Home > Ask the Security Experts > Expert Archive: Information Security Threats Questions & Answers > Can network behavior anomaly detection (NBAD) products stop rootkits?
Ask The Security Expert: Questions & Answers
EMAIL THIS

Can network behavior anomaly detection (NBAD) products stop rootkits?

Ed Skoudis, past SearchSecurity.com expert EXPERT RESPONSE FROM: Ed Skoudis, past SearchSecurity.com expert

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 11 April 2007
I've read that worms can now be tracked down by analyzing their connection/packet rates. Are these non-signature-based techniques effective and are they any different than network behavior anomaly detection (NBAD) products?

>
Connection and packet-rate analysis is a subset of the overall approach known as network behavior anomaly detection (NBAD). Rootkits and other forms of malware have become so good at stealthily burrowing deep into end-user systems that organizations have come to rely on the help of network-based detection resources.

When systems are infected with malware, their communication patterns usually change in a detectable fashion. Consider this example:

Client machines usually talk with servers. Servers very seldom initiate a connection back to clients, except for occasional services like File Transfer Protocol (FTP) not used in passive mode. Also, clients almost never communicate with other clients, and servers have only a little communication with other servers. Hence you have a nice pattern that automated tools can check for.

When a worm or bot infection occurs, there is often a huge uptick in client-to-client session initiation. As you point out in your question, there might be a major rise in the bandwidth consumption of one or more infected machines. There also may be a hike in the number of connection initiation attempts. Each of these measurements is helpful and can be detected by various NBAD products. Network-based intrusion prevention systems, security information management (SIM) products, some intrusion detection systems, as well as distributed denial of service (DDoS) monitoring products all offer such capabilities.

Beyond these products, there are large-scale, Internet-based projects that look for network anomalies. One of the most prominent is the DShield project, administered by the SANS Internet Storm Center. This project has over 45,000 volunteer-operated sensors distributed around the Internet. The sensors gather data, make it anonymous and send it to collectors. Software and people then analyze the resulting information, which includes communicating sessions and the ports they use. The top 10 worldwide rising ports, as well as various unusual session activity, are plotted and updated every day on the DShield Web site.

More information:

  • Learn which security information management tools can spot network anomalies.
  • Compare signature detection with anomaly detection.


    • BROWSE BY TAG
    Network Intrusion Detection and Analysis,   Network Behavior Anomaly Detection (NBAD),   Enterprise Network Security,   Security Event Management,   Expert Archive: Information Security Threats,   VIEW ALL TAGS

    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



    RELATED CONTENT
    Network Behavior Anomaly Detection (NBAD)
    Trend Micro to acquire Third Brigade for virtualization, cloud security
    Use BotHunter for botnet detection
    Is centralized logging worth all the effort?
    How helpful is the centralized logging of network flow data?
    Can reputation services be applied to network security?
    SIM and NBA product combination is powerful
    Sourcefire, Nmap deal to open vulnerability scanning
    Sourcefire expands strategy in effort to leverage its network real estate
    Combining NetFlow analysis with security information management systems
    Security information management finally arrives, thanks to enhanced features

    Security Event Management
    Network traffic collection, analysis helps prevent data breaches
    Best Security Information and Event Management Products
    Understanding PCI DSS compliance requirements for log management
    Data breach notification legislation: What info must be released?
    How to prevent a denial-of-service (DoS) attack
    Mature SIMs do more than log aggregation and correlation
    The top 5 network security practices
    SIMs tools and tactics for business intelligence
    SIEM: Not for small business, nor the faint of heart
    Should IDS and SIM/SEM/SIEM be used for network intrusion monitoring?

    Expert Archive: Information Security Threats
    The telltale signs of a network attack
    Will Google Chrome enhance overall browser security?
    Are there antivirus suites that pick up more than just run-of-the-mill viruses?
    What tools can a hacker use to crack a laptop password?
    Are social networking sites an easy target for malicious hackers?
    What are the dangers of cross-site request forgery attacks (CSRF)?
    Should social engineering tests be included in penetration testing?
    What kind of data is compromised during a Google hack?
    Best practices for using restriction policy whitelists
    Defining mobile device security concerns

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    network behavior analysis  (SearchSecurity.com)
    network behavior anomaly detection  (SearchSecurity.com)
    nonce  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Site Map




    All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts