Network behavior-analysis

Unanswered Question
Aug 12th, 2008

Hi, in our organization, management wants to implement Network Behavior Analysis, and they are requesting us to send them some documents on this.

Can anyone help me with this?

I am at zero level regarding this technology. I do not even know whether this technology is a tool or something else. Please send some documents on this.


MARS is one big solution for Network Behaviour Analysis. Have a look at the doc attached.

Today, the main goal of administrators is to have a tool which could do the analysis on their part and give a BOTTOM line of the incident/anomaly. Consider a network admin taking care of multiples of routers/firewalls/IPS etc., who has to go through each log from each device separately for any issue; even predicting an issue is something impossible for a human being.

So Network Behaviour Analysis tools (MARS is one such tool) make use of existing technologies/methods like SNMP/FTP/TELNET to retrieve events from the devices (routers/switches/FWs/IPS, and the list goes down to workstations, e.g. XP/2000), and CORRELATE them (compile the events, find the similar ones and make them 1 SESSION), to present a single-line statement to the administrator that something has happened in the network.

The second part of an NBA tool like MARS is to detect any anomaly, meaning that even if nothing bad has happened yet in the network, there is something bad that is going to happen. For instance, if a port in the network switch starts using 90% of its traffic volume limit and stays in that condition for some time, this could be a symptom of a virus starting to spread in the network, or of some sort of broadcast storm that could be triggered from this port. Hence MARS detects the anomaly and provides precautionary steps to avoid something like this happening in the network.

So, NBA is the superset of "Network events" and "Network behaviour anomaly".
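The two halves described in the post above (correlating raw events from several devices into one session the administrator can read as a single line, and flagging a switch port that stays above 90% utilisation long enough to matter) can be shown in a few dozen lines. The script below is an added example, not code from MARS or from the poster; the log lines and utilisation samples are constructed, and the 60-second session gap, 30-second sample interval and 10-sample "sustained" run are assumptions chosen for illustration.

```python
"""Toy network behaviour analysis: correlate events into sessions, then flag
sustained high utilisation.  Added example; not MARS code."""
from datetime import datetime, timedelta

# Constructed syslog-style events from a firewall, an IPS and a router (not real logs).
EVENTS = [
    "2008-08-12T10:00:01 fw1 DENY tcp 10.1.1.5:40001 -> 10.2.2.9:445",
    "2008-08-12T10:00:02 fw1 DENY tcp 10.1.1.5:40002 -> 10.2.2.9:445",
    "2008-08-12T10:00:03 ips1 ALERT tcp 10.1.1.5:40003 -> 10.2.2.9:445",
    "2008-08-12T10:00:04 rtr1 DENY tcp 10.1.1.5:40004 -> 10.2.2.9:445",
    "2008-08-12T10:05:30 fw1 DENY udp 10.1.1.7:5353 -> 10.2.2.1:53",
    "2008-08-12T10:12:00 fw1 DENY tcp 10.1.1.5:40010 -> 10.2.2.9:445",
]

SESSION_GAP = timedelta(seconds=60)  # assumption: >60 s between events starts a new session
UTIL_THRESHOLD = 90.0                # percent, taken from the post's example
SUSTAINED_SAMPLES = 10               # assumption: 10 samples x 30 s = 5 minutes


def parse_event(line):
    """Split one constructed log line into its fields."""
    ts, device, action, proto, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": datetime.fromisoformat(ts), "device": device, "action": action,
            "proto": proto, "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port)}


def correlate(lines, gap=SESSION_GAP):
    """Group events sharing (src_ip, dst_ip, dst_port) into sessions.

    A new session starts when the next event for that key arrives more than
    `gap` after the previous one.  Sessions are returned in first-seen order.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    open_sessions = {}  # key -> session currently being extended
    sessions = []
    for e in events:
        key = (e["src_ip"], e["dst_ip"], e["dst_port"])
        s = open_sessions.get(key)
        if s is None or e["time"] - s["last"] > gap:
            s = {"key": key, "first": e["time"], "last": e["time"],
                 "count": 0, "devices": set(), "actions": set()}
            open_sessions[key] = s
            sessions.append(s)
        s["last"] = e["time"]
        s["count"] += 1
        s["devices"].add(e["device"])
        s["actions"].add(e["action"])
    return sessions


def summarize(session):
    """The single-line statement an administrator would read."""
    src, dst, port = session["key"]
    return (f"{session['count']} events from {src} to {dst}:{port} seen by "
            f"{', '.join(sorted(session['devices']))} between "
            f"{session['first']:%H:%M:%S} and {session['last']:%H:%M:%S}")


# Constructed per-port utilisation samples in percent, one every 30 s (not real data).
PORT_UTIL = {
    "Gi1/0/12": [20, 22, 25, 92, 95, 97, 99, 98, 96, 95, 97, 99, 98, 97],  # sustained
    "Gi1/0/13": [15, 91, 93, 18, 17, 16, 20, 19, 18, 17, 15, 16, 14, 13],  # brief spike only
}


def sustained_high_util(samples, threshold=UTIL_THRESHOLD, run=SUSTAINED_SAMPLES):
    """Return the index at which `run` consecutive samples >= threshold were first
    completed, or None.  A short spike therefore does not count as an anomaly."""
    streak = 0
    for i, pct in enumerate(samples):
        streak = streak + 1 if pct >= threshold else 0
        if streak >= run:
            return i
    return None


def anomalies(port_util):
    """Map each port with sustained high utilisation to the sample index that triggered it."""
    found = {}
    for port, samples in port_util.items():
        idx = sustained_high_util(samples)
        if idx is not None:
            found[port] = idx
    return found


if __name__ == "__main__":
    for s in correlate(EVENTS):
        print(summarize(s))
    for port, idx in anomalies(PORT_UTIL).items():
        print(f"{port}: >= {UTIL_THRESHOLD:.0f}% utilisation for {SUSTAINED_SAMPLES} "
              f"consecutive samples (completed at sample {idx})")
```

Run stand-alone, the four 10:00 events against 10.2.2.9:445 collapse into one session seen by fw1, ips1 and rtr1, the 10:12 event starts a new session because it falls outside the gap, and only Gi1/0/12 is reported, since Gi1/0/13 drops back below the threshold after two samples.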


Farrukh Haroon Wed, 08/13/2008 - 01:54

I really don't agree with your statement here:

"MARS is one big solution for Network Behaviour Analysis". Perhaps a fairer comment would be "MARS is great at SIM/SEM/STM and does provide 'some' network-based behavior analysis features".

Does it support Cflow, Sflow? What about the reports? And some of the other fancy stuff offered by the products mentioned in the Network World link?



Well, it all depends on the requirement. If it gets fulfilled by NetFlow, why would someone bother to go for Sflow or Cflow?

And if it's about being futuristic, then yes, but again, some fancy stuff like "Flexible NetFlow" and "IPFIX" is not even mentioned in the Network World link, so does it mean that those products are just "great" and not "big" solutions? Maybe it's just a word game, but as I said, NBA is not just anomaly detection; it is the superset of event generation/correlation and anomaly detection.



Farrukh Haroon Wed, 08/13/2008 - 03:07

Thank you for your valuable comments. I assume by 'futuristic' you mean 'scalable'?

Because CFlow or SFlow are not things of the future; they run on hundreds of networks :)

A good consultant always proposes a scalable solution (subject to cost/other constraints) :). I myself proposed someone the MARS solution (on this same forum) but after looking at it closely in terms of traffic analysis......

Take Care


Farrukh Haroon Wed, 08/13/2008 - 11:09

By the way, I just got an email from Solarwinds that they are offering a free Netflow Analyzer supporting Netflow/Cflow/Jflow.



P.S. I have no affiliation with Solarwinds :)

