Malware Detection and Mitigation
Published in Nicholas Kolokotronis, Stavros Shiaeles, Cyber-Security Threats, Actors, and Dynamic Mitigation, 2021
Gueltoum Bendiab, Stavros Shiaeles, Nick Savage
This approach is widely used by commercial antivirus companies like Kaspersky, McAfee, Avast, Bitdefender, Norton, AVG, etc., and by most common IDSs. Signature-based IDSs work in a very similar way to most antivirus systems: they maintain a database of known attack signatures and compare incoming traffic against those signatures. The most popular signature-based IDSs are Snort and Suricata. Snort is one of the best free and open-source tools available for network-based intrusion detection and prevention (NIDS/NIPS). It acts as a second level of defense in the target network, as it sits behind the firewall. Snort's detection engine uses a signature-based approach to identify potential attacks by capturing network traffic and comparing it to a database of previously recorded attack signatures (i.e. rules written by the user) [26]. It logs the traffic on the network and raises alerts about malicious activity to the network administrator. A Snort rule (signature) defines unique characteristics of one packet, or of a succession of network packets, that identify malicious activity, for example the C&C traffic between a compromised device and a C&C server. However, malware authors usually encrypt the network traffic to evade such signatures, which makes detection more complicated.
Abnormal network packets identification using header information collected from Honeywall architecture
Published in Journal of Information and Telecommunication, 2023
Kha Van Nguyen, Hai Thanh Nguyen, Thang Quyet Le, Quang Nhat Minh Truong
We have deployed a data collection model based on the Gen II Honeynet architecture (proposed by Provos and Holz (2007)), with the design exhibited in Figure 2, which includes three components. Honeypots are designed to attract attackers by running older operating systems, frameworks, and libraries with known vulnerabilities; the Honeypot is also an effective tool to monitor and record traces of attacks, helping researchers and network administrators find the system's security holes. Honeywall is a transparent gateway for the high-interaction Honeypots in the Honeynet and is undetectable by an attacker. Honeywall logs and controls access to and from the Honeypots using Snort. Snort is an open-source network intrusion detection system capable of performing real-time network traffic analysis and packet logging on IP networks. In addition, it can perform protocol analysis, aggregation, or content search, and it can detect many types of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, etc. The management host connects to Honeywall over SSH to retrieve the analysis data; the SSH connection also keeps remote access to Honeywall secure.
Insider Intrusion Detection Techniques: A State-of-the-Art Review
Published in Journal of Computer Information Systems, 2023
In addition to the techniques discussed above for higher-layer, event-based detection, lower-layer network data are also analyzed to find anomalies in the network. Since the profiling data are lower-layer network data, these techniques are employed to find network-layer attacks in the organizational network. This can be deep packet inspection or protocol-behavior profiling-based detection. Snort employs signature-based detection on packet flows. Anomaly-based techniques also detect network packet-flow anomalies using methods such as the Hidden Markov model,85 Bayesian networks,86 PGNIDS,87 E-NIPS,88 a game theory and fuzzy logic model for DDoS in wireless LANs,89 an ensemble machine learning technique for WiFi networks,90 and many more that have evolved since. Deep packet inspection was also found successful in mimicry attack detection in a cloud environment.91
Integration of sparse singular vector decomposition and statistical process control for traffic monitoring and quality of service improvement in mission-critical communication networks
Published in IISE Transactions, 2018
DPI examines the contents of packets passing through a so-called inspection point within a network and searches for anything out of the norm. Although DPI can be used to detect QoS problems, its major utility is to ensure network security by detecting intrusions, viruses, spam, and content that does not comply with regulation. Various DPI systems and techniques have been developed. For example, SNORT (Roesch, 1999) is a well-known open-source system that can detect various types of worms, attacks, and probes using protocol analysis and content searching and matching. Smith et al. (2008) proposed a DPI technique that uses regular expressions with extended finite automata. Focusing on QoS, Cascarano et al. (2011) proposed and validated optimizations for DPI techniques to accelerate network monitoring and traffic classification on high-speed networks. There are several drawbacks in using DPI for QoS:
DPI often requires costly dedicated devices to track, unpack, and analyze real-time packets.
DPI can be time-consuming, especially with large packet contents (e.g., audio, video), which makes it unsuitable for real-time QoS monitoring.
As DPI examines packet contents, there is a profound concern about privacy.
Due to the privacy concern, more and more network protocols such as HTTPS, SFTP, and SSL have been designed to protect private contents from being examined by DPI.
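The following is an added example, not code from any of the excerpted articles and not Snort's own engine. It serves both the Snort-rule passage in the Malware Detection and Mitigation excerpt (a signature describing C&C traffic, and why encryption defeats it) and the DPI passage above (content and regular-expression matching on packet payloads). It implements a small subset of Snort rule syntax (header, `msg`, `content`, `nocase`, `pcre`, `sid`) and applies it to three constructed packets: a cleartext C&C beacon, a benign HTTP request, and the same beacon carried inside an opaque TLS record. The network variables, addresses, rule text and payloads are all constructed for the illustration; real Snort adds preprocessors, `|hex|` content, stream reassembly and a fast-pattern matcher that this code omits.

```python
"""Constructed, minimal Snort-style signature matcher (illustration only)."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed network variables, standing in for what a Snort config defines.
NET_VARS = {"$HOME_NET": "10.0.0.", "$EXTERNAL_NET": "203.0.113."}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Rule:
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    msg: str
    sid: int
    contents: List[list]            # [needle bytes, nocase flag] per content option
    pcre: Optional["re.Pattern"]


HEADER_RE = re.compile(
    r"^(alert|log|pass|drop)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
# One rule option: key, optional ':value' (quoted or bare), terminated by ';'.
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
PCRE_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL}


def parse_rule(text: str) -> Rule:
    """Parse the subset of Snort rule syntax used in this example."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("unparseable rule: " + text)
    _action, proto, src, sport, dst, dport, opts = m.groups()
    msg, sid, contents, pcre = "", 0, [], None
    for key, val in OPT_RE.findall(opts):
        if val.startswith('"'):
            val = val[1:-1]
        if key == "msg":
            msg = val
        elif key == "sid":
            sid = int(val)
        elif key == "content":
            contents.append([val.encode(), False])
        elif key == "nocase" and contents:          # modifies the preceding content
            contents[-1][1] = True
        elif key == "pcre":                         # value has the form "/regex/flags"
            body, flags = val[1:].rsplit("/", 1)
            fl = 0
            for c in flags:
                fl |= PCRE_FLAGS.get(c, 0)
            pcre = re.compile(body.encode(), fl)
    return Rule(proto, src, sport, dst, dport, msg, sid, contents, pcre)


def _addr_ok(spec: str, addr: str) -> bool:
    # 'any', a $VAR from NET_VARS, or a literal prefix (simplified: prefix match).
    return spec == "any" or addr.startswith(NET_VARS.get(spec, spec))


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields first, then every content option, then the pcre option."""
    if rule.proto != pkt.proto:
        return False
    if not (_addr_ok(rule.src, pkt.src) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst) and _port_ok(rule.dport, pkt.dport)):
        return False
    for needle, nocase in rule.contents:
        hay, n = (pkt.payload.lower(), needle.lower()) if nocase else (pkt.payload, needle)
        if n not in hay:
            return False
    if rule.pcre is not None and not rule.pcre.search(pkt.payload):
        return False
    return True


def scan(packets: List[Packet], rules: List[Rule]):
    """Return (packet index, sid, msg) for every rule that fires on every packet."""
    return [(i, r.sid, r.msg) for i, p in enumerate(packets) for r in rules if matches(r, p)]


# Constructed rules for a hypothetical HTTP C&C beacon (sid values are invented).
RULES = [parse_rule(r) for r in [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Constructed C2 beacon: POST /gate.php"; '
    'content:"POST /gate.php"; content:"User-Agent: Mozilla/4.0"; nocase; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Constructed C2 check-in body"; '
    'pcre:"/^id=[0-9a-f]{8}&/mi"; sid:1000002; rev:1;)',
]]

# Constructed packets: cleartext beacon, benign request, and the beacon over TLS.
PACKETS = [
    Packet("tcp", "10.0.0.15", 49152, "203.0.113.7", 80,
           b"POST /gate.php HTTP/1.1\r\nHost: 203.0.113.7\r\n"
           b"User-Agent: MOZILLA/4.0\r\n\r\nid=deadbeef&os=win10"),
    Packet("tcp", "10.0.0.15", 49153, "203.0.113.9", 80,
           b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    # Same beacon encrypted: only a TLS record header and opaque bytes are visible to DPI.
    Packet("tcp", "10.0.0.15", 49154, "203.0.113.7", 443,
           b"\x17\x03\x03\x00\x40" + hashlib.sha256(b"constructed opaque TLS record").digest() * 2),
]

if __name__ == "__main__":
    for idx, sid, msg in scan(PACKETS, RULES):
        print(f"packet {idx}: [sid {sid}] {msg}")
```

Only packet 0 raises alerts (both rules); the TLS packet passes the header test of the second rule but nothing in its payload matches, which is the evasion the first excerpt describes. The `nocase` modifier binds to the preceding `content`, as in Snort, and header checks run before payload checks because they are far cheaper.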