Araknos
AkabSensor - Intrusion Detection

The Akab architecture is based on AkabSensors, a family of appliances for managing network data that is either acquired directly or received from other network appliances/applications.

AkabSensors play a crucial role in system monitoring, as they provide the data consumed by the various Anomaly Detection and Event Correlation algorithms run in other, higher-level appliances.

The AkabSensor family consists of various specialized appliances divided into two groups, Security Management and Network Management appliances: security audit (AS-SA), intrusion detection (AS-ID), bandwidth management (AS-BM), traffic monitoring (AS-TM), and log server (AS-LS).

All AkabSensor appliances for Network Management (BM, TM and LS) are also available in a stand-alone configuration.


Features

AS-ID monitors and analyses network traffic to detect possible intrusion attempts and attacks.

AS-ID can operate in two modes: "signature-based" and "anomaly-based".
Collected data are stored both in raw form and in SQL format for subsequent analysis or forensics.


Modes

Signature-based
AS-ID acquires network traffic in real time and, through a set of rules, compares its characteristics (protocol, source, destination, ...) and packet contents (payload) against traffic patterns (signatures) identified as abnormal. This comparison with known attack/intrusion traffic patterns allows unauthorized access and fraudulent attack attempts to be identified.

Anomaly-based

AS-ID checks traffic patterns (quantity and quality) and behaviour patterns (protocols and applications) to detect possible anomalies.


Events and AKevents correlation

AS-ID allows filters and correlation rules to be defined for detected events; these generate Akevent alert messages when suspicious traffic content is identified.
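The two detection modes described under "Modes" and the correlation step described here, as an added illustration that is not Araknos code: the rule format, the fixed volume baseline, the packet fields and the sample traffic are all assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str      # transport protocol
    src: str        # source address
    dst: str        # destination address
    dport: int      # destination port
    payload: bytes  # raw payload bytes

# Assumed rule format (not the AS-ID rule syntax): header fields plus payload regex.
SIGNATURES = [
    {"name": "http-path-traversal", "proto": "tcp", "dport": 80,
     "pattern": re.compile(rb"\.\./\.\./")},
    {"name": "sql-union-in-query", "proto": "tcp", "dport": 80,
     "pattern": re.compile(rb"(?i)union\s+select")},
]

def signature_alerts(packets):
    """Signature mode: (rule, src, dst) for each packet matching a rule."""
    alerts = []
    for p in packets:
        for sig in SIGNATURES:
            if (p.proto == sig["proto"] and p.dport == sig["dport"]
                    and sig["pattern"].search(p.payload)):
                alerts.append((sig["name"], p.src, p.dst))
    return alerts

def anomaly_alerts(packets, baseline_per_src=3):
    """Anomaly mode: flag sources exceeding an assumed fixed packet baseline."""
    counts = Counter(p.src for p in packets)
    return [("traffic-volume-anomaly", src, n)
            for src, n in sorted(counts.items()) if n > baseline_per_src]

def correlate(sig_alerts, anom_alerts):
    """Correlation: a source hit in both modes becomes one higher-priority event."""
    noisy = {src for _, src, _ in anom_alerts}
    return sorted({src for _, src, _ in sig_alerts if src in noisy})

# Constructed sample traffic window (not captured data).
SAMPLE = [
    Packet("tcp", "10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1"),
    Packet("tcp", "10.0.0.7", "192.0.2.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("tcp", "10.0.0.7", "192.0.2.10", 80, b"GET /?q=1 UNION SELECT 1 HTTP/1.1"),
    Packet("tcp", "10.0.0.7", "192.0.2.10", 80, b"GET /a HTTP/1.1"),
    Packet("tcp", "10.0.0.7", "192.0.2.10", 80, b"GET /b HTTP/1.1"),
]
```

A real sensor learns its volume baseline from observed traffic rather than using a constant, and its rules carry many more header conditions than the two fields checked here.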


Updating rules and signatures

To remain efficient and effective, AS-ID requires its signatures and rules to be checked and updated regularly.
Updates are performed automatically through a direct connection to the Araknos central system, which checks for and runs the appropriate updates when necessary.


Data visualization

Visualization of AS-ID data is structured in various reports that can be accessed through a Web-based GUI and further customised and filtered according to different temporal and traffic criteria.


Configurable reports

Attackers, main types of attack, main targets of attacks, ...


High Availability

To ensure proper and continuous network operation, every AS-ID appliance is supplied with a secondary twin stand-by appliance (fail-over) that automatically becomes active if, for any reason, the primary appliance is unable to function properly.


Technical Documentation