Successful detection of network intrusions is a significant challenge for network security professionals and the systems they are responsible for protecting.
Many available intrusion detection systems (IDSs) rely on attack signatures to detect attacks against nodes on the network. Signatures are created from information learned about a specific attack that has been detected and evaluated at an earlier time. An IDS that uses only signature-based protection cannot detect a “zero-day” attack because the attack’s signature is not defined in the IDS. A traditional IDS also performs only a limited inspection of network traffic and provides the analyst with very limited information about the attack.
Other IDSs use behavioral analysis of network traffic. If activity on the network falls outside the range of normal activity, the IDS alerts the analyst that a possible attack is occurring. Both signature-based and behavior-based IDSs suffer from a large number of false positives and false negatives.
- Capability to detect zero-day attacks
- Real-time analysis of downloaded network content
- Detailed dynamic behavior analysis of content
- Modular architecture that combines results of multiple analyses and allows for easy addition of new tools
- No changes to network infrastructure
- Scales to large enterprise networks
- Low false-positive rate
APL researchers have developed Net Taster, an IDS that correlates real-time network traffic content with node activity to detect attacks on a network. Net Taster provides a low false-positive rate and a highly detailed report for each attack that occurs.
Unlike other IDSs, Net Taster goes beyond network traffic analysis and deep packet inspection to analyze the content carried by the network traffic. Net Taster uses cutting-edge dynamic analysis technology to determine how network nodes behave in response to incoming traffic, and combines that result with network traffic analysis and traditional static analysis to identify attacks. The result is a holistic characterization of the attack along with a low false-positive rate.
Net Taster’s behavioral content analysis provides not only better detection of attacks but also an indication of whether or not an attack was successful. Net Taster’s automated reports provide specific details of an infection, describing the nature and extent of the compromise and what data may have been exfiltrated. All relevant network data are easily accessible to the analyst for further investigation. By providing the details of attacks, including those that are unsuccessful, Net Taster supplies necessary information to stop future attacks.
Net Taster has a modular framework that consists of two main phases: first, a front end logs potentially malicious content and network traffic; second, an analysis phase inspects the content and network traffic to determine whether or not an attack has been launched against a node in the network. The front end automatically submits network content for analysis and provides a web interface for viewing real-time data, as well as functionality for manually analyzing content.
The flexible analysis framework combines results of multiple analyses and permits a simple method for introducing new tools.
This copyrighted technology is currently available for licensing and future development partnership.