
Anomaly Detection Framework

CounterStorm’s Unsupervised Parametric Anomaly Detection (UPAD) Framework is an extensible, modular architecture for anomaly detection. Developed with DHS and DoD funding, it powers multiple anomaly detection engines that model packet- and flow-level features of network traffic. Deployed in government networks for more than three years, the framework lets the detection engines identify malicious network traffic that signature- and rules-based security tools miss.

UPAD Anomaly Detection Framework Benefits:

  • UPAD builds statistical baselines of normal activity without supervision or labeled data. It can train over dirty data, so the detection engines do not require a pristine environment to train in, and the baselines adapt over time as the environment changes. As with any baseline learned from live traffic, malicious activity that persists throughout the training window can be absorbed into the baseline, so the warm-up period and the adaptation rate are operational settings worth reviewing.
  • A multi-vector solution, UPAD can run several anomaly detection algorithms side by side, each independently measuring how far a different event characteristic deviates from the normal baseline.
  • The UPAD framework underlies CounterStorm’s flow-level and content-level anomaly detection, and has also been used for host-level anomaly detection and database user behavior modeling.
  • UPAD supports conditional modeling, so that separate statistical baselines can be built for specific types of network or application activity. For example, UPAD can build multiple anomaly detection modules for traffic flows, keyed on source and destination address ranges, ports and protocols.
  • UPAD is highly extensible. Detection can be enhanced with derived features built by arithmetic on existing fields, with values accumulated over time, or with labels, which makes UPAD a suitable research and development framework for security ISVs and system integrators.
  • UPAD aggregates and suppresses bursts of alerts, which improves the accuracy of the anomaly information and streamlines the workflow around anomaly detection technology.
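To make the list above concrete, here is an added illustration, written for this page; it is not CounterStorm’s code and makes no claim about how UPAD is implemented internally. It shows three of the mechanisms the bullets describe in the simplest form that still runs: conditional baselines keyed on protocol, destination port and source address range; an unsupervised per-feature baseline (exponentially weighted mean and variance) that adapts over time and bounds how far any single dirty sample can pull it; and aggregation of alert bursts into one summary per source and condition. The flow records, the 10.0.0.0/8 "internal" range, the derived bytes-per-packet feature, the warm-up length, forgetting factor, z-score threshold and 60-second window are all assumptions made for the example.

```python
"""Toy conditional, unsupervised flow anomaly detector with burst aggregation.
Added illustration for this page, NOT CounterStorm/UPAD code; every constant
below is an assumption chosen for the example."""
import ipaddress
import math
from collections import defaultdict
from dataclasses import dataclass

WARMUP = 30       # flows a conditional model must see before it may alert (assumption)
ALPHA = 0.05      # forgetting factor after warm-up, so the baseline adapts (assumption)
Z_ALERT = 3.0     # per-feature deviation that counts as anomalous (assumption)
Z_CLIP = 3.0      # max pull of one sample on the baseline, in std devs (dirty data)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # constructed "internal" address range


@dataclass
class RunningStats:
    """Exponentially weighted mean/variance. With a = 1/n during warm-up this is
    the exact population mean/variance; afterwards old traffic decays away."""
    n: int = 0
    mean: float = 0.0
    var: float = 0.0

    def sd(self) -> float:
        return math.sqrt(self.var) if self.var > 0 else 1.0

    def z(self, x: float) -> float:
        return (x - self.mean) / self.sd()

    def update(self, x: float) -> None:
        self.n += 1
        if self.n > WARMUP:
            a = ALPHA
            # Winsorise: one wild value (noise or an attack) shifts the baseline by
            # at most Z_CLIP standard deviations, so dirty data cannot hijack it.
            lo, hi = self.mean - Z_CLIP * self.sd(), self.mean + Z_CLIP * self.sd()
            x = min(max(x, lo), hi)
        else:
            a = 1.0 / self.n
        delta = x - self.mean
        self.mean += a * delta
        self.var = (1 - a) * (self.var + a * delta * delta)


def features(flow: dict) -> dict:
    """Raw fields plus one derived ('arithmetic') feature."""
    return {"bytes": flow["bytes"], "packets": flow["packets"],
            "bytes_per_packet": flow["bytes"] / max(flow["packets"], 1)}


def condition(flow: dict) -> tuple:
    """Conditioning key: a separate baseline per protocol, destination port and
    whether the source lies in the constructed internal range."""
    side = "internal" if ipaddress.ip_address(flow["src"]) in INTERNAL else "external"
    return (flow["proto"], flow["dport"], side)


class ConditionalDetector:
    def __init__(self):
        self.models = defaultdict(lambda: defaultdict(RunningStats))

    def observe(self, flow: dict):
        """Score the flow against its conditional baseline, then train on it.
        Returns (key, None) while that baseline is still warming up."""
        key, feats, model = condition(flow), features(flow), self.models[condition(flow)]
        scores = None
        if all(model[f].n >= WARMUP for f in feats):
            scores = {f: model[f].z(v) for f, v in feats.items()}   # one vector per feature
        for f, v in feats.items():
            model[f].update(v)
        return key, scores


def raw_alerts(det: ConditionalDetector, flow: dict) -> list:
    key, scores = det.observe(flow)
    if scores is None:
        return []
    worst = max(scores, key=lambda f: abs(scores[f]))
    if abs(scores[worst]) < Z_ALERT:
        return []
    return [{"t": flow["t"], "src": flow["src"], "key": key,
             "feature": worst, "z": round(scores[worst], 1)}]


class BurstAggregator:
    """Collapses alerts sharing (condition, source) inside a time window into one
    summary carrying a count, so a burst produces one line, not hundreds."""
    def __init__(self, window: float = 60.0):
        self.window, self.open, self.out = window, {}, []

    def add(self, alert: dict) -> None:
        gk = (alert["key"], alert["src"])
        g = self.open.get(gk)
        if g is not None and alert["t"] - g["first"] <= self.window:
            g["count"] += 1
            g["last"] = alert["t"]
            g["max_z"] = max(g["max_z"], alert["z"])
            return
        if g is not None:
            self.out.append(g)
        self.open[gk] = {"key": alert["key"], "src": alert["src"], "feature": alert["feature"],
                         "first": alert["t"], "last": alert["t"], "count": 1, "max_z": alert["z"]}

    def flush(self) -> list:
        self.out.extend(self.open.values())
        self.open.clear()
        return self.out


def sample_flows() -> list:
    """Constructed NetFlow-like records: 60 ordinary HTTPS flows, one flow to a port
    with no baseline yet, then two bursts of oversized flows from the same host."""
    flows = [{"t": float(i), "src": "10.1.2.3", "proto": "tcp", "dport": 443,
              "bytes": 1400 + 100 * (i % 3), "packets": 10 + i % 3} for i in range(60)]
    flows.append({"t": 500.0, "src": "10.1.2.3", "proto": "tcp", "dport": 22,
                  "bytes": 9_000_000, "packets": 6000})          # unseen condition: no alert
    for start, n in ((1000.0, 20), (2000.0, 5)):
        flows += [{"t": start + 2 * i, "src": "10.1.2.3", "proto": "tcp", "dport": 443,
                   "bytes": 50_000_000, "packets": 40_000} for i in range(n)]
    return flows


def run_demo(flows=None):
    flows = sample_flows() if flows is None else flows
    det, agg, raw = ConditionalDetector(), BurstAggregator(window=60.0), []
    for flow in sorted(flows, key=lambda f: f["t"]):
        for a in raw_alerts(det, flow):
            raw.append(a)
            agg.add(a)
    return raw, agg.flush(), det


if __name__ == "__main__":
    raw, summary, det = run_demo()
    print(f"{len(raw)} raw alerts collapsed into {len(summary)} summaries")
    for s in summary:
        print(s)
    print("bytes baseline after the bursts:", round(det.models[('tcp', 443, 'internal')]['bytes'].mean))
```

Two things to notice when running it: the flow to tcp/22 never alerts because its conditional baseline has not finished warming up, which is the trade-off conditional modeling makes (more specific baselines need more data each); and after 25 winsorised updates the bytes baseline has moved by only a few thousand bytes rather than toward 50 MB, which is what "training over dirty data" has to mean in practice.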