16. Available OBANDS modules
Normal traffic clusterer
Searches for flows that do not match the normal clusters of traffic
Clustering algorithm: Expectation-Maximization
Flow counter
Counts flows from every source to every seen destination
Detects DoS, scans, brute force attacks…
TCP failure detector
Searches for anomalous transitions in the TCP FSM
17. Available OBANDS modules
Periodic connections
Searches for flows that appear periodically
A lot of malware shows this behaviour
Time behaviour
Models the hour of the day at which each protocol is used
It may predict the customer's behaviour; similar to Windows SuperFetch
Bot detector
Specific traffic clusters for bot-related traffic
The same as the normal traffic clusterer, but malware oriented
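The flow counter and periodic-connections modules above are described only by name, so here is an added example of the two ideas written for this page (it is not OBANDS code and assumes nothing about the product's internals): flows are plain (timestamp, source, destination, port) records, constructed inline; the counter flags a source that reaches an unusual number of distinct destinations, and the periodic detector flags a (source, destination, port) tuple whose inter-arrival times are almost constant. The thresholds are assumptions chosen for the sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# Invented for this example; they do not come from any real capture.
FLOWS = [
    # beaconing host: same destination every 300 s (assumed beacon-like periodicity)
    *[(t, "10.0.0.5", "203.0.113.9", 443) for t in range(0, 3000, 300)],
    # scanning host: many distinct destinations within a few seconds
    *[(10 + i, "10.0.0.7", f"10.0.1.{i}", 22) for i in range(1, 41)],
    # ordinary browsing: few destinations, irregular timing
    (5, "10.0.0.8", "198.51.100.3", 80), (61, "10.0.0.8", "198.51.100.4", 443),
    (190, "10.0.0.8", "198.51.100.3", 80), (455, "10.0.0.8", "198.51.100.7", 443),
]


def flow_counter(flows, scan_threshold=20):
    """Count flows per (src, dst) pair and distinct destinations per source.

    Returns (per_pair_counts, scanners): scanners are sources that contacted
    at least scan_threshold distinct destinations (assumed scan heuristic).
    """
    per_pair = defaultdict(int)
    dsts_per_src = defaultdict(set)
    for _, src, dst, _ in flows:
        per_pair[(src, dst)] += 1
        dsts_per_src[src].add(dst)
    scanners = {s for s, d in dsts_per_src.items() if len(d) >= scan_threshold}
    return dict(per_pair), scanners


def periodic_connections(flows, min_flows=5, max_cv=0.2):
    """Flag (src, dst, port) tuples whose inter-arrival times are nearly constant.

    A tuple is periodic when it has at least min_flows flows and the
    coefficient of variation (stddev / mean) of the gaps is <= max_cv.
    Returns {tuple: mean_gap_seconds}.
    """
    times = defaultdict(list)
    for ts, src, dst, port in flows:
        times[(src, dst, port)].append(ts)
    periodic = {}
    for key, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            periodic[key] = round(m, 1)
    return periodic


if __name__ == "__main__":
    pairs, scanners = flow_counter(FLOWS)
    print("possible scanners:", scanners)
    print("periodic tuples:", periodic_connections(FLOWS))
```

The coefficient of variation is used rather than a fixed gap so that the check does not depend on the beacon interval itself; in practice the min_flows floor matters, since two flows always look "periodic".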
18. SCADA
Anomaly detector for MODBUS
• Deterministic exchanges between MODBUS pairs
• Detection of deviations from normal behavior between pairs
• Detection of new unexpected MODBUS nodes
• Detection of unexpected communications between existing nodes
• Detection of unexpected adopted roles
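The five bullets above describe a baseline-and-deviation detector. As an added example (written for this page, not the product's code), the class below learns a baseline from constructed MODBUS/TCP request observations, (client, server, function_code) tuples, and then checks new requests against it, raising one alert type per bullet: new node, unexpected pair between known nodes, unexpected role (a known server sending requests) and unexpected function code for a known pair. The function codes 3 (Read Holding Registers) and 16 (Write Multiple Registers) are standard MODBUS codes; the addresses and the rule that only client-to-server requests are observed are assumptions of the example.

```python
from collections import defaultdict

# Constructed MODBUS/TCP request observations: (client_ip, server_ip, function_code).
# Only client->server requests are modelled. Invented sample, not real traffic.
BASELINE = [
    ("10.1.0.10", "10.1.0.20", 3),   # HMI reads holding registers from PLC A
    ("10.1.0.10", "10.1.0.20", 3),
    ("10.1.0.10", "10.1.0.21", 3),   # HMI reads from PLC B
    ("10.1.0.10", "10.1.0.21", 16),  # HMI writes multiple registers to PLC B
    ("10.1.0.11", "10.1.0.20", 3),   # data historian polls PLC A
]


class ModbusBaseline:
    """Learns which nodes exist, which role each plays and which function
    codes each (client, server) pair exchanges during the learning window."""

    def __init__(self, observations):
        self.nodes = set()
        self.clients = set()
        self.servers = set()
        self.pair_codes = defaultdict(set)
        for c, s, fc in observations:
            self.nodes.update((c, s))
            self.clients.add(c)
            self.servers.add(s)
            self.pair_codes[(c, s)].add(fc)

    def check(self, c, s, fc):
        """Return a list of (alert_type, detail) for one observed request."""
        alerts = []
        known = all(n in self.nodes for n in (c, s))
        for n in (c, s):
            if n not in self.nodes:
                alerts.append(("new_node", n))
        if c in self.servers and c not in self.clients:
            # a node that only ever answered requests is now issuing them
            alerts.append(("unexpected_role", c))
        elif known and (c, s) not in self.pair_codes:
            # both nodes are known but never talked to each other
            alerts.append(("unexpected_pair", (c, s)))
        if (c, s) in self.pair_codes and fc not in self.pair_codes[(c, s)]:
            # known pair, but a function code outside its deterministic exchange
            alerts.append(("unexpected_function", fc))
        return alerts


if __name__ == "__main__":
    b = ModbusBaseline(BASELINE)
    for req in [("10.1.0.10", "10.1.0.20", 3), ("10.1.0.99", "10.1.0.20", 3),
                ("10.1.0.20", "10.1.0.21", 3), ("10.1.0.10", "10.1.0.20", 16)]:
        print(req, "->", b.check(*req) or "ok")
```

The baseline is only as good as the learning window: a write that is legitimate but rare (a quarterly setpoint change) will be reported as an unexpected function code until it is observed and added, which is why such detectors normally allow operator-approved additions to the baseline.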
21. SCADA – Cyberwar (no connectivity)
1982 - Explosion of a gas pipeline in Siberia
The most spectacular non-nuclear explosion and fire ever seen from space
Thomas C. Reed, Ronald Reagan's Secretary of the Air Force, described in his book At The Abyss (Ballantine, 2004, ISBN 0-89141-821-0) how the United States arranged for the Soviets to receive intentionally flawed process control software for use in conjunction with the USSR's natural gas pipelines, pipelines which were to generate critically needed hard currency for the USSR.

Reed stated that "The pipeline software that was to run the pumps, turbines, and valves was programmed to go haywire, after a decent interval, to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds."
24. INOVAÇMA KARÃO
IDENTITY
Behaviour:
Geo-location
Status:
• Multiple data items provided by the network.
25. Location (habitual zones, others)
Habitual zones (home, work…)
• The user's habitual zones can be established, as opposed to new or uncommon zones, and used as a risk parameter in certain transactions.
28. Telefónica SOCs
• Multi-client threat detection
• Unified operation from the network
Network security
Telefónica Empresas España and management of connectivity and incidents in the network
• E2E security