The CyberSift Packet Capture Parser — TCP Stream and ASN Bytes Anomalies

David Vassallo, CyberSift
Aug 22, 2018

This article is part of a series on the CyberSift Packet Capture Parser. In this article we give an overview of two anomaly detection modules: "TCP Stream Bytes" and "ASN Bytes".

Monitoring bandwidth for anomalies is important because an unusually large transfer can uncover malicious activity such as data exfiltration, or post-exploitation activity such as your infrastructure being used for spamming or for hosting illegal file sharing (warez). As previously discussed, the packet capture parser detects simple anomalies using the 95th percentile rule. We apply this rule to bandwidth by monitoring:

  • The number of bytes transferred within a single TCP stream
  • The number of bytes transferred, in aggregate, to each BGP Autonomous System (ASN)

Both modules work the same way: the byte count of each TCP stream (or of each ASN) is compared against the 95th percentile of the byte counts of all streams (or all ASNs) in the capture, and anything above that threshold is flagged as an anomaly. In the screenshot below we see this in action for TCP streams:

The graph is interactive, allowing you to zoom in, scroll around and hover over the bars. As shown above, hovering over a bar shows the details of that stream, namely the source IP address, destination IP address, destination port and the number of bytes transferred.

"Normal" streams are drawn as plain blue bars, while "anomalous" streams are marked in red. Clicking on a bar redirects you to the relevant IBM X-Force entry for the destination IP address so you can assess whether or not the connection is malicious.
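The rule described above, written out as an added example that is not part of CyberSift's code: a Python script that sums bytes per TCP stream (keyed by source IP, destination IP and destination port, the three fields the screenshot shows) and per destination ASN, computes the 95th percentile with linear interpolation (the convention numpy.percentile uses by default) and flags everything strictly above it. The packet records and the IP-to-ASN table are constructed for illustration, using RFC 5737 documentation addresses and RFC 5398 documentation ASNs; a real parser would read a pcap and resolve ASNs from a BGP-derived database such as pyasn or MaxMind GeoLite2-ASN. The sample also contains a constructed transfer split across eight ordinary-sized streams, to show what each module does and does not see.

```python
"""Added example (not CyberSift's code): the 95th-percentile rule applied to
bytes per TCP stream and bytes per destination ASN.  Packet records and the
IP-to-ASN table are constructed; 198.51.100.0/24, 203.0.113.0/24 and
192.0.2.0/24 are documentation prefixes and AS64496-AS64502 are documentation
ASNs, so nothing here points at a real network."""
import math
from collections import defaultdict

# Constructed stand-in for a prefix lookup (pyasn, GeoLite2-ASN, Team Cymru ...).
DST_ASN = {f"198.51.100.{10 + j}": 64496 + j for j in range(5)}   # 5 web servers
DST_ASN["203.0.113.77"] = 64501                                    # one SSH host
DST_ASN.update({f"192.0.2.{k}": 64502 for k in range(1, 9)})       # 8 hosts, one ASN


def build_sample_packets():
    """Constructed packet records: (src_ip, dst_ip, dst_port, payload_bytes)."""
    pkts = []
    # 19 ordinary HTTPS streams, two packets each, spread over five servers.
    for i in range(1, 20):
        dst = f"198.51.100.{10 + i % 5}"
        pkts.append((f"10.0.0.{i}", dst, 443, 1000 + 20 * i))
        pkts.append((f"10.0.0.{i}", dst, 443, 600))
    # One 250 kB SSH upload: the obvious single-stream outlier.
    pkts.append(("10.0.0.20", "203.0.113.77", 22, 250_000))
    # A transfer split into 8 ordinary-looking streams to 8 hosts in one ASN.
    for k in range(1, 9):
        pkts.append(("10.0.0.30", f"192.0.2.{k}", 443, 1_800))
    return pkts


def bytes_per_stream(packets):
    """Sum bytes per (src, dst, dport); a full 5-tuple would add the source port."""
    totals = defaultdict(int)
    for src, dst, dport, nbytes in packets:
        totals[(src, dst, dport)] += nbytes
    return dict(totals)


def bytes_per_asn(packets, asn_table=DST_ASN):
    """Sum bytes per destination ASN; destinations with no known ASN are skipped."""
    totals = defaultdict(int)
    for _, dst, _, nbytes in packets:
        asn = asn_table.get(dst)
        if asn is not None:
            totals[asn] += nbytes
    return dict(totals)


def percentile(values, pct):
    """Linear-interpolation percentile, same convention as numpy.percentile's default."""
    ordered = sorted(values)
    if not ordered:
        raise ValueError("no data")
    pos = (len(ordered) - 1) * pct / 100.0
    lo, hi = math.floor(pos), math.ceil(pos)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (pos - lo)


def flag_anomalies(totals, pct=95):
    """Return (threshold, {key: bytes}) for every key strictly above the percentile."""
    threshold = percentile(totals.values(), pct)
    return threshold, {k: v for k, v in totals.items() if v > threshold}


if __name__ == "__main__":
    pkts = build_sample_packets()
    for name, totals in (("TCP stream", bytes_per_stream(pkts)), ("ASN", bytes_per_asn(pkts))):
        threshold, flagged = flag_anomalies(totals)
        print(f"{name}: 95th percentile = {threshold:,.0f} bytes, "
              f"{len(flagged)} of {len(totals)} flagged")
        for key, nbytes in sorted(flagged.items(), key=lambda kv: -kv[1]):
            print(f"  {key}: {nbytes:,} bytes")
```

On this constructed input the stream module flags the 250 kB SSH stream and, because the rule always flags roughly the top 5% of whatever it is given, one perfectly ordinary 1,980-byte HTTPS stream as well; the eight 1,800-byte streams to 192.0.2.0/24 each pass. Aggregated by ASN, that split transfer (14,400 bytes) is about double every ordinary ASN total, yet only AS64501 is flagged, because the single large stream defines where the 95th percentile falls. The percentile rule ranks, it does not detect: a second anomaly hides behind a larger one, and the number of red bars is a property of the threshold rather than of the traffic, so the sorted totals are worth reading past the red bars.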
