Since version 5.4 of nBox with the Enterprise L license, a new feature called Behavior Analysis has been available. Let's see what it is and how to take advantage of it.
This ntopng feature monitors periodic network traffic flows, i.e., flows that repeat frequently, highlighting the services they contain and thus identifying the most frequently used applications.
Let's see how to enable Behavior Analysis through the ntopng web GUI: go to Settings Menu > Preferences and turn on the switch called Enable Traffic Behavior Analysis.
Enabling this feature activates two new submenus in the Maps Menu: Service Map, which contains all the services detected within a network, and Periodicity Map, which highlights the flows that are detected most frequently and repeat over time (see the Periodicity Map screenshot in the original post).
In that screenshot, for example, a Dropbox and/or BitTorrent flow can be identified within the network traffic, going from a host to its destination, a gateway recognized by the relevant icon.
Behavior Analysis, together with its related alert, provides a way to detect what are called Lateral Movements: it lets us spot traffic flows that may indicate an ongoing compromise of the systems under our administration, or a flow that does not comply with our corporate policies.
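To make the idea behind the Periodicity Map concrete, here is an added example (written for this article, not ntopng's own implementation, whose algorithm is not reproduced here): flows are grouped by client, server, application and port, and a group is flagged as periodic when its inter-arrival times are stable. The flow records, hosts, ports and thresholds are constructed sample values.

```python
"""Toy periodicity detector over constructed flow records.

Not ntopng's code: it only illustrates the concept of a flow that
repeats over time, the kind of flow the Periodicity Map surfaces.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (unix_time, client, server, l7_application, server_port)
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "10.0.0.1", "Dropbox", 443),   # every 300 s -> periodic
    (1300, "10.0.0.5", "10.0.0.1", "Dropbox", 443),
    (1600, "10.0.0.5", "10.0.0.1", "Dropbox", 443),
    (1900, "10.0.0.5", "10.0.0.1", "Dropbox", 443),
    (2200, "10.0.0.5", "10.0.0.1", "Dropbox", 443),
    (1010, "10.0.0.7", "10.0.0.9", "SMB", 445),       # irregular gaps -> not periodic
    (1020, "10.0.0.7", "10.0.0.9", "SMB", 445),
    (1500, "10.0.0.7", "10.0.0.9", "SMB", 445),
    (2100, "10.0.0.7", "10.0.0.9", "SMB", 445),
    (1050, "10.0.0.8", "10.0.0.2", "DNS", 53),        # too few observations
]


def find_periodic_flows(flows, min_observations=4, max_jitter=0.2):
    """Return {(client, server, app, port): period_seconds} for flow keys
    whose inter-arrival times are stable.

    Stability is measured as the coefficient of variation of the gaps
    (population std dev / mean); keys at or below max_jitter are periodic.
    Both thresholds are assumed values chosen for this example.
    """
    by_key = defaultdict(list)
    for ts, client, server, app, port in flows:
        by_key[(client, server, app, port)].append(ts)

    periodic = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_observations:
            continue                       # not enough data to judge
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            periodic[key] = period
    return periodic


if __name__ == "__main__":
    for key, period in find_periodic_flows(SAMPLE_FLOWS).items():
        print(f"periodic every {period}s: {key}")
```

A real deployment would feed exported flow records into this logic and compare periodic keys against an allow-list of expected services, so that an unexpected periodic flow between two internal hosts stands out for investigation.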
Did you read this article because you're knowledgeable about networking? Do you have the skills needed to manage networks? We're currently hiring for roles like this, as well as other roles, here at Würth Phoenix.