Prevent hackers from attacking by analyzing IPS network behavior

In this article we describe two methods of preventing network attacks: the signature-based method and network behavior analysis (NBA), which is based on detecting anomalies.


Successful network attacks have become so commonplace that they are hardly news anymore. Hackers break into commercial sites to steal credit card information, or into defense ministry sites in search of top secret military plans. Denial of service (DoS) attacks also leave legitimate users unable to reach sites. Meanwhile, the intrusion prevention systems and firewalls on corporate networks routinely report hundreds of attacks every day.

To prevent attacks from succeeding, two main detection methods have been introduced: the signature-based method and network behavior analysis (NBA).

Intrusion detection and prevention based on signature analysis

Signature-based systems are especially effective against previously discovered attacks. They can be installed quickly and are effective immediately. These systems inspect incoming packets and compare their contents against a list of known attack patterns. Their reports are easy to understand, because each incident names the type of attack that was detected.

Signature-based systems are quite effective against known attacks, but they cannot detect zero-day attacks. Hackers know that any new attack will quickly be detected and that countermeasures will be issued by the intrusion prevention vendors, so they often launch attacks against a large number of sites as soon as a new attack method is developed.

Because of this, signature-based systems must be updated continuously. Vendors must collect and test attack reports from around the world, and they also gather data from products installed at customer sites. When a customer sees an attack, the vendor's staff analyze it, develop a fix and distribute the update to all customer sites. However quickly vendors detect new attack methods and issue advice, the first sites to be attacked will almost certainly be compromised.
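To make the signature approach concrete, here is an added example (written for this article, not code from any vendor's product) of a small signature engine in Python. It compares traffic against a constructed list of attack patterns and reports each hit by attack type, as the text describes. It also shows why a practical engine reassembles each flow before matching: the same request delivered in two packets is missed by per-packet inspection but caught once the flow is reassembled. The signatures, addresses and packets are all constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed signature list (illustrative, not a vendor's rule set): each entry
# names the attack type to report and the byte pattern to look for.
SIGNATURES = [
    ("directory-traversal", re.compile(rb"\.\./\.\./")),
    ("sql-injection-probe", re.compile(rb"'\s*or\s*1\s*=\s*1", re.IGNORECASE)),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    seq: int        # byte offset of this payload within its flow
    payload: bytes


def match_per_packet(packets):
    """Naive engine: look for signatures in each packet on its own."""
    alerts = []
    for pkt in packets:
        for name, pattern in SIGNATURES:
            if pattern.search(pkt.payload):
                alerts.append((name, pkt.src, pkt.dst))
    return alerts


def reassemble(packets):
    """Group packets by (src, dst) flow, order them by seq and join payloads."""
    flows = defaultdict(list)
    for pkt in packets:
        flows[(pkt.src, pkt.dst)].append(pkt)
    return {
        key: b"".join(p.payload for p in sorted(pkts, key=lambda p: p.seq))
        for key, pkts in flows.items()
    }


def match_reassembled(packets):
    """Stream-aware engine: match signatures against each reassembled flow."""
    alerts = []
    for (src, dst), stream in reassemble(packets).items():
        for name, pattern in SIGNATURES:
            if pattern.search(stream):
                alerts.append((name, src, dst))
    return alerts


def report(alerts):
    """Human-readable incident lines; each names the detected attack type."""
    return [f"{name}: {src} -> {dst}" for name, src, dst in alerts]


# Constructed sample traffic: three flows to one web server.
SAMPLE_PACKETS = [
    # flow 1: the probe arrives in a single packet
    Packet("10.0.0.5", "192.0.2.10", 0, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    # flow 2: the same request split in two and delivered out of order
    Packet("10.0.0.6", "192.0.2.10", 8, b"../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.6", "192.0.2.10", 0, b"GET /../"),
    # flow 3: ordinary request, should produce no alert
    Packet("10.0.0.7", "192.0.2.10", 0, b"GET /index.html HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    print("per-packet :", report(match_per_packet(SAMPLE_PACKETS)))
    print("reassembled:", report(match_reassembled(SAMPLE_PACKETS)))
```

Run as a script, the per-packet engine reports only flow 1, while the reassembling engine reports flows 1 and 2. Real products do the same reassembly at the TCP stream level, and the quality of that reassembly (handling of retransmissions, overlaps and out-of-order segments) is as important to detection as the signature list itself.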

Anomaly-based intrusion detection systems

Behavior-based attack detection systems detect network behavior that does not match the expected pattern. The system is configured, for each product, with information about its normal behavior patterns. For example, an application may legitimately access one database record at a time; if the intrusion detection system sees access to a large number of records, it treats this as a suspected attack. Likewise, if a user whose access is limited to a certain set of records begins trying to access other types of information, their workstation may have been infected.

Unlike signature-based systems, anomaly-based systems can detect zero-day attacks, because an attack does not need to match any previously identified pattern. The disadvantage is that these systems must be carefully configured to recognize the desired behavior patterns, and the configuration must be updated whenever applications are added or existing applications change.
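The following added example (written for this article, not code from any IDS product) shows the two anomaly rules from the paragraph above as a detector run over a constructed database access log: a per-application limit on records read per request, and a per-user set of record types the user is expected to touch. The baseline, users, applications and log lines are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed baseline, standing in for the per-application / per-user profile
# the text describes. Values are illustrative.
BASELINE = {
    "apps": {
        "billing-web": {"max_records_per_request": 1},
        "report-batch": {"max_records_per_request": 5000},
    },
    "users": {
        "alice": {"customer"},
        "bob": {"customer", "invoice"},
        "carol": {"customer"},
    },
}

# Constructed access log: "timestamp user application record_type count".
ACCESS_LOG = """\
2024-03-01T10:00:00 alice billing-web customer 1
2024-03-01T10:00:05 alice billing-web customer 1
2024-03-01T10:01:00 bob billing-web invoice 1
2024-03-01T10:02:00 alice billing-web customer 400
2024-03-01T10:03:00 alice billing-web hr_salary 1
2024-03-01T10:04:00 carol report-batch customer 3000
2024-03-01T10:05:00 mallory billing-web customer 1
"""


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    app: str
    record_type: str
    count: int


@dataclass(frozen=True)
class Alert:
    kind: str
    ts: str
    user: str
    detail: str


def parse_log(text):
    """Parse the space-separated log into Access records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, app, rtype, count = line.split()
        records.append(Access(ts, user, app, rtype, int(count)))
    return records


def detect_anomalies(records, baseline=BASELINE):
    """Flag accesses that deviate from the configured behaviour profile."""
    alerts = []
    for r in records:
        app_profile = baseline["apps"].get(r.app)
        if app_profile is None:
            alerts.append(Alert("unknown-application", r.ts, r.user, r.app))
            continue
        # Rule 1: an application reading far more records than it normally does.
        if r.count > app_profile["max_records_per_request"]:
            alerts.append(Alert("bulk-read", r.ts, r.user,
                                f"{r.app} read {r.count} {r.record_type} records"))
        # Rule 2: a user touching record types outside their normal set.
        allowed = baseline["users"].get(r.user)
        if allowed is None:
            alerts.append(Alert("unknown-user", r.ts, r.user, r.app))
        elif r.record_type not in allowed:
            alerts.append(Alert("out-of-scope-access", r.ts, r.user, r.record_type))
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(ACCESS_LOG)):
        print(alert)
```

The run produces three alerts: alice's 400-record read, alice's access to `hr_salary` records, and an access by a user absent from the baseline. Note that carol's 3000-record read is silent only because the `report-batch` profile allows it; if that batch job were added without updating the baseline, the same read would be reported as an attack, which is exactly the maintenance burden the paragraph above describes.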

Configuring IPS to prevent sophisticated attacks

Attacks that spread their commands over multiple messages, such as spreading a web attack across several HTTP messages, cause difficulties for both types of system. With signature-based systems, the signature can be spread across a series of commands so that no single packet's data matches the attack profile. Anomaly-based systems may fail to detect attacks that target several servers at the same time: the string sent to each host may look valid on its own, yet still compromise the applications on those servers.

A further difficulty is that not all packets enter the network through the same point or gateway. Although enterprise networks often maintain several Internet connections with an intrusion detection system at each one, covering the gateways alone is almost never adequate.

Viruses can also get into the company's network through locations other than the Internet gateways. Employees may bring in laptops that they have used on their home networks; when they reconnect such a laptop to the local network, a virus can enter the corporate network without ever passing through the Internet gateway. Wireless networks have further vulnerabilities and are hard to cover when deploying an intrusion prevention system: an outside attacker coming in through the wireless LAN (WLAN) can likewise reach the network without passing through the gateway.

Therefore intrusion detection systems must also be installed at key points throughout the network (such as the switch connecting the network ports to the servers on which the applications run, or the connection to the database server) in order to detect these attacks. The systems must exchange information with each other and evaluate reports from multiple sources, such as router and server logs, to correlate a sequence of packets and detect an attack.
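As an added example (written for this article, not code from any product), the Python below correlates events from three constructed sensors, a gateway IPS, an IPS on the server-segment switch and the servers' own logs, in the way the last two paragraphs describe. Each individual request looks harmless, but one source reaching several distinct servers within a short window is reported; an event seen by two sensors is counted once; and a source that never passed the gateway (the internal laptop case above) is still covered by the switch sensor. Sensor names, addresses, the 60-second window and the threshold of three servers are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed events reported by three sensors: the Internet-gateway IPS, an IPS
# on the switch in front of the server segment, and the servers' own logs.
# Fields: timestamp, sensor, source address, destination server.
EVENTS = [
    ("2024-03-01T12:00:00", "gateway-ips", "198.51.100.7", "10.1.0.11"),
    ("2024-03-01T12:00:00", "switch-ips",  "198.51.100.7", "10.1.0.11"),  # same packet, second sensor
    ("2024-03-01T12:00:01", "server-log",  "198.51.100.7", "10.1.0.12"),
    ("2024-03-01T12:00:02", "server-log",  "198.51.100.7", "10.1.0.13"),
    ("2024-03-01T12:00:03", "switch-ips",  "198.51.100.7", "10.1.0.14"),
    ("2024-03-01T12:00:10", "switch-ips",  "10.1.0.50",    "10.1.0.11"),  # internal laptop, never seen by the gateway
    ("2024-03-01T12:00:11", "switch-ips",  "10.1.0.50",    "10.1.0.12"),
    ("2024-03-01T12:30:00", "server-log",  "10.1.0.50",    "10.1.0.13"),  # too late to fall in the same window
]


@dataclass(frozen=True)
class Alert:
    src: str
    ts: str
    distinct_targets: int
    sensors: tuple   # every sensor that has reported this source so far


def correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Raise one alert when a source reaches `threshold` distinct servers within
    `window`; each (ts, src, dst) is counted once no matter how many sensors saw it."""
    events = sorted(events)
    seen = set()                      # de-duplicates reports of the same packet
    recent = defaultdict(deque)       # src -> deque of (datetime, dst) inside the window
    sensors = defaultdict(set)        # src -> sensors that have reported it
    alerted = set()
    alerts = []
    for ts, sensor, src, dst in events:
        sensors[src].add(sensor)
        if (ts, src, dst) in seen:
            continue
        seen.add((ts, src, dst))
        now = datetime.fromisoformat(ts)
        q = recent[src]
        q.append((now, dst))
        while q and now - q[0][0] > window:   # drop events older than the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append(Alert(src, ts, len(targets), tuple(sorted(sensors[src]))))
        elif len(targets) < threshold:
            alerted.discard(src)      # re-arm so a later sweep is reported again
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

With the default threshold, only 198.51.100.7 is reported, at the moment it reaches a third server, and the alert lists all three sensors that contributed. Lowering the threshold to two also reports the internal laptop, which only the switch sensor ever saw; a deployment that monitored the Internet gateway alone would have no record of it at all.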

While signature-based systems can be installed quickly and start working immediately, designing, configuring and installing an anomaly-based system is considerably more complex. In the next part of this series we will walk through the steps involved in configuring and installing an anomaly-based intrusion detection system.
