
	Home > Ask the Security Experts > Information Security Threats Questions & Answers > How well can network behavior anomaly detection (NBAD) products detect rootkits and malware?

Ask The Security Expert: Questions & Answers

EMAIL THIS

How well can network behavior anomaly detection (NBAD) products detect rootkits and malware?

EXPERT RESPONSE FROM: Ed Skoudis

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 11 April 2007
I've read that worms can now be tracked down by analyzing their connection/packet rates. Are these non-signature-based techniques effective and are they any different than network behavior anomaly detection (NBAD) products?

EXPERT RESPONSE
Connection and packet-rate analysis is a subset of the overall approach known as network behavior anomaly detection (NBAD). Rootkits and other forms of malware have become so good at stealthily burrowing deep into end-user systems that organizations have come to rely on the help of network-based detection resources.

When systems are infected with malware, their communication patterns usually change in a detectable fashion. Consider this example:

Client machines usually talk with servers. Servers very seldom initiate a connection back to clients, except for occasional services like File Transfer Protocol (FTP) not used in passive mode. Also, clients almost never communicate with other clients, and servers have only a little communication with other servers. Hence you have a nice pattern that automated tools can check for.

When a worm or bot infection occurs, there is often a huge uptick in client-to-client session initiation. As you point out in your question, there might be a major rise in the bandwidth consumption of one or more infected machines. There also may be a hike in the number of connection initiation attempts. Each of these measurements is helpful and can be detected by various NBAD products. Network-based intrusion prevention systems, security information management (SIM) products, some intrusion detection systems, as well as distributed denial of service (DDoS) monitoring products all offer such capabilities.

Beyond these products, there are large-scale, Internet-based projects that look for network anomalies. One of the most prominent is the DShield project, administered by the SANS Internet Storm Center. This project has over 45,000 volunteer-operated sensors distributed around the Internet. The sensors gather data, make it anonymous and send it to collectors. Software and people then analyze the resulting information, which includes communicating sessions and the ports they use. The top 10 worldwide rising ports, as well as various unusual session activity, are plotted and updated every day on the DShield Web site.

More information:

Learn which security information management tools can spot network anomalies.

Compare signature detection with anomaly detection.

Sound Off! -

Be the first to post a message to Sound Off!

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Information Security Threats
	What are the dangers of cross-site request forgery attacks (CSRF)?
	Should social engineering tests be included in penetration testing?
	What kind of data is compromised during a Google hack?
	Best practices for using restriction policy whitelists
	Defining mobile device security concerns
	What security measures can be taken to stop crimeware kits?
	What software development best practices can prevent input validation attacks?
	What is the most secure way for application developers to manage cookies?
	Is there a market for standalone antivirus products?
	Can 'herd intelligence' effectively stop malware?

Network Behavior Anomaly Detection (NBAD)

Is centralized logging worth all the effort?

How will the centralized logging of network flow data benefit an enterprise?

Can reputation services be applied to network security?

Sourcefire, Nmap deal to open vulnerability scanning

Sourcefire expands strategy in effort to leverage its network real estate

Combining NetFlow analysis with security information management systems

Security information management finally arrives, thanks to enhanced features

Are honeypots safe to implement in a router?

How to protect against port scans

Extensive coverage in a single box

Security Event Management

Is centralized logging worth all the effort?

Product review: Novell's Sentinel 6.0

Challenges behind operational integration of security and network management

Log management push has its roots in compliance

SIMs

Prospective Buyers Want Answers

Security information management finally arrives, thanks to enhanced features

A new awareness for SIMs

Recent Releases

WatchGuard offers 'excellent' UTM product

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

network behavior analysis (SearchSecurity.com)

network behavior anomaly detection (SearchSecurity.com)

nonce (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Advanced Search | Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy