Network Monitoring
Network Activity
According to Bejtlich (2004), there are basically three types of network activity from a monitoring perspective: normal activity, suspicious activity, and malicious activity. Taking effective action depends on the ability of the network monitor to correctly identify which type of activity is being observed and to develop a response from the tools and processes at the monitor's disposal. While it might seem unnecessary to discuss normal activity, as there is essentially no action the monitor needs to take if nothing but normal activity is going on, understanding normal activity is essential in carrying out a monitor's task (Bejtlich, 2004). Normal activity can vary considerably from network to network, and might consist of steady streams of traffic in some settings or regular peaks punctuated by periods of very low activity in others. Defining normal for a particular setting is necessary in order to develop an understanding of suspicious and malicious activity. Suspicious activity could be loosely defined as anything that does not appear to be normal activity -- a peak in a setting that is normally steady, for example -- but whose nature is not entirely known. Malicious activity is activity that deviates from the normal and can be identified as having deliberately harmful effects on the network, or traffic that is meant to be harmful and masquerades as normal but can eventually be identified as abnormal. Clearly, the difference from normal is essential in identifying both suspicious and malicious network activity, and it is for this reason that establishing a baseline for normal activity is so important (Bejtlich, 2004).
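The following is an added illustration of the baseline idea above; it is not code from Bejtlich's book or from the paper. It assumes a constructed series of per-interval byte counts from a link whose traffic is normally steady, builds a baseline from a known-good window, and labels later intervals as normal or suspicious by how far they sit from that baseline. The three-standard-deviation threshold is an assumption chosen for the example, and note that the statistic can only raise an interval to "suspicious": deciding that a spike is malicious still requires inspecting what the traffic actually was.

```python
import statistics
from typing import List, Tuple

# Constructed training window: bytes seen per five-minute interval during a
# period an analyst has already reviewed and considers normal for this link.
BASELINE_BYTES = [
    1020, 980, 1105, 995, 1050, 1010, 970, 1030, 1090, 1000, 1040, 985,
]

# Constructed observation window to classify against that baseline.
OBSERVED_BYTES = [1015, 1060, 990, 4200, 1005, 1025, 6100]


def build_baseline(samples: List[int]) -> Tuple[float, float]:
    """Return (mean, sample standard deviation) of the known-normal intervals."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to define a baseline")
    return statistics.mean(samples), statistics.stdev(samples)


def classify(value: int, mean: float, stdev: float, k: float = 3.0) -> str:
    """Label one interval by its distance from the baseline in standard deviations.

    Thresholding at k standard deviations is an assumption made for this example;
    the source text prescribes no particular statistic.
    """
    if stdev == 0:
        # A perfectly flat baseline: anything that differs at all is worth a look.
        return "normal" if value == mean else "suspicious"
    z = abs(value - mean) / stdev
    return "suspicious" if z > k else "normal"


def flag_intervals(observed: List[int], baseline: List[int], k: float = 3.0):
    """Return (index, value, label) for every observed interval."""
    mean, stdev = build_baseline(baseline)
    return [(i, v, classify(v, mean, stdev, k)) for i, v in enumerate(observed)]


def suspicious_indexes(observed: List[int], baseline: List[int], k: float = 3.0) -> List[int]:
    """Indexes of intervals that deviate from the baseline by more than k sigma."""
    return [i for i, _, label in flag_intervals(observed, baseline, k) if label == "suspicious"]


if __name__ == "__main__":
    mean, stdev = build_baseline(BASELINE_BYTES)
    print(f"baseline mean={mean:.1f} bytes, stdev={stdev:.1f} bytes")
    for i, v, label in flag_intervals(OBSERVED_BYTES, BASELINE_BYTES):
        print(f"interval {i}: {v:>5} bytes -> {label}")
```

The baseline here is deliberately taken from a window an analyst has vetted; feeding unreviewed traffic into the baseline would let an ongoing attack define "normal" and hide itself. In a setting with regular peaks rather than a steady stream, the same logic would be applied per time-of-day bucket so that an expected peak is not flagged.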
Attacks on Network Security Monitoring
There are a number of ways in which attacks on networks and network security monitoring efforts can be carried out, involving many different tools and tactics. The response to a network security monitoring attack needs to be based on an assessment of the method of the attack that is being leveled against the network and its security monitoring, and thus can be as varied and complex as the attacks themselves (Bejtlich, 2004). Two tactics or tools that an attacker might use to attack network security monitoring are an attack from a stepping stone and an attack using a spoofed source address. Both of these are methods by which the attacker uses tools and processes to hide their location and identity, making it more difficult to trace the origin of the malicious activity and thus to end it, and also causing problems when it comes to the legal end of proving and prosecuting crimes. There are numerous methods of addressing attacks that utilize such tools, including different ways of attempting to track the true and hidden identity and/or location of the attacker and different means of cutting off the activity that forms the attack on the network security monitoring. An attack might also focus on the client rather than the server, attempting to move through the server as ordinary traffic and only becoming recognizable as malicious further into the network. Addressing this type of attack must involve some method of tracking the malicious activity forward rather than backwards, and again there are multiple ways to accomplish this (Bejtlich, 2004).
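As an added example of one of the "means of cutting off" spoofed-source traffic mentioned above (not code from Bejtlich or from the paper), the check below applies the well-known ingress/egress filtering rule: a packet arriving from the Internet-facing interface must not carry a source address belonging to the site itself or to a range that cannot legitimately originate on the Internet, and a packet leaving the site must carry a site source address. The address plan (a 203.0.113.0/24 documentation prefix plus RFC 1918 space), the interface names `wan` and `lan`, and the sample packets are all constructed for this example.

```python
import ipaddress
from typing import List, Tuple

# Constructed address plan: prefixes the monitored site legitimately uses.
SITE_PREFIXES = [
    ipaddress.ip_network(p) for p in ("203.0.113.0/24", "10.0.0.0/8", "192.168.0.0/16")
]

# Ranges that should never appear as a source address on the Internet-facing side.
BOGON_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")
]

# Constructed packet metadata: (arrival interface, source IP, destination IP).
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("wan", "198.51.100.7", "203.0.113.10"),   # ordinary inbound traffic
    ("wan", "10.1.2.3", "203.0.113.10"),       # internal source arriving from outside
    ("wan", "127.0.0.1", "203.0.113.10"),      # loopback source from outside
    ("lan", "10.1.2.3", "198.51.100.7"),       # ordinary outbound traffic
    ("lan", "198.51.100.9", "198.51.100.7"),   # outbound with a foreign source
]


def in_any(addr: ipaddress._BaseAddress, prefixes) -> bool:
    """True if addr falls inside any of the given networks."""
    return any(addr in prefix for prefix in prefixes)


def check_packet(iface: str, src: str, dst: str) -> str:
    """Return a verdict for one packet under ingress/egress source filtering.

    'wan' is the Internet-facing interface and 'lan' the site side; both names
    are assumptions of this example.
    """
    source = ipaddress.ip_address(src)
    if iface == "wan":
        if in_any(source, SITE_PREFIXES):
            return "spoofed-internal-source"   # our own address cannot arrive from outside
        if in_any(source, BOGON_PREFIXES):
            return "bogon-source"              # unroutable source, cannot be genuine
        return "ok"
    if iface == "lan":
        if not in_any(source, SITE_PREFIXES):
            return "spoofed-egress-source"     # a host here is forging someone else's address
        return "ok"
    return "unknown-interface"


def audit(packets: List[Tuple[str, str, str]]) -> List[str]:
    """Verdicts for a list of packets, in input order."""
    return [check_packet(iface, src, dst) for iface, src, dst in packets]


if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        print(f"{packet[0]:>3} {packet[1]:>15} -> {packet[2]:<15} {verdict}")
```

Two points follow from the verdicts. The egress check is the one that actually stops a site from being used as a source of spoofed packets, so it has to run at the site that originates them, not at the victim; and a `spoofed-internal-source` hit on the WAN side is evidence that someone is forging the site's addresses, which is worth alerting on even though the packet itself is dropped.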