Success with 802.3bz

- Posted in Network Solution by

In 2016, the IEEE ratified a standard for pushing higher data rates over copper cabling. 802.3bz provides for 2.5 Gbit/S for 300 feet over Cat5e and 5 Gbit/S for 300 feet over Cat6. 802.3bz is available in commercial gear today. Cisco calls it mGig. Aruba calls it Smart Rate, and combines 802.3bz with optional 802.3bt, 60W Power-over-Ethernet.

Access points are really fast, now—particularly with 802.11ax. Even lower-end models are fast enough to outrun a gigabit connection. The problem can be addressed by running two, bonded 1-Gig connections to each AP. With 802.3bz, it may be possible to reuse the existing wiring and push it to 2.5 Gbit/S.

It works! We’ve been deploying a lot of it this past year. But, what about the cost? In order to push 2.5 Gbit/S (or 5 Gbit/S), you will need an access point that supports 802.3bz and a switch port that supports it, too. An 802.3bz deployment will save the cost of one network drop and one switch port for each AP, when compared with a bonded, 2 Gbit/S configuration. Assuming the same AP in either case, here are the relative costs:

enter image description here

What this says is that if you’re running two drops and using two switch ports, it will cost you just a little less to use 802.3bz. If you already have an existing network drop going to an access point, then it would be less expensive to run a second drop and consume another switch port. But who wants to do that! What a mess…

  • Kevin Dowd

Dynamic port configuration in Aruba OS-CX switches

- Posted in Aruba Network by

Aruba's OS-CX switches have the ability to profile devices connected to ports and dynamically assign roles and policies (ACLs) to those ports. The ACLs can include the usual stuff--filtering on source, destination and protocol. But, they can also include configuration parameters like VLAN assignment.

Here's a simple example that can be useful when deploying access points with bridged VLANs. In this example, the switch makes a profile of the connected device using LLDP (you can use CDP, too), parses the response and assigns a role to the port. The role has policies that assign VLANs.

To see how this would work, let’s say that we have an access point on port 1/1/10. Examining the LLDP query on the port, we get the following:

enter image description here

In our test for the presence of an AP, we will search the description for "IAP". To make the example a little more interesting, we will also skip any AP-305s we might find. The following are rules that will match our LLDP port access test. These are arranged like a sieve; the first pattern that matches wins.

 port-access lldp-group AP-lldp-group
     seq 10 ignore sys-desc 305
     seq 20 match sys-desc IAP

Next, we define the role and the policies that we want to associate with access points that match the above port-access tests. The block below says that the role is called "lldp-AP," and that the policies "create a trunk and allow VLANs 12,22,40 and 100, and make 100 be the native VLAN."

 port-access role lldp-AP
     vlan trunk native 100
     vlan trunk allowed 12,22,40,100

This last section is the glue that pulls the port-access tests and the role assignment together. It says "if the device on port x matches AP-lldp-group tests then assign the role of lldp-AP."

 port-access device-profile AP-lldp-devprofile
     associate role lldp-AP
     associate lldp-group AP-lldp-group
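
The sieve behaviour of the three stanzas above can be checked offline before touching a switch. The following is an added example, not Aruba code: it assumes "sys-desc" is a case-sensitive substring test, and the LLDP descriptions in SAMPLES are constructed.

```python
"""Model of the first-match-wins LLDP classification described above.

Added example: a simulation for reasoning about rule order, not switch code.
Assumption: 'sys-desc <text>' is a case-sensitive substring test.
"""

# The three stanzas from the article.
CONFIG = """\
port-access lldp-group AP-lldp-group
     seq 10 ignore sys-desc 305
     seq 20 match sys-desc IAP
port-access role lldp-AP
     vlan trunk native 100
     vlan trunk allowed 12,22,40,100
port-access device-profile AP-lldp-devprofile
     associate role lldp-AP
     associate lldp-group AP-lldp-group
"""

# Same rules with the ignore test moved behind the match test.
REORDERED = CONFIG.replace("seq 10 ignore", "seq 30 ignore")

# Constructed LLDP system descriptions (not captured from real devices).
SAMPLES = {
    "ap-515": "ArubaOS (MODEL: 515), Version Aruba IAP",
    "ap-305": "ArubaOS (MODEL: 305), Version Aruba IAP",
    "ap-515-build": "ArubaOS (MODEL: 515), Version Aruba IAP build 73052",
    "printer": "Constructed Printer 4000",
}


def parse(config):
    """Return (groups, roles, profiles) parsed from the stanzas."""
    groups, roles, profiles = {}, {}, {}
    kind = name = None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():                      # stanza header
            _, kind, name = words
            store = {"lldp-group": groups, "role": roles,
                     "device-profile": profiles}[kind]
            store[name] = [] if kind == "lldp-group" else {}
        elif kind == "lldp-group":                    # seq <n> <action> sys-desc <text>
            groups[name].append((int(words[1]), words[2], " ".join(words[4:])))
        elif kind == "role" and words[:3] == ["vlan", "trunk", "native"]:
            roles[name]["native"] = int(words[3])
        elif kind == "role" and words[:3] == ["vlan", "trunk", "allowed"]:
            roles[name]["allowed"] = [int(v) for v in words[3].split(",")]
        elif kind == "device-profile" and words[0] == "associate":
            profiles[name][words[1]] = words[2]
    return groups, roles, profiles


def classify(sys_desc, rules):
    """Walk the rules in sequence order; the first rule whose text appears wins."""
    for _seq, action, text in sorted(rules):
        if text in sys_desc:
            return action                             # 'match' or 'ignore'
    return None                                       # no rule fired


def port_config(sys_desc, config=CONFIG, profile="AP-lldp-devprofile"):
    """Return the role and VLAN settings for a device, or None if no role applies."""
    groups, roles, profiles = parse(config)
    prof = profiles[profile]
    if classify(sys_desc, groups[prof["lldp-group"]]) == "match":
        return {"role": prof["role"], **roles[prof["role"]]}
    return None


if __name__ == "__main__":
    for label, desc in SAMPLES.items():
        print(f"{label:13} original={port_config(desc)} "
              f"reordered={port_config(desc, REORDERED)}")
    # Note "ap-515-build": under the substring assumption, the short pattern
    # "305" also hits the build number, so a wanted AP is skipped.
```
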

Dynamic profiling can be applied to other kinds of devices too, including printers, projectors and phones. When used in conjunction with Aruba Central or NetEdit, elements of the policies and port-access tests can be described using variables, such as this:

 port-access role lldp-AP
     vlan trunk native %_native_VLAN%
     vlan trunk allowed 

When used in conjunction with ClearPass and controllers, the ports can implement enhanced profiling, role assignment and dynamic segmentation whereby VLANs that don’t even exist on the switch can be tunneled from other parts of the organization.

Network Infrastructure is Changing

- Posted in Latest Technology by

Last year's switches are very appliance-like. They're a narrow mixture of layer-2, layer-3 and Power-over-Ethernet features--just as they have been for about fifteen years. Switches you might buy this year will behave like last year's when you need them to; you can still program them individually at layer-2 or layer-3 using the command line. But, they're different.

As with phones, cars, televisions, and other electronics, network switches (and access points) have benefited from great increases in computing power. New devices run general purpose operating systems in lieu of embedded firmware. They're built upon supercomputer-speed hardware. So, in addition to switching and routing, they can do general-purpose computer-like stuff, and they can be extended in their capabilities.

Like what? The best-hyped new capability in network equipment is AI. This is the ability to leverage observations taken in the past and apply them to your network in the present. Moreover, it is the ability to pool and organize observations across many organizations' networks to increase the network's resilience for everyone. This includes giving the network the power to recognize issues and heal itself.

Switches are smarter in non-AI ways, too. We've had NAC for a long time (and barely used it). Now, you can program the switches to recognize and classify a device, such as a printer or AP, and assign it the appropriate VLANs and permissions--all by itself. Switches can often apply ACLs and bandwidth restrictions without the help of a central authentication server.

Switches needn't be configured onesy-twosy any longer. Consistency in configuration, visibility and resiliency can be managed for the whole LAN or WAN, all at once. This is possible from the local or cloud-based managers. Software-defined networking--once the stuff of expensive data center switches--is right beneath the surface on many of these devices. The abilities to create arbitrary logical network architectures, to safely extend encrypted VLANs from far-away cores and to secure them are available, if you want to use them.

Wireless has advanced remarkably, too. Controller-based and hive (virtual controller) wireless is being supplanted by WiFi networks in which every AP is its own controller. Consider that if every access point has a 2.5 or 5 Gbit/S interface of its own, then centralized operation and switching will become a liability for larger deployments. In the latest paradigm, AI and central configuration services manage and update the network, but the traffic is bridged onto the LAN at wire speeds by the access point, cooperating with neighbors, but acting on its own behalf.

Three features of WiFi6 are going to make today's wireless networks unrecognizably fast, tomorrow--especially in dense deployments. The first is modulation techniques, particularly QAM-1024, that push wireless into the gigabit+ range with a reasonable number of antenna chains. BSS Coloring greatly increases the efficient use of crowded radio space. OFDMA, which allows the sharing of transmissions between clients, can provide greatly improved transmission-cycle efficiency. If that's not enough, WiFi6E is out with new spectrum in the 6GHz range, including very wide channels (up to 320 MHz) for huge performance. Look back at some of our earlier communications to learn more about these capabilities.

Spanning Tree Protocol and Broadcast Storm

- Posted in Network Solution by

Problem we are trying to solve: repeat traffic over the same link, particularly broadcast storms. If a layer-2 network has a loop, the same traffic may be forwarded over the same physical network segment repeatedly until its time-to-live expires. Network loops can bring a network down by burying it in traffic.

A collection of switches can be organized into a spanning tree. A spanning tree is a concept from graph theory that describes paths to interconnect all nodes without creating cycles (or loops). So, for instance, nodes A, B, C and D can be interconnected in multiple ways, including:

enter image description here

The topology is a tree. Spanning tree protocols detect cycles (loops) by listening for Bridge Protocol Data Units (BPDUs), which are messages that start at a node designated as the root, and propagate through the tree. When a repeat BPDU is detected, a node makes a calculation about which is the best propagation link among the duplicates. The other, duplicate links are placed into a blocking state. By this mechanism, a spanning tree can be formed among arbitrarily interconnected nodes.

Spanning tree protocols have been used to create resiliency in networks; if one of multiple links goes down, spanning tree protocols may resurrect another. However, multi-path resilience built from link aggregation groups--multiple links cooperating as one--provides combined bandwidth and faster convergence, and is a better design.

Loop detection is a single-switch capability for detecting the interconnection of two or more ports through another device that doesn't participate in spanning tree. Imagine, for example, two Ethernet ports in a classroom being looped through an unmanaged desktop switch; loop detection will shut down one of the ports.

-Kevin Dowd

What is EduRoam

- Posted in Education Technology by

What is EduRoam?

EduRoam, or Education Roaming, is a global wireless network access service developed for the international research and education community. It allows students, researchers and staff to obtain internet connectivity across campus. When visiting other participating institutions, they can easily connect to the internet by opening their laptops and using their home institution credentials.

EduRoam uses the IEEE 802.1X protocol (WPA2-enterprise) and a system of interconnected RADIUS servers, with the main U.S. node operated by Internet2 in collaboration with the global Eduroam community.

Why do you need EduRoam?

We live in a world where WiFi access is a necessity in institutions, businesses and campuses. EduRoam will make your venue more attractive for meetings or conferences, as it allows participants to access the network without assistance.

EduRoam is secured and can give access to thousands of participating hotspots globally.

The cost of implementing and maintaining EduRoam is fair and acceptable. It can help reduce cost and workload for the IT department, such as the need to supply temporary accounts to visiting users. Less work can mean fewer headaches for your IT or administrative people.

The log-ins are secured, which means that passwords are kept private at all times and a misbehaving user can always be identified with the help of their home institution.

Overall, EduRoam makes it possible for visiting students, staff and researchers to use their EduRoam credentials to access secured WiFi quickly and easily without (or with minimal) assistance and support.

How do you deploy EduRoam?

The basic process to set up EduRoam is as follows:

  • The school or school district registers with EduRoam and verifies identity and domain control.

  • Once registered they are given credentials to an administration page which allows them to associate their domain with an IP address for their RADIUS server. They are also given a pre-shared secret for their RADIUS server to authenticate to the EduRoam RADIUS servers.

  • The internal RADIUS server needs to handle three scenarios of clients authenticating on the EduRoam SSID.

    o A local user is attempting to authenticate - no need to involve EduRoam's RADIUS servers.

    o An external EduRoam visitor is on-campus attempting to authenticate. Authentication is sent to EduRoam's RADIUS servers, expect return response.

    o A local user is visiting or "roaming" off-campus. Authentication attempt is received from EduRoam's RADIUS servers, need to authenticate and return response.
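
The three scenarios reduce to a decision on the realm part of the user name and on where the request came from. This is an added example, not EduRoam's or any RADIUS server's code; LOCAL_REALM, the source labels and the rule of rejecting malformed names and foreign realms that arrive from EduRoam are assumptions made for illustration.

```python
"""Routing decision for the three EduRoam authentication scenarios above.

Added example. LOCAL_REALM and the 'campus' / 'eduroam' source labels are
hypothetical; a real deployment expresses this in its RADIUS server's
proxy configuration.
"""

LOCAL_REALM = "school.example"   # hypothetical home realm


def realm_of(user_name):
    """Return the lower-cased realm of user@realm, or None if malformed."""
    local, sep, realm = user_name.rpartition("@")
    if not sep or not local or not realm or "@" in local:
        return None
    return realm.lower()


def route(user_name, source):
    """Decide what the internal RADIUS server does with one request.

    source: 'campus'  = request from our own access points
            'eduroam' = request relayed to us by EduRoam's RADIUS servers
    """
    if source not in ("campus", "eduroam"):
        raise ValueError(f"unknown source: {source!r}")
    realm = realm_of(user_name)
    if realm is None:
        return "reject"                      # no usable realm, cannot be routed
    is_local = realm == LOCAL_REALM          # exact match, not a suffix test
    if source == "campus":
        # Scenario 1 (local user) or scenario 2 (visitor on campus).
        return "authenticate-locally" if is_local else "proxy-to-eduroam"
    # Scenario 3: only our own roaming users should arrive from EduRoam.
    # Anything else is refused rather than sent back, which would loop.
    return "authenticate-locally" if is_local else "reject"


if __name__ == "__main__":
    for name, src in [("alice@school.example", "campus"),
                      ("bob@other.example", "campus"),
                      ("alice@school.example", "eduroam"),
                      ("bob@other.example", "eduroam"),
                      ("alice", "campus")]:
        print(f"{name:24} via {src:8} -> {route(name, src)}")
```
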

Who Ya Gonna Call?

- Posted in Network Solution by

Who ya gonna call?

When there's something bad and it doesn't look good. Who ya gonna call? You contact the manufacturer. Nothing gets resolved. This blog entry is about ten WiFi puzzles we've been invited into over the last year or so. I leave the names out. A few of them aren't even our regular customers.

Case 1: School A, no address disclosed, has a problem with Chromebooks using a shared PSK SSID. Some of the kids can get on. Some can't. All other devices seem to be fine. Diagnosis: the manufacturer's wireless intrusion prevention saw many different devices logging in with the same ID and password and shut them down, thinking that they were massing an attack. Resolution: Disable WIP for this case.

Case 2: School B, no certain address, most kids can't Zoom, can't stream. But some are fine. Diagnosis: school had installed a new LED lighting system over the summer. Non-802.11 communications or noise (makes no difference to the WiFi clients) spiked across the upper part of the 5 GHz spectrum at arbitrary times. Resolution: enable DFS channels and move 5 GHz traffic away from the lighting system.

enter image description here

Case 3: School C, address withheld, can't stream reliably, can't Zoom reliably--all devices affected. Short sessions 'appeared' to be okay. Diagnosis: another vendor had increased the basic WiFi rates and minimum negotiated rates too high. This caused clients to hang onto sessions that were unsustainable and led to high frame loss. Resolution: relax the basic and negotiated rates to make the network useful again. Raising rates is just voodoo, anyway; clients roam when RSSI gets low, not when there's no lower rate choice available.

Case 4: School D, location unknown, WiFi was no good on the second floor. Diagnosis: this was a small school with two floors in a crowded city environment. Resolution: enable band-steering for the 5GHz band and disable 2.4 GHz upstairs.

Case 5: School E, name changed for security, lost WiFi connectivity in some areas of the school every day at the same time. Diagnosis: a manufacturer update had enabled DFS channels. This school was on the glide path to a large airport. One particular 5 GHz channel was re-abandoned every day at the same time as a daily flight came in. Resolution: Disable DFS channels.

Case 6: School F, not the same address as the last one, lost WiFi connectivity every day at the same time. Diagnosis: inspection of AP logs showed that access points lost contact with their controller two or three times a day. Resolution: we found a loop in an MDF that caused a broadcast storm on the wired network. This caused the APs to lose contact with the controller. Not sure why nobody noticed everything else grinding to a halt...

Case 7: School G, address confidential, had 'spinning' WiFi in certain parts of the building. Diagnosis: during a renovation, builders were to remove all of the old access points (and pretty much everything else). They missed a few. When the renovations were complete, and the new switching was installed, the old APs found the controller and began advertising SSIDs. The problem was that these APs weren't supposed to exist, and the networks they were offering weren't trunked to them (these were bridged SSIDs; not tunneled). Students could connect at Layer-2, but that was it. Resolution: shut down the old APs.

Case 8: School H, address also withheld, had student WiFi that was unable to reach the Internet for some, not all, students. Diagnosis: This was a small school. The wired LAN was bridged to the WiFi network (by design). One day, a teacher had plugged a consumer-grade WiFi router into the wired network. This router began handing out 192.168.0.x DHCP assignments to students as they joined the 10.x WiFi network. Resolution: Unplug the router.

Case 9: School J, address unknown, had bad WiFi in the auditorium. Diagnosis: the auditorium had an impossible number of interfering access points, all with omni-directional antennas. Resolution: shut some of them off and think about partitioning the space with directed coverage for wireless access.

Case 10: School K, wouldn't want me to disclose their address, had "bad WiFi". People "had to reboot," etc. Diagnosis: school had multiple, uncoordinated DHCP servers handing out overlapping network addresses from the same scope. Resolution: Really?! C'mon! Who ya gonna call?

What is Outdoor WIFI

- Posted in WAN/LAN by

What is Outdoor WiFi or Long-Range WiFi Network?

Outdoor WiFi setups are low-cost and can help improve your internet connection throughout your property. This setup gives you the ability to access a network from miles away - whether it’s to share the internet connection with another building or simply extend the WiFi signal outside.

To provide outdoor WiFi to an area adjacent to a building, there are two approaches:

1) exterior, weatherproof, purpose-built access points, mounted on the outside of the building.

2) interior access points mated with exterior antennas. The AP is inside the building; the antenna is outside.

Often, you will choose an AP or antenna with a sector radiation pattern that directs coverage away from the building and out into an open space.

The AP or sector antenna might create a 30, 45, 60, 90, or 120 degree horizontal wedge. The narrower the antenna pattern, the more concentrated the power from the transmitter. This concentration is expressed as the antenna's gain factor. An antenna with a narrow sector pattern can provide service for many miles over a smaller coverage area.

In the US, the effective radiated power output is limited to 100 milliwatts, by law. When you pair an antenna with an access point, you will have to program a gain factor for the antenna. This will be provided by the antenna manufacturer. The gain value tells the transmitter to reduce output power to remain within the law.

Antenna extension cables and connectors can cause losses between the transmitter and the antenna. With long antenna cables, you may have to reduce the programmable gain to make up for the losses. It is better to extend the Cat5e or Cat6 data cable that provides data and power to the access point than to extend the antenna leads.

When choosing a location for an exterior antenna or AP, it is best that there be line-of-sight between the antenna and the area to be covered. Trees and other structures will attenuate radio signals, particularly for the 5 GHz bands.

It is also very important that the near-field of the signal be unobstructed. Roof edges, building overhangs and corners can interfere with the radiation pattern.

Picture a pebble dropped into the water. Ripples will radiate evenly in all directions. Now, picture the same pebble dropped into water with rocks. The ripple pattern will be disturbed by the reflections from the obstructions. We want to avoid the same kind of reflections with WiFi.

To cover an open space with many access points, such as a quadrangle, it is better to mount the antennas high and aim them downward, toward the ground. This is the same approach that one would take if installing outdoor lighting, careful to light each area independently.

To provide WiFi to locations far away, a wireless bridge or mesh may be desired. An access point located on a building can create a back-haul link to a distant access point or access points.

When there is one access point at the far end of the back-haul link, we call this a point-to-point connection or bridge. When there are several, we call this point-to-multipoint or mesh. The distant access points may provide local service as if they were wired.

Often, with a dual-radio access point, one radio is used for the back-haul network. The other is used to provide WiFi access. Sometimes, you will use a high gain antenna for the back-haul radio and an omni-directional antenna for user WIFI. You may also let down a wired connection for a camera or switch.

There must be electrical power available at the far end of the link. This can be hard-wired AC power or provided by a power injector depending on the AP and the application. A typical access point plus camera installation will include two power injectors--one for the AP and one for the camera.

In a WiFi infrastructure, APs that form the bridge or mesh are managed by a wireless controller or cloud just as the campus APs are. Sometimes, instead, an inexpensive third-party bridge can be used to extend the campus network. Devices located at the far end, including access points, will not be aware of the third-party wireless bridge.

A typical bridge or mesh configuration will use a 5 GHz link for back-haul and 2.4 GHz for local service. The expected speed in a nearby, line-of-sight application is often just over 100 Mbit/S.

Bridge and mesh products that use 24 GHz or 60 GHz radios are also available. These feature back-haul speeds in the 1 Gbit/S range. The wavelength of a 60 GHz signal is just 5mm, which is less than the width of a large raindrop or a snowflake. Because of this, 24 GHz and 60 GHz transmissions are subject to 'fade' or failure in rain, snow or fog. For this reason, 60 and 24 GHz bridges are often packaged with 5 GHz fall-back radios.

A bridge built from 900 MHz radios can penetrate trees and weather much better than a 5 GHz radio, but with much narrower channel width, measured in 100s of kbits/S.

Local outdoor coverage, bridges or meshed links--Atlantic has been providing commercial WiFi for 15 years. Call us for your next project. - Kevin Dowd

Bitcoin in 2021

- Posted in Latest Technology by

There is a limit to the number of bitcoins--21 million in total, with about 2 million left to be mined. Presently, there are about 900 new bitcoins per day. As more are found, the hash target becomes increasingly harder to hit and it becomes asymptotically harder to find additional bitcoins. It will be the year 2140 before the last one is finally found. There's investment and reward in the effort: Russia just took delivery of a 70 MW crypto mining farm. It is said that almost 65% of the cryptomining resources are in China. Bitcoin broke $50,000 on Tuesday. Elon Musk bought $1.3 billion in bitcoin a couple weeks ago, when it was already over $40,000. Projections are for $500,000 per bitcoin.

The US dollar has been the world's reserve currency for a century, even as the US has heaped on debt for wars and social programs. Other alternatives--the euro or the Yuan--each have problems that continue to favor the dollar; the Euro zone is crumbly and has debts, too; China's currency has been tightly controlled by the government and there is a trust deficit for Chinese policy. This past year, with the United States' COVID-19 response, the US debt became larger than its economy. This makes the dollar just a little bit more risky as a reserve currency.

In January, it became illegal for you to personally trade in cryptocurrencies if you are a resident of Nigeria. The ban expands a list that includes China, Iran, Bolivia, Nepal, Bangladesh, Ecuador and Morocco. Cryptocurrency trading is still allowed in the US, but you are now required to indicate whether you have traded in cryptocurrencies on your tax return. The public argument against cryptocurrencies is that crypto is tender for criminal activities, and that it is difficult to track and tax. Alternative Central Bank Digital Currencies are likely to be introduced and sanctioned instead. They can be tracked. They will be centrally managed, unlike Bitcoin. They're digital fiat money. Bitcoin isn't.

Why do China, Russia, North Korea, (possibly) the United States want to be dabbling in Bitcoin? As is the case for you and me, there's a speculative upside. But there is also a possibility that Bitcoin will become a bona fide reserve currency--a place to park value. The prices will stabilize. Fiat currencies will weaken as money is converted into crypto. Like a game of musical chairs, when the music stops, some countries and individuals will have larger shares of the reserve currency. And if Bitcoin becomes that important, the effort spent gathering up Bitcoins today will affect the wealth of nations tomorrow.

Crypto trading rides on top of digital networks, and these are subject to tampering. I will address the network vulnerabilities for crypto trading in a future blog entry.

-Kevin Dowd

AI in your Network

- Posted in Latest Technology by

AI in your network

There's a scene in "Mars Attacks" where Pierce Brosnan, playing the scientist, dissects one of the dead Martians. He pulls some red jelly from the brain and says "Curious." It captures one of the problems with what we're calling AI today because like the components of an AI, though the jelly can do amazing things, you really can't look at it and say why.

The term Artificial Intelligence has changed its meaning many times over the last 50 years. It currently refers to systems that can do feature correlation and extraction from training data sets--often very large ones. For example, training a system to recognize a face (like your phone does) is an exercise in presenting exemplar data to the system along with reinforcing feedback when a face is displayed. This is called supervised training. After seeing enough faces and getting the green light for each one, the system can learn a correlation and provide the green light on its own when a new face is presented.

enter image description here

The systems and theory for this kind of AI have been around since the 1960s--even the 1950s. A well-known example is called a multi-layer perceptron, or neural network. The original objective was to imitate the way neurons interconnect and to reinforce pathways in the presence of specific stimuli. The neural network would be made of two or often three layers--an input layer, a hidden layer and an output layer. Inputs to a given layer would add or subtract from one another in accordance with weights (multipliers). The weights would be "learned" during the training process. They were the jelly in the Martian's brain.

The neural network is an analog model of how neurons might work, and some analog implementations have been created. On a digital computer, however, it is represented by matrix arithmetic. Matrix arithmetic can often be parallelized so that multiple operations occur at the same time. This makes it fast—very fast--given suitable hardware.

In the last ten years, supercomputers have been teased up, not from liquid-cooled Crays or hypercubes, but from very small-featured computing devices like field-programmable gate arrays or graphics cards. In fact, Nvidia--the company that makes some of the best graphics hardware--is also the world's leader in supercomputers. That's because Nvidia graphics cards are hyper-parallel, and they can be programmed to do AI just as well as to perform pixel-based ray tracing. Nvidia is currently building what will be the world's largest supercomputer in Britain.

In the network business, you see "AI" being applied to network analytics, intrusion detection and diagnostics. The systems are the product of supervised and unsupervised training that look to correlate events and to recognize unique patterns—such as a network intruder. Part of the reason why vendors are pushing the cloud so vigorously is that, in addition to being the customer, you are part of the product; your network experiences contribute the training sets for "AI" analytics. They need you to participate in the cloud, too.

Given copious compute power, the quest to make AIs more capable is correlated with making them deeper--adding more layers, more sophisticated back-propagation and weight adjustment. "Deep learning" makes the AI more powerful, but it also makes it subject to pitfalls that are endemic to higher order curve-fitting. That is, when the input is similar to training data, the results can be excellent. In the face of unfamiliar input, deep AI can be wildly unpredictable. "Curious," as Pierce Brosnan would say. And it’s coming to your network.

-Kevin Dowd

Why is Data Security Information so Noisy?

- Posted in Network Security by

Why is DATA SECURITY so noisy?

We’re always hoping for an easy score. But network traffic is the manifestation of intents; the traffic is there because someone or something has a goal. It might be exchanging email, sharing data or hacking you. In almost all cases, determining the goal by looking at the traffic requires a priori knowledge or assumptions about what the traffic means; it requires information that isn’t found in the traffic itself.

The object of a Security Event Manager (SEM) or an IDS/IPS is to derive knowledge from traffic data, and then reduce it to a score. The less knowledge in the process, the less valuable the score will be, which is the reason that administrators have to investigate false positives from network intelligence devices. Heuristics and signatures are two approaches to draw knowledge from data. Anomaly detection pulls patterns from data with little increase in knowledge.


Let’s say that you own a restaurant, and it has a security system. You get notified that the front door is open. What can you reasonably infer?

enter image description here

To make the simple observation that there might be a break-in in progress, we apply heuristics to data; we have derived knowledge. In the end, we can say that someone is probably breaking in.


Signatures simplify event recognition for known patterns. They condense multivariate input—essentially the meat of heuristics—into a decision that creates the score. For the restaurant, a signature that said:

“the door is open and it is after hours”

would provide the same result as heuristics. Heuristics are more flexible, but signatures are efficient to process; they’re quick. Of all the possible ways to apply knowledge to complex events, signature recognition probably has the most going for it. But if a signature isn’t sufficiently specific, it can generate noise. Too specific and it might not fire.


Anomaly detectors watch patterns in traffic to see if they look different than training data. The more complex the input, the more complex the model, and the less sanguine its approximation will be when presented with a novel situation; higher order curve-fitting is prone to false positives by its nature.

enter image description here

The Semantic Gap

Semantic derivation is the process of increasing knowledge about the event. Semantic reduction is how we produce the score. When we combine anomaly detection, signatures and heuristics and semantically reduce them, the worst of the uncertainty in each comes out. This suggests that the more semantic reduction that takes place in a SEM, the noisier the results will be.

What does provide reliable results? Simple metrics such as checksums on files and recognition of unplanned reboots unambiguously tell you something significant has happened, albeit late. A SEM will highlight activity you would have otherwise missed. But one can never eliminate the noise; there are semantic gaps between what is happening on the network, what the SEM understands, and the indication you receive on the back end; you’re much smarter than your network intelligence tools can ever be.

Reducing the Semantic Gap

Newer, AI-based anomaly detection systems (trained and untrained) improve the opportunities for nuanced event detection, and also for more false positives. Improvements come from coupling the output to intent, thereby reducing the semantic gap. The MITRE ATT&CK knowledge base provides a working framework for this approach. If one views the events that a SEM collects as the manifestations of intent, one can understand a breach for what it is. For instance:

  1. There is anomalous traffic from an internal computer
  2. The computer makes an outbound connection (command and control)
  3. The computer is probing the internal network; the outbound connection remains active

The numbered events, taken together, show a pattern of activity that predicts this machine has been compromised. Each one of them would be reason enough to wake the security guy in the middle of the night. Recognizing what they mean in combination reduces the semantic gap, and gives the security guy (or an IDS/IPS) a higher quality assessment of the circumstances.
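
As a sketch of what "recognizing what they mean in combination" looks like in detection logic, the following added example (not any product's code) correlates the three numbered events per host. The event names, fields and one-hour window are assumptions, and the sample events are constructed.

```python
"""Correlate the three numbered events per host into one finding.

Added example. Event names, tuple layout and WINDOW are assumptions;
EVENTS is constructed sample data using documentation address ranges.
"""
from collections import defaultdict

WINDOW = 3600  # seconds in which all three stages must occur (assumption)

# (timestamp, host, event, detail)
EVENTS = [
    (100,  "10.0.5.20", "anomalous_traffic", "volume spike"),
    (160,  "10.0.5.20", "outbound_open",     "203.0.113.7:443"),
    (200,  "10.0.7.31", "internal_probe",    "10.0.7.0/24"),   # probe on its own
    (900,  "10.0.5.20", "internal_probe",    "10.0.5.0/24"),
    (1000, "10.0.9.44", "anomalous_traffic", "new protocol"),
    (1100, "10.0.9.44", "outbound_open",     "198.51.100.9:8443"),
    (1200, "10.0.9.44", "outbound_close",    "198.51.100.9:8443"),
    (1300, "10.0.9.44", "internal_probe",    "10.0.9.0/24"),   # connection already closed
]

ALERTING = {"anomalous_traffic", "outbound_open", "internal_probe"}


def single_event_alerts(events):
    """Number of alerts raised if every event is scored on its own."""
    return sum(1 for _ts, _host, event, _detail in events if event in ALERTING)


def correlate(events, window=WINDOW):
    """Return {host: finding} for hosts that show all three stages in order.

    1. anomalous traffic from the host
    2. an outbound connection opened after the anomaly
    3. internal probing while that outbound connection is still open
    """
    state = defaultdict(lambda: {"anomaly_at": None, "open": {}})
    findings = {}
    for ts, host, event, detail in sorted(events):
        s = state[host]
        if event == "anomalous_traffic":
            s["anomaly_at"] = ts
        elif event == "outbound_open":
            # Only a connection that follows an anomaly counts as stage 2.
            if s["anomaly_at"] is not None and ts - s["anomaly_at"] <= window:
                s["open"][detail] = ts
        elif event == "outbound_close":
            s["open"].pop(detail, None)
        elif event == "internal_probe":
            if s["open"] and ts - s["anomaly_at"] <= window and host not in findings:
                findings[host] = {
                    "anomaly_at": s["anomaly_at"],
                    "outbound": sorted(s["open"]),
                    "probe_at": ts,
                    "probe_target": detail,
                }
    return findings


if __name__ == "__main__":
    print("alerts when scored one by one:", single_event_alerts(EVENTS))
    for host, finding in correlate(EVENTS).items():
        print("correlated finding:", host, finding)
```
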


Vectra, a company out of California, provides a product that combines AI with higher-level intelligence to reduce the semantic gap. It rides on top of network taps, within cloud deployments and even inside Office365. Vectra’s Network Detection and Response platform, Cognito, has been demonstrating superior results in red team testing. Recognizing the importance of reducing the semantic gap, Atlantic is helping bring Vectra to its customers. Visit for more information on the products or contact Atlantic Computing (

Copyright © 2021, Atlantic Computing Technology Corporation
