ÆCID is a partially self-learning, whitelisting-based anomaly detection system operating on log file collections in computer networks – scalable from small industrial control systems to large-scale enterprise infrastructures. ÆCID digests log output from the network layer (e.g., firewalls, switches, routers) and application layer (e.g., Web servers, DNS, application servers etc.). It detects anomalies of various kinds, including unusual single events, anomalous event parameters, deviating event frequencies, and – most important – suspicious violations of trained event correlations. It can notify operators via numerous channels about discovered anomalies.
Advantages of ÆCID
- Self-learning – no human effort for manual definition of rules, thus easier setup and cost-efficient maintenance.
- No specific parsers – ÆCID uses a patented solution to build up system behavior models to understand relevant events and their relations.
- Effective applicability in legacy systems and systems with low market share – through self-learned model instead of manually defined parsers.
- Correlation of events across systems, protocols and layers – ÆCID understands events of varying abstraction levels and can use multiple mining instances for increased scalability.
- ÆCID does not replace an existing security solution – it runs in parallel and can be connected to SIEM solutions.