StealthWatch employs a completely different approach to traditional IDS, based on signature recognition. Instead of looking for signatures, it 'learns' what kind of activity is normal on your network and looks for abnormal events. Behavior-based IDS has some advantages over signature-based IDS, because less processing power is required and previously unknown attacks can be detected.
StealthWatch monitors the data flows between hosts and builds a database of statistics. When installed, you need to wait at least 24 hours to collect statistics on your network traffic. Then, you can examine the database to confirm manually that the activity seen was normal. This takes quite a bit of time and effort, but you only do this at the beginning. Then you can manually fine-tune if some abnormal activity is acceptable between certain hosts but not others.
Once you are certain that the activity seen is normal, you can lock down StealthWatch on this sample of normal traffic flows. After that, alerts are generated when anything out of line with this baseline activity is seen. If traffic patterns change at a later date, re-tuning the baseline usually takes much less time than it did initially.
StealthWatch uses a number of parameters to determine what is normal - for example, per-host traffic levels - and then comes up an alert based on a Concern Index, which indicates how serious StealthWatch considers the suspicious activity. The Concern Index is based on statistical comparison of network traffic with what has been established as baseline normal activity.
Instead of alarming system managers with every probe, port scan or ping, StealthWatch builds a profile of each suspicious host before assessing its threat by calculating the Concern Index. As soon as the Concern Index exceeds a predetermined value, StealthWatch generates alerts by email, pager, SNMP traps, etc.
StealthWatch is supplied as an appliance based on a standard rack-mounted Intel PC platform running a hardened version of Linux. This can be supplied with various NIC configurations, with the top of the range having two separate gigabit monitoring interfaces and one 10/100Mbits/sec administration interface.
Initial configuration is performed by connecting a monitor and keyboard directly to the StealthWatch hardware. After that, StealthWatch is managed through a web-browser interface from any workstation. Communications with the management interface are secured using SSL.
The reporting facilities are excellent. There is a very graphical approach to reporting, with timeline-based graphs of activity, and adequate information is available for subsequent forensic analysis. The flow data is archived to a log file and kept for up to 30 days.
