Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

New IPS Architecture Uses Network Flow Data for Analysis
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
7/24/2019 | 2:58:10 AM
Interesting article, there was someone doing this in the past
10 years ago, there was a company called "Enterasys", the product they put together was called "NetSight Atlas". Extremenetworks bought the company; they provided similar capabilities as mentioned where they used algorithms and policies provided by the vendor to mitigate attacks without user intervention (literally thousands). There are other systems doing similar work called Extrahop but it is not an IPS system, it does not make a decision but it can help the user to make a more informed decision.

Extrahop Security Solution

When the actor tried to access the network, their session was moved to a honeypot or an area on the network that was external to the production environment. The application would pull information from varying switches, IDS, routers and firewalls; it would make a determination if the packets were suspect; the system would isolate that traffic from other parts of the network even if the switches were different (not all functionality but enabled certain protection mechanisms). The solution was light-years ahead of its time. They used all aspects of flow, network, log data; the system would create a baseline and identify anomalies based on traffic patterns, use and application characteristics. The system would effectively block or move individual ports like SMTP (25, 110), Web (80, 443), RPC (111), SMB/CIFS (135-139) to honeypots if the policies identified the session as being problematic. It would record, report and notify of any changes before the individual came into the office.

"The challenge with NetFlow is that it is very low resolution," says Chris Morales, head of security analytics at Vectra, a company that uses artificial intelligence as the basis for its cybersecurity detection. "Think of trying to repaint the 'Mona Lisa' from a 1970s Polaroid photo. The resolution is too low to detect hidden threats with high efficacy."

So I agree that this can done, but one of the concerns is based on target movement (the bullseye is constantly adjusting). So there needs to be intelligence built in the application because the different attacks can be manipulated or changed on the fly; also by tying together similar attacks, based on region and type, faster processing mechanisms can be employed to address similar problems (i.e. Polymorphic APTs or different methods used by nation states).

Algorithms are good in certain regards but since the variants or attacks are morphing using varying techniques, does the algorithm allow for a sliding scales (adjustment), that is why machine learning will be essential in evaluating attack vectors and their level of penetration (the next level of cybersecurity evolution).

Attack Vector Types

As a result, the tools should be able to unravel traffic flows (learn), user access (normal behavior), remote penetration techniques (scanning) and varying interrelated traffic patterns (correlational analysis, similar to big data), this will be a game changer. This is a major task, not to say that is cannot be done, but there are considerations outside of the algorithm that should be evaluated and improved as attacks improve.


Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...