No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - Network Management and Monitoring

S2720, S5700, and S6720 V200R013C00

This document describes the configurations of Network Management and Monitoring, including SNMP, RMON, RMON2, LLDP, Performance Management, iPCA, NQA, Service Diagnosis, Mirroring, Packet Capture, NetStream, sFlow, TWAMP Light, NETCONF, ECA, Intelligent Video O&M, eMDI, and Network Deception.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Understanding ECA

Understanding ECA

Basic Concepts of ECA

  • Intelligent Awareness Engine (IAE)

    An IAE is an integrated content security service processing framework and a set of security features or components. On a switch, the IAE identifies applications, detects encrypted traffic, and works with the big data security analytics function of the CIS server to implement security protection.

  • SA

    SA serves the following purposes:
    • Identify whether traffic of an application is encrypted, obtain application information of the traffic, and collect and display statistics on the traffic through the service awareness signature database (SA-SDB) embedded in the switches. (If traffic is encrypted, only the protocol type, for example, HTTPS, can be identified.) Therefore, the SA-SDB must be updated in a timely manner to improve the SA capability of switches.
    • Identify application-layer information in a packet. The application-layer information is vital for generating metadata and analyzing encrypted traffic.
  • Encrypted traffic identification

    If traffic of an application is identified as encrypted, the encrypted traffic needs to be further analyzed to extract the following encrypted traffic features without decrypting the traffic: TLS information (cipher suite, extended fields, and server-returned certificate), TCP information (byte distribution, packet length change, and interval between received data packets), DNS information (number of returned IP packets and requested IP domain names), and other traffic features.

  • ECA traffic probe

    The traffic probe is an information collector that selectively collects network-, transmission-, and application-layer information from traffic. The ECA traffic probe is responsible for collecting encrypted traffic features extracted through SA and encrypted traffic identification, generating metadata using the extracted information, and sending the metadata to the CIS server using the configured parameters for the interconnection between the switch and CIS server.

  • CIS server

    The CIS server establishes a threat detection model using big data analytics and machine learning to analyze the metadata reported by switches and identify abnormal traffic and behavior. There may be differences between normal and malicious encrypted traffic in terms of the encryption algorithm, byte distribution, data packet time sequence, and other aspects. These differences can be extracted by the CIS server using the machine learning algorithm model to distinguish between normal encrypted traffic and malicious encrypted traffic.

ECA Implementation

As shown in Figure 14-2, after network traffic enters the switch, the switch distinguishes between encrypted traffic and unencrypted traffic by obtaining and collecting statistics on application information of the traffic using SA. The switch then further identifies the encrypted traffic by extracting encrypted traffic features through the ECA traffic probe and sending the features to the CIS server for malicious traffic detection.

Figure 14-2  ECA implementation
Updated: 2019-04-20

Document ID: EDOC1100065680

Views: 57911

Downloads: 514

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next