Several methods are used to detect malicious activity using signatures designed to send alerts on specific attacks and mutations of attacks. Signatures are difficult to create at the best of times, however, and without a thorough understanding of the vulnerability, signature creation is less effective. Signatures also can be based on common attack indicators. For example, they may search for binary traffic where only ASCII traffic should be; look for anomalous packets, such as telnet traffic on a high-number port; or target malformed packets. Of course, packets that match these fuzzier signatures don't always indicate an attack: For instance, the AOL Instant Messenger client for Mac OS X doesn't send a host: header on its HTTP/1.1 requests, which may trigger a protocol-anomaly alert.
There are many other examples of legitimate anomalous traffic that might trigger alerts, all of which reinforce our contention that before you enable intrusion prevention, you have to be confident that no legitimate traffic will be blocked. Though interesting, protocol-anomaly detection is still too immature for us to place much trust in its ability to accurately differentiate between legitimate and illegitimate traffic.
DoS (denial of service) alerts are generated by traffic that violates an adjustable but predetermined traffic rate, such as 100 unacknowledged TCP sessions in one second. Detailed knowledge of what constitutes normal traffic on your network is essential to define thresholds properly. Alternatively, DoS, or distributed DoS, detection is based on statistical analysis of common types of traffic. After a learning period, the NIP has a picture of "normal" traffic. Bursts that are statistically significant may indicate a DoS or DDoS attack. Or, they may just indicate an abnormal spike in traffic, as when a Web site is "Slashdotted."
Traffic-analysis intrusion-prevention products, like those from Arbor Networks, Lancope and Mazu Networks, monitor traffic patterns and capture snapshots of what constitutes normal traffic--traffic rates, which computers make connections to other computers, and so on--creating a picture of network behavior.
Normal traffic also can be defined as part of policy enforcement. If your organization's policy is to disallow telnet anywhere on the network, instances of telnet being used constitute, at minimum, a breach of policy.
To realize the benefits of cloud-native software, an application must actually be cloud-native—designed to run in the cloud, interacting with disaggregated cloud services, fully manageable as code—to deliver the expected benefits.
By combining resources and expertise, the AI-Enabled ICT Workforce Consortium will offer a blueprint for how industries can adapt to an AI-dominated future.
IT leaders should heed the guidance of cybersecurity insurance providers who think businesses should prioritize security education, incident preparedness, regular internal audits, and ongoing vulnerability scanning and patching.
