Beyond Alerts: Building Host Behavior Fingerprints with Suricata Data

Host Behavior Fingerprint: A New Direction for Suri Oculus 4.0


Figure 1. Prototype of the Baseline Diff dashboard in Suri Oculus 4.0. The interface compares current host behavior with a previously established baseline and highlights significant deviations in network activity.

One of the features currently under development for Suri Oculus 4.0 is the Host Behavior Fingerprint (HBF) system.

Traditional IDS and IPS solutions are highly effective at detecting known attacks: they match traffic against signatures and indicators of already-known malicious activity. In real-world environments, however, security teams also face a different challenge: understanding not only individual events, but the overall behavior of the devices operating within the network.

Even relatively small networks can generate thousands of events every day. These include connections to external services, DNS requests, TLS sessions, HTTP traffic, and many other activities. In many cases, it is difficult to determine whether a specific event is truly suspicious or simply part of the device’s normal behavior.

This is the problem that Host Behavior Fingerprint is designed to address.

The core idea is to build a behavioral profile for each device from the events Suricata already emits (flow, DNS, TLS, HTTP and other records). Instead of focusing solely on individual events, the system continuously aggregates the typical activity of a host and uses it to create a baseline behavioral model against which later activity can be compared.

For example, a workstation may regularly communicate with corporate services, cloud platforms, software repositories, and update servers. A database server, on the other hand, will exhibit a completely different activity pattern. If a device suddenly begins to behave differently from its historical baseline, this may indicate a compromise, a configuration error, or the introduction of new software.

The first prototype focuses on the Baseline Diff view shown in Figure 1, where current host behavior is compared with a previously established baseline. The system is built from three components.

The first component is the Host Behavior Fingerprint itself, which stores aggregated characteristics of a device’s network activity.

The second component is Baseline Diff. This mechanism compares current behavior with previously established baselines and highlights meaningful changes over time.

The third component is Confidence Score. Its purpose is to estimate how confident the system is that an observed behavioral change is significant enough to require administrator attention.
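The pipeline described above (the per-host fingerprint built from Suricata data, the Baseline Diff and the Confidence Score), as an added, runnable example that is not Suri Oculus code. It aggregates constructed Suricata EVE records per source IP, diffs a current window against a baseline, and scores the change. The dimension names, the WEIGHTS table, the scoring rule, the min_baseline_events threshold and all sample data are my assumptions; the EVE field names used (event_type, src_ip, dest_ip, dest_port, proto, dns.rrname, tls.sni, tls.ja3.hash) are the ones Suricata writes to eve.json, one JSON object per line.

```python
"""Toy Host Behavior Fingerprint over Suricata EVE JSON events. Added example, not Suri Oculus
code: dimension names, WEIGHTS and the scoring rule are illustrative assumptions; the field names
(event_type, src_ip, dest_ip, dest_port, proto, dns.rrname, tls.sni, tls.ja3.hash) are Suricata's."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

@dataclass
class HostProfile:
    """Aggregated characteristics of one host: one Counter per behavioural dimension."""
    events: int = 0
    dims: dict = field(default_factory=lambda: defaultdict(Counter))

def fingerprint(events):
    """Build a HostProfile per source IP from flow, dns (queries only) and tls events."""
    profiles = defaultdict(HostProfile)
    for ev in events:
        host, et = ev.get("src_ip"), ev.get("event_type")
        if host is None:  # e.g. stats records carry no src_ip
            continue
        p = profiles[host]
        if et == "flow":
            p.dims["dest_ports"][f'{ev["proto"]}/{ev["dest_port"]}'] += 1
            p.dims["dest_ips"][ev["dest_ip"]] += 1
        elif et == "dns" and ev["dns"].get("type") == "query":
            p.dims["dns_queries"][ev["dns"]["rrname"]] += 1
        elif et == "tls":
            p.dims["tls_sni"][ev["tls"].get("sni", "(no sni)")] += 1
            if "ja3" in ev["tls"]:
                p.dims["ja3"][ev["tls"]["ja3"]["hash"]] += 1
        else:
            continue  # alerts, dns answers, stats etc. are not profiled
        p.events += 1
    return profiles

def baseline_diff(base, cur):
    """Per dimension: never-seen values, their share of current activity, and values that vanished."""
    out = {}
    for dim, now in cur.dims.items():
        then = base.dims.get(dim, Counter())
        new = {v: n for v, n in now.items() if v not in then}
        total = sum(now.values())
        out[dim] = {"new": new, "new_share": sum(new.values()) / total if total else 0.0,
                    "dropped": sorted(v for v in then if v not in now)}
    return out

# Assumed weights: a new TLS client fingerprint or destination port is a stronger signal
# than one more DNS name. Tune per environment.
WEIGHTS = {"ja3": 3.0, "dest_ports": 2.0, "dest_ips": 1.0, "tls_sni": 1.0, "dns_queries": 1.0}

def confidence_score(diff, baseline_events, min_baseline_events=100):
    """0..1: weighted novelty share, discounted while the baseline has fewer than min_baseline_events."""
    maturity = min(1.0, baseline_events / min_baseline_events)
    dims = [d for d in diff if d in WEIGHTS]
    if not dims:
        return 0.0
    novelty = sum(WEIGHTS[d] * diff[d]["new_share"] for d in dims) / sum(WEIGHTS[d] for d in dims)
    return maturity * novelty

def compare(baseline_profiles, current_profiles, min_baseline_events=100):
    """Baseline Diff plus Confidence Score for every host seen in the current window."""
    report = {}
    for host, cur in current_profiles.items():
        base = baseline_profiles.get(host, HostProfile())  # unknown host: empty baseline
        diff = baseline_diff(base, cur)
        report[host] = {"baseline_events": base.events, "diff": diff,
                        "score": confidence_score(diff, base.events, min_baseline_events)}
    return report

# Constructed sample events (not captured traffic), laid out like Suricata EVE records.
def flow(src, dst, port, proto="TCP"):
    return {"event_type": "flow", "src_ip": src, "dest_ip": dst, "dest_port": port, "proto": proto}
def dns(src, name, qtype="query"):
    return {"event_type": "dns", "src_ip": src, "dns": {"type": qtype, "rrname": name}}
def tls(src, ja3, sni=None):
    return {"event_type": "tls", "src_ip": src, "tls": {"ja3": {"hash": ja3}, **({"sni": sni} if sni else {})}}

WS = "10.0.0.5"  # a workstation with an established baseline
BASELINE_EVENTS = [
    flow(WS, "10.0.0.10", 443), flow(WS, "10.0.0.10", 443), flow(WS, "203.0.113.20", 443),
    flow(WS, "10.0.0.53", 53, "UDP"),
    dns(WS, "intranet.corp.example"), dns(WS, "updates.vendor.example"),
    dns(WS, "updates.vendor.example", qtype="answer"),  # answers are skipped by fingerprint()
    tls(WS, "aaaa1111", "intranet.corp.example"), tls(WS, "aaaa1111", "updates.vendor.example"),
]
CURRENT_EVENTS = [
    flow(WS, "10.0.0.10", 443), flow(WS, "10.0.0.53", 53, "UDP"), flow(WS, "198.51.100.9", 4444),
    dns(WS, "intranet.corp.example"), dns(WS, "xk3q.update-check.example"),
    tls(WS, "aaaa1111", "intranet.corp.example"), tls(WS, "bbbb2222"),  # new client, no SNI
    flow("10.0.0.77", "10.0.0.10", 445),  # a host with no baseline at all
]

if __name__ == "__main__":
    report = compare(fingerprint(BASELINE_EVENTS), fingerprint(CURRENT_EVENTS), min_baseline_events=8)
    for host, r in report.items():
        print(f"{host}: score={r['score']:.3f} (baseline events: {r['baseline_events']})")
        for dim, d in r["diff"].items():
            if d["new"] or d["dropped"]:
                print(f"  {dim}: new={sorted(d['new'])} dropped={d['dropped']}")
```

Two failure modes the score is built to expose: a host with no or very little baseline history (10.0.0.77 here) gets a score of zero rather than a confident-looking alert, and a baseline recorded while a host was already compromised will normalize the attacker's traffic, so baselines should be learned over a window you trust and re-learned deliberately, not silently. Two Suricata caveats: tls.ja3 is only present when JA3 fingerprinting is enabled in suricata.yaml, and the dns record layout used here (a type field separating queries from answers) follows the EVE dns v2 format, so adapt the parser to the format your Suricata version produces.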

Particular attention is being paid to performance. Like other Suri Oculus components, the new functionality is being designed to operate efficiently on modest hardware and does not require a complex infrastructure composed of numerous services.

At the current stage, Host Behavior Fingerprint remains under active development and represents one of the key focus areas for the upcoming Suri Oculus 4.0 release.

I would be interested in hearing from security professionals and Suricata users.

Which host behavior characteristics do you consider most valuable for building device profiles and detecting meaningful deviations from normal activity?