Protocol analysis —Protocol analysis is the process of capturing, decoding, and interpreting electronic traffic. The protocol analysis method of network intrusion detection involves the analysis of data captured during transactions between two or more systems or devices and the evaluation of these data to identify unusual activity and potential problems. When a problem has been isolated and recorded, potential threats can be linked to pieces of hardware or software. Sophisticated protocol analysis will also provide statistics and trend information on the captured traffic.
Traffic anomaly detection —Traffic anomaly detection identifies potentially threatening activity by comparing incoming traffic to normal traffic patterns and identifying deviations. It does this by comparing user characteristics against thresholds and triggers defined by the network administrator. This method is designed to detect attacks that span a number of connections, rather than a single session.
Network honeypot —This method establishes nonexistent services to identify potential hackers. A network honeypot impersonates services that do not exist by sending fake information to people scanning the network. It identifies attackers when they attempt to connect to the service. There is no reason for legitimate traffic to access these resources because they do not exist; therefore, any attempt to access them constitutes an attack.
Anti-intrusion detection system evasion techniques —These methods are designed to detect attackers who may be trying to evade intrusion detection system scanning. They include such methods as IP defragmentation, TCP stream reassembly, and deobfuscation.
These detection systems are automated, but they can only indicate patterns of activity; a computer administrator or other experienced individual must interpret the activities to determine whether they are potentially harmful. Monitoring the logs generated by these systems can be time consuming, and there may be a learning curve to determine a baseline of normal traffic patterns from which to distinguish potentially suspicious activity.
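The traffic anomaly detection method described above, as an added example that is not part of the original text: a baseline of normal per-source connection counts is learned from constructed sample flow records, and each source is then checked per time window against administrator-style thresholds (a z-score limit, a minimum connection count, and a distinct-port trigger), so that activity spread over many connections is flagged rather than any single session. All addresses, ports and thresholds are made up for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (source address, destination port, time window).
# Addresses and values are made up for the example, not captured traffic.
BASELINE_FLOWS = [
    ("10.0.0.5", 443, 0), ("10.0.0.5", 443, 0), ("10.0.0.6", 80, 0), ("10.0.0.7", 22, 0),
    ("10.0.0.5", 443, 1), ("10.0.0.6", 80, 1), ("10.0.0.6", 443, 1), ("10.0.0.7", 22, 1),
    ("10.0.0.5", 443, 2), ("10.0.0.5", 80, 2), ("10.0.0.6", 80, 2), ("10.0.0.7", 22, 2),
    ("10.0.0.7", 22, 2),
]
OBSERVED_FLOWS = [
    ("10.0.0.5", 443, 3), ("10.0.0.5", 443, 3), ("10.0.0.6", 80, 3), ("10.0.0.7", 22, 3),
    # One source touching many ports over many short connections in a single window.
    ("192.0.2.99", 21, 3), ("192.0.2.99", 22, 3), ("192.0.2.99", 23, 3), ("192.0.2.99", 25, 3),
    ("192.0.2.99", 80, 3), ("192.0.2.99", 110, 3), ("192.0.2.99", 443, 3), ("192.0.2.99", 3389, 3),
]

def per_source_activity(flows):
    """Group flows by (window, source): number of connections and the set of ports used."""
    activity = defaultdict(lambda: {"count": 0, "ports": set()})
    for src, port, window in flows:
        entry = activity[(window, src)]
        entry["count"] += 1
        entry["ports"].add(port)
    return activity

def build_baseline(flows):
    """Learn what 'normal' looks like: mean and std dev of per-source connections per window."""
    samples = [e["count"] for e in per_source_activity(flows).values()]
    return mean(samples), pstdev(samples)

def detect_anomalies(flows, baseline, z_threshold=3.0, min_connections=5, port_trigger=5):
    """Flag (window, source) pairs that deviate from the learned baseline.

    z_threshold, min_connections and port_trigger stand in for the thresholds and
    triggers an administrator would define; evaluation is per source per window, so
    behaviour spread across many connections is caught, not just one session.
    """
    base_mean, base_std = baseline
    alerts = []
    for (window, src), e in sorted(per_source_activity(flows).items()):
        reasons = []
        z = (e["count"] - base_mean) / base_std if base_std else 0.0
        if e["count"] >= min_connections and z > z_threshold:
            reasons.append(f"connection rate z={z:.1f}")
        if len(e["ports"]) >= port_trigger:
            reasons.append(f"{len(e['ports'])} distinct ports")
        if reasons:
            alerts.append((src, window, e["count"], "; ".join(reasons)))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(alert)
```

The baseline windows produce no alerts, which is the check a practitioner should make before tuning thresholds on live traffic.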
SCADA
On April 23, 2000, police in Queensland, Australia, stopped a car on the road and found a stolen computer and radio inside. Using commercially available technology, a disgruntled former employee had turned his vehicle into a pirate command center of sewage treatment along Australia's Sunshine Coast. The former employee's arrest solved a mystery that had troubled the Maroochy Shire wastewater system for two