not been previously seen is reported.
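The following is an added illustration of how the three submethods described above fit together; it is example code written for this page, not Flowmon's implementation. It assumes flow records are simple dictionaries with a timestamp, a source IP and an optional source MAC, that filters are lists of CIDR prefixes, and it uses constructed sample flows. It shows the KnownSegment set difference, the ClosedSeason learning phase, the TimeToDeath expiry (a device that returns after being forgotten is reported as new again), the restriction to sources inside the assigned filter, and the link-local IPv6 address with embedded MAC that serves as the MACBased event source.

```python
"""Worked illustration of the ALIENDEV submethods (KnownSegment, IPBased, MACBased).

Added example, not Flowmon code: the flow record layout, the helper and class
names and the sample flows below are assumptions made for this demonstration.
"""
import ipaddress
from datetime import datetime, timedelta


def in_filter(ip, filter_nets):
    """True if ip falls inside any network of a named filter (list of CIDRs)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in filter_nets)


def link_local_from_mac(mac):
    """Build the modified-EUI-64 IPv6 link-local address that embeds a MAC.

    The U/L bit of the first octet is flipped and ff:fe is inserted in the
    middle, e.g. 00:11:22:33:44:55 -> fe80::211:22ff:fe33:4455.
    """
    b = [int(x, 16) for x in mac.split(":")]
    iid = bytes([b[0] ^ 0x02, b[1], b[2], 0xFF, 0xFE, b[3], b[4], b[5]])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid))


class NewEntityClassifier:
    """Simple learner shared by IPBased (keys are IPs) and MACBased (keys are MACs).

    closed_season: days of learning during which nothing is reported (0 disables);
    time_to_death: days of inactivity after which an entry is forgotten.
    """

    def __init__(self, closed_season, time_to_death, start):
        self.enabled = closed_season > 0
        self.closed_season = timedelta(days=closed_season)
        self.time_to_death = timedelta(days=time_to_death)
        self.start = start
        self.last_seen = {}

    def observe(self, key, ts):
        """Record key at time ts; return True if it must be reported as new."""
        if not self.enabled:
            return False
        # Drop entries inactive for longer than TimeToDeath.
        for k, seen in list(self.last_seen.items()):
            if ts - seen > self.time_to_death:
                del self.last_seen[k]
        already_known = key in self.last_seen
        self.last_seen[key] = ts
        if already_known:
            return False
        # A new key is an event only once the learning phase is over.
        return ts - self.start >= self.closed_season


class AlienDev:
    def __init__(self, lan_filter, known_segment, closed_season, time_to_death,
                 closed_season_mac, time_to_death_mac, start):
        self.lan_filter = lan_filter
        self.known_segment = known_segment
        self.ip_clf = NewEntityClassifier(closed_season, time_to_death, start)
        self.mac_clf = NewEntityClassifier(closed_season_mac, time_to_death_mac, start)
        self.ips_of_mac = {}  # MAC -> set of IP addresses it has used

    def process(self, flow):
        """Return (submethod, source, target) events for one flow record."""
        src = flow["src_ip"]
        # Assigned filter / LANFilter: only flows from inside the segment are examined.
        if not in_filter(src, self.lan_filter):
            return []
        events = []
        # KnownSegment: inside the LAN but outside the list of known devices.
        if self.known_segment and not in_filter(src, self.known_segment):
            events.append(("KnownSegment", src, None))
        # IPBased: IP address never seen before (after the learning phase).
        if self.ip_clf.observe(src, flow["ts"]):
            events.append(("IPBased", src, None))
        # MACBased: source is the embedded-MAC link-local address, target the IPs used.
        mac = flow.get("src_mac")
        if mac:
            self.ips_of_mac.setdefault(mac, set()).add(src)
            if self.mac_clf.observe(mac, flow["ts"]):
                events.append(("MACBased", link_local_from_mac(mac),
                               sorted(self.ips_of_mac[mac])))
        return events


# Constructed sample flows (not captured traffic).
START = datetime(2026, 4, 1)
SAMPLE_FLOWS = [
    {"ts": START, "src_ip": "10.0.0.10", "src_mac": "00:11:22:33:44:55"},
    {"ts": START, "src_ip": "10.0.0.50", "src_mac": "00:11:22:33:44:55"},  # unknown, learning
    {"ts": START + timedelta(days=2), "src_ip": "10.0.0.50"},                # seen before
    {"ts": START + timedelta(days=2), "src_ip": "10.0.0.60", "src_mac": "00:11:22:33:44:66"},
    {"ts": START + timedelta(days=6), "src_ip": "10.0.0.50"},                # idle > TimeToDeath
    {"ts": START + timedelta(days=6), "src_ip": "192.168.5.5"},              # outside LANFilter
]


def run_sample():
    det = AlienDev(lan_filter=["10.0.0.0/24"],
                   known_segment=["10.0.0.10/32", "10.0.0.11/32"],
                   closed_season=2, time_to_death=3,
                   closed_season_mac=2, time_to_death_mac=3, start=START)
    events = []
    for f in SAMPLE_FLOWS:
        events.extend(det.process(f))
    return events


if __name__ == "__main__":
    for e in run_sample():
        print(e)
```

Running the sample shows that 10.0.0.50 is reported by KnownSegment from its first flow but by IPBased only on day 6, after it had been inactive longer than TimeToDeath and was forgotten, while the flow from 192.168.5.5 produces nothing because it falls outside the assigned filter.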

Method configuration

It is recommended to apply this method network-wide, to all traffic on the network. The right place for traffic monitoring is the central switch.

Method parameters

  • LANFilter: Name of the filter that defines the IP addresses used by devices inside the monitored network.

  • ClosedSeason: Number of days dedicated only to training the classifier based on the IP addresses of the devices. No events are generated during this time. If the value equals 0, detection using the automatic classifier is disabled.

  • TimeToDeath: Number of days for which an inactive IP address is kept in the classifier's list.

  • KnownSegment: Name of the filter that defines only the IP addresses of the active devices in the monitored network.

  • ClosedSeasonMAC: Number of days dedicated only to training the classifier based on the MAC addresses of the devices. No events are generated during this time. If the value equals 0, detection using the automatic classifier is disabled.

  • TimeToDeathMAC: Number of days for which an inactive MAC address is kept in the classifier's list.

Assigned filter

The filter is used to restrict the source IP addresses that are examined.

Interpretation of results

This method can detect unknown (or forgotten) devices connected to the monitored network. This may indicate a new legitimate device or a rogue device in the network.
