This is a continuation of the earlier posts starting with this one: http://ravinote.blogspot.com/2020/09/best-practice-from-networking.html
Data by type: networks usually do not interpret data in transit. To the network, the data is just a sequence of bits, and only the packet header is useful for classifying it. But the packet does not have to come from a networking protocol only. Data types can also be attached to the data itself to enrich it, which is what many message libraries such as protobuf do. This helps with the interpretation and validation of data patterns at either end.
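The point about typed data is easiest to see with a small codec. The following is an added example, not code from the original post and not protobuf: it uses a constructed wire format (a one-byte type tag, a two-byte big-endian length, then the payload) and a constructed schema, and shows how the receiving end can validate a frame against the declared type instead of treating it as an opaque byte string.

```python
"""Added example: a minimal typed-message codec with validation at the receiver.

Constructed for this post; the wire format and the SCHEMA table are assumptions
chosen to illustrate schema-driven validation, not a real protocol.
"""
import struct

# Constructed schema: type tag -> (message name, ordered (field, struct format) pairs)
SCHEMA = {
    1: ("login", [("user_id", "!I"), ("ttl_seconds", "!H")]),
    2: ("heartbeat", [("seq", "!I")]),
}


class MessageError(ValueError):
    """Raised when a frame does not match its declared type."""


def encode(msg_type: int, **fields) -> bytes:
    """Serialise fields for msg_type: tag (1 byte) + length (2 bytes) + payload."""
    _name, spec = SCHEMA[msg_type]
    payload = b"".join(struct.pack(fmt, fields[field]) for field, fmt in spec)
    return struct.pack("!BH", msg_type, len(payload)) + payload


def decode(frame: bytes) -> dict:
    """Parse a frame, checking tag, declared length and schema size before use."""
    if len(frame) < 3:
        raise MessageError("frame too short for header")
    msg_type, length = struct.unpack("!BH", frame[:3])
    if msg_type not in SCHEMA:
        raise MessageError(f"unknown type tag {msg_type}")
    payload = frame[3:]
    if len(payload) != length:
        raise MessageError(f"length field {length} != payload size {len(payload)}")
    name, spec = SCHEMA[msg_type]
    expected = sum(struct.calcsize(fmt) for _, fmt in spec)
    if length != expected:
        raise MessageError(f"{name}: schema expects {expected} bytes, got {length}")
    out = {"type": name}
    offset = 0
    for field, fmt in spec:
        size = struct.calcsize(fmt)
        (out[field],) = struct.unpack(fmt, payload[offset:offset + size])
        offset += size
    return out


def is_valid(frame: bytes) -> bool:
    """True when the frame decodes cleanly under the schema, False otherwise."""
    try:
        decode(frame)
        return True
    except MessageError:
        return False


if __name__ == "__main__":
    frame = encode(1, user_id=42, ttl_seconds=300)
    print(frame.hex(), decode(frame))
    print(is_valid(b"\x09\x00\x00"))  # unknown tag -> False
```

Because the length and the schema size are both checked before any field is unpacked, a truncated or padded frame is rejected at the boundary rather than being interpreted as a partially valid message.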
Intrusions are detected as deviations from normal activity or as policy violations. An intrusion can occur at the network level or at the host level; in either case, changes from the typical activity are detected and reported. At the network level, the monitoring compares network traffic against a known set of attacks. At the host level, the monitoring covers important files that may be opened and used, or packets as seen at that host only. Systems that also have response capabilities are referred to as intrusion prevention systems.
The methods of intrusion detection are based on either signatures or anomalies. Signature-based intrusion detection checks for patterns or byte sequences known to be used by malware. Anomaly-based intrusion detection looks for new or unknown attacks by comparing activity against a model of normal activity. Since there may be a lot of noise, the model's parameters are tuned to balance precision and recall.
Intrusion prevention mechanisms can monitor the entire network, a wireless network, the traffic for anomalies such as a distributed denial-of-service attack, or a single host. The detection methods involved include signature-based detection, statistical anomaly-based detection, and stateful protocol-based detection.
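To make the signature-versus-anomaly distinction concrete, here is an added example (not code from the original post) that runs both methods over a handful of constructed request-log records. The signature rules, the traffic sample, the baseline model (mean and standard deviation of requests per minute) and the z-score thresholds are all illustrative assumptions; the point is to show how a known pattern is caught by a rule while a volume anomaly is caught only by comparison to a baseline, and how the threshold trades precision against recall.

```python
"""Added example: signature-based and anomaly-based detection side by side.

Constructed for this post. SAMPLE is synthetic traffic, SIGNATURES is a toy
ruleset, and the thresholds are chosen only to illustrate tuning.
"""
import re
from statistics import mean, pstdev

# Constructed sample records: (source_ip, requests_per_minute, request_line)
SAMPLE = [
    ("10.0.0.5", 12, "GET /index.html"),
    ("10.0.0.5", 14, "GET /about.html"),
    ("10.0.0.7", 11, "GET /login"),
    ("10.0.0.7", 13, "POST /login"),
    ("10.0.0.9", 10, "GET /static/app.js"),
    ("10.0.0.9", 12, "GET /static/app.css"),
    ("10.0.0.9", 9, "GET /favicon.ico"),
    ("10.0.0.21", 15, "GET /download?file=../../etc/passwd"),  # matches a known pattern
    ("10.0.0.33", 950, "GET /index.html"),                      # volume anomaly, no pattern
]

# Toy signature ruleset: rule name -> compiled pattern (illustrative, not a real IDS ruleset)
SIGNATURES = {
    "sqli-tautology": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_hits(events):
    """Return (source_ip, rule_name) for every request line matching a known pattern."""
    hits = []
    for ip, _rate, line in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((ip, name))
    return hits


def build_baseline(events):
    """Model of normal activity: mean and population std dev of requests per minute.

    Assumes the training window is clean. If attacker traffic is present while the
    baseline is built, it becomes part of "normal" and is not flagged later.
    """
    rates = [rate for _ip, rate, _line in events]
    return mean(rates), pstdev(rates)


def anomaly_hits(events, baseline, z_threshold):
    """Flag sources whose rate sits more than z_threshold std devs above the mean.

    Lowering z_threshold raises recall (more true positives) at the cost of
    precision (more noise flagged); raising it does the reverse.
    """
    mu, sigma = baseline
    if sigma == 0:
        return []
    return [ip for ip, rate, _line in events if (rate - mu) / sigma > z_threshold]


if __name__ == "__main__":
    print("signature:", signature_hits(SAMPLE))
    baseline = build_baseline(SAMPLE[:7])  # train on the clean records only
    print("anomaly z>3:", anomaly_hits(SAMPLE, baseline, 3.0))
    print("anomaly z>2:", anomaly_hits(SAMPLE, baseline, 2.0))
```

With the baseline built from the first seven (clean) records, the 950-requests-per-minute source is flagged at either threshold, while the source with the traversal string is only flagged by the anomaly detector once the threshold is lowered to 2: its request rate is barely above normal, so the signature rule is what actually identifies it. That is the complementarity the post describes, and it is also why the threshold is a tuning knob rather than a fixed value.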
Open-source libraries for intrusion detection have become popular, the OSSEC project being a well-known example.