Part Two: Detection Methods

In Part One of this series, we began our discussion by looking at how perimeter defenses at Fort Knox could inspire network security architecture. As we looked at firewalls and network access control (NAC) solutions, we noted how these necessary components, while effective, require additional steps to cover gaps in security coverage. Over the next several installments, we will discuss how network monitoring technologies shore up protection. We will start our discussion by evaluating the methodologies that can be applied to ferreting out network attacks.

Two Buckets

When examining network traffic for nefarious activity, there are two major schools of thought. The first relies on examining the composition of the traffic, and the second relies on examining the behavior of the hosts.

Examining the Composition

The first method of detecting threats relies on examining the characteristics of the agent. In physical security, examples include analyzing patterns in DNA, fingerprints, chemical composition and physical parameters. In network security, it consists largely of examining patterns in data transmissions or computer files.

Signature-Based Detection

Fort Knox, like other military installations, has a variety of threat detection methods that rely on examining the characteristics of the object. Bomb sniffing dogs are taught to signal on a specific scent. Fingerprint scans and facial recognition can identify known enemies.

In network security, methods to detect attacks that rely on knowing the specific composition of an attack are collectively known as “signature-based detection.” Signature-based detection is often preferred in both physical and network security because it gives a concrete answer as to what exactly the exploit is. The barking bomb dog confirms the presence of explosives and would give cause for purposeful incident response. In network security, exact patterns for attacks such as the Conficker worm or “Web server vulnerability X” can be created to inform operators of the exact attack type.

However, signatures are limited in their ability to detect emerging and unknown threats because they require examination of the exploit to create the signature (e.g., you can’t match a fingerprint until it is on file). This makes signature-based detection an ineffective approach against early attackers, but it becomes increasingly effective as the exploit vector ages.

Heuristic Detection

Packages coming onto secure facilities are often run through an X-ray machine where the operator looks for suspicious (though not necessarily nefarious) characteristics in the contents. For example, he/she may look for sharp objects (which could just as easily be a pen as a knife).  

In network security, looking for threats by identifying potentially (though not necessarily) malicious characteristics is known as “heuristic detection.” This type of detection relies on variable or partial signature matches, but is unable to provide the concrete exploit explanation that signature-based detection can.

Behavioral Detection

The second school of detecting threats focuses on the behavior of the agent. This is referred to as behavioral detection.

Anomaly Detection

At Fort Knox, if a patrol doesn’t report in at its regular interval, the watch commander will note this as a deviation from normal behavior and begin an investigation. If a vendor arrives in a different style of vehicle than has been noted in the past, it will also be flagged as an anomaly.

Detecting threats by observing activity that is a deviation from normal (baseline) behavior is known as “anomaly detection.”  In network security, examples of anomalies include computers using or hosting new network services, exceeding normal bandwidth usage or communicating with new types of external servers. This detection approach provides the earliest opportunity for detecting an emerging or advanced threat, but requires skilled operators and deep data/intelligence visibility to effectively foil the attack.

Suspicious Activity

A second component of behavioral detection is observing suspicious activity. When personnel of Fort Knox, whether insiders or outsiders, begin to examine door locks, copy documents or go into unauthorized regions of the facility, red flags are immediately thrown.

In network security, suspicious activity can include scanning for hosts on the network (often a sign of a network worm), communicating with known “bad” external hosts (such as botnets) or attempting excessive, unnecessary connections to network resources (an indicator of a denial-of-service attack). While a signature may not yet exist, incident response can begin immediately because there is no good reason for the activity (much like observing someone trying to beat in a secure door). This allows for much quicker response times when handling emerging threats. It also decreases the time it takes for network analysts to be aware of a problem on the network.

Wrap Up

In this second installment, we have looked at two types of methods used for detecting threats on the network: signature-based and behavioral. To recap, signature-based detection focuses on the characteristics of the agent, while behavioral detection analyzes the activities of the agent. In Part 3 of this series, we will take a look at the different types of payloads that can be delivered through network attacks.