A literature review and discussion on issues in network security monitoring, focusing on issues with unstructured threats and attacks as well as the unstructured networks in which these attacks can take place. Gaps in the knowledge provided by the literature are identified, as are current trends and reliable findings that make addressing these threats easier.
Network Research
Encountering -- and Countering -- Unstructured Attacks: Current Issues in Network Security Monitoring
As technology and information networks continue to grow in complexity and in sheer size, and as they become more prevalent and important to industries and organizations of all sorts, the problems encountered in network security and network security monitoring are themselves growing in number and complexity. Hardware changes, software developments, and an ever-adapting range of purposeful and accidental security threats through unauthorized activity have led to the rapid evolution of network security monitoring in many ways, while at the same time certain basic elements and frameworks for understanding issues remain the same. This juxtaposition of the old and the new in the world of network security monitoring means that basic and current understandings of problems and solutions that might be encountered in the field are useful and indeed necessary, but also that knowledge must continually develop along with the monitoring complexities themselves. This can be an arduous task in and of itself, given the amount of practical experience and explicit research generating new knowledge on a constant basis.
To further complicate matters, the number of individuals capable of affecting network security in adverse ways is also growing, both in absolute and relative terms -- that is, a growing proportion of the population is computer-literate enough to purposefully attack, access, or otherwise wrongfully affect or utilize secure information networks -- meaning there is more human creativity being put towards efforts that threaten network security and that require careful attention from network security monitors. As learning how to manipulate Internet and network technologies becomes a more prominent and popular feature of common education and knowledge, not only the number but also the nature of attacks changes to a certain degree. More people being capable of utilizing networks in an unauthorized or malicious fashion does not mean that more people are truly expert at this, or even that they have sophisticated or long-term ends for such network misuse, but simply that there are more people able and willing to engage in unauthorized and potentially malicious network use, whether as what they see as pranks or as purposefully visible forms of organizational disruption. These attacks are generally less harmful, at least in direct terms, when it comes to network security; however, they can also be more difficult to handle.
Unstructured threats are those attacks on a network (or, in some perspectives, weaknesses in network security and monitoring that allow for these attacks) that do not have a true purpose or a fixed empirical methodology, and though this covers a range of potential attacks they can largely be addressed as a functional group (Bejtlich, 2004; Barth, 2008). Because these attacks are less fixed in purpose and methodology and tend to be more visible, with a lower need for subtlety and efficacy, they are also the type of attack or threat that is more and more likely to occur as greater numbers of lay people acquire some level of ability in terms of network utilization and disruption. Given the evolution of network knowledge and of network security threats, it is in the area of unstructured threats that network security monitors face perhaps the greatest challenges, as this is the area most likely to develop newer threats and methods of attack at a more rapid pace. Even though these attacks might ultimately be less harmful to the organization attacked due to the lack of criminal intent and the rather superficial nature of most such attacks, unstructured attacks can be highly disruptive to network operations and to organizational productivity and public image, and thus can be quite harmful. The following pages present an overview of the current literature regarding unstructured threats and the means for addressing them, providing a definition and in-depth analysis of unstructured threats as they typically present today. Certain conflicts and gaps in the literature are identified, as are the current trends and consistent findings as well as the general frameworks that have been constructed and shown to be effective in dealing with unstructured threats, and overall recommendations in response to a general risk assessment are also given.
Literature Review
Current research related to the area of unstructured threats to, and attacks on, network security covers a range of specific topics and brings several different perspectives to bear on the issue. Practical as well as ethical implications are covered, and there are high levels both of observational data that define certain patterns and issues affecting network security monitoring and of modeling and experimental findings that suggest certain solutions or approaches to addressing identified problems. Despite the many different views and the diverse nature of the data related to this topic, however, there are still certain questions that remain poorly investigated and largely unanswered, and knowledge gaps in the overall investigation of unstructured threats. Though the research gathered and presented here is of course not a comprehensive list of all topics and perspectives that can be and have been utilized in the examination of unstructured threats, it does provide a fair representation of the level and scope of information that is currently available and thus is useful both in providing broad assessments of trends in the literature and in identifying potential problem areas.
One of the problems holding back research and preventing the acquisition of solid data in this area is the large amount of network data that is generated during unstructured threats/attacks and in network operation generally, much of which must be analyzed in order to develop a clear understanding of how these attacks can occur and what might possibly be done to prevent them (Stiawan et al., 2011). This is a general problem when it comes to many aspects of network monitoring and network security, but it is especially problematic when it comes to unstructured threats and unstructured data; the very nature of being unstructured means it is more difficult to determine strong patterns in data and thus to develop empirical means for testing responses to unstructured threats (Stiawan et al., 2011). The formation of unstructured threats and the lack of purpose that is inherent to unstructured attacks make them far less predictable, and though more advanced data mining techniques have been put forward in an attempt to address these issues, there is still difficulty in the prediction and prevention of, and the development of effective general responses to, unstructured attacks and the threats that underlie them (Ahmad & Habib, 2010; Stiawan et al., 2011).
When networks themselves are less fixed, less predictable, and less structured, the problems of unstructured threats are intensified all the more, and this is becoming an increasing problem as a variety of networks have emerged with the explicit purpose of allowing large communities of individuals to engage in some level of network activity with what is ultimately a low degree of monitoring and security at the level of actual user interfacing (Fan, 2011; Xu et al., 2011; Cao & Liu, 2012). Peer-to-peer networks now exist for a wide variety of reasons, and they offer a plethora of options for personal and network interaction to their users, making them both incredibly useful and inspiring testaments to technology and highly attractive targets for unstructured attacks -- attacks brought about simply for fun, or for the individual(s) launching the attack to see what they can do without having any actual end in mind (Bejtlich, 2004; Fan, 2011; Xu et al., 2011; Cao & Liu, 2012). The number of users in these systems and the highly varied and variable patterns of network activity make monitoring the networks for potential unstructured attacks quite difficult, and also maintain the threat of unstructured attacks at a consistent, high level (Barth, 2008; Fan, 2011; Xu et al., 2011; Cao & Liu, 2012). This opens relatively unstructured networks to a variety of unstructured attacks by creating much greater threat levels than exist within more closed, controlled, and consciously structured networks (Fan, 2011; Xu et al., 2011; Cao & Liu, 2012).
One of the primary issues when it comes to unstructured attacks is that they depend to some degree -- in peer-to-peer networks, to a large degree -- on human psychology, and not on rational and strictly mathematical rules and patterns of behavior (Bejtlich, 2004; Cao & Liu, 2012). Mathematical models of the trust relationships that exist (or should exist, or must exist, etc.) in peer-to-peer networks have been attempted, however, and both the difficulty in developing reliable and accurate models and the results of simulations conducted with these models demonstrate the difficulty of planning for, preparing for, and addressing unstructured attacks (Cao & Liu, 2012). The level of trust in peer-to-peer networks and the specific relationships of trust that develop or fail to develop speak directly to the level and nature of unstructured threats that the network faces, and thus a mathematical model of such behavior, one whose predictions can be proactively acted upon, is necessary to fully deal with unstructured threats and attacks.
The nature of semi-structured or largely unstructured networks such as peer-to-peer networks also enables certain unstructured threats with the potential to become structured attacks to propagate, which can ultimately be both helpful and harmful to overall network security monitoring operations. The behavior of both botnets and worms in peer-to-peer networks has been empirically examined and models or simulations of their behavior have been attempted; the manner in which different nodes in peer-to-peer networks develop, both in and of themselves and in terms of their relationships with other nodes -- the very architecture of the network itself, in other words, which is necessarily dynamic in a peer-to-peer network -- makes it easier for these threats to spread and evolve undetected, as do the patterns of information flow over such networks (Fan, 2011; Xu et al., 2011). When it comes to worms propagating in peer-to-peer networks, knowledge of the activity of the worm itself has been demonstrated to be the most necessary in terms of tracking and preventing the continued spread and damage of such a threat, while botnets generally show more "robustness" and are more effectively impacted by shifts in the network itself, specifically by decentralizing nodes in an attempt to isolate and eliminate the botnet (Fan, 2011; Xu et al., 2011). Both of these threats are more difficult to track and eliminate when unstructured in nature and/or environment.
As the research into peer-to-peer networks shows, the less structured a network is, the more vulnerable it is to unstructured threats, and thus ultimately to unstructured attacks as well. When networks are created on the fly or "ad hoc," they become that much more unstructured; even if they are implemented for a specific purpose, the very nature of an ad hoc network means that it is built not from an explicit plan and method of resource acquisition, but simply by growing in whatever manner it is possible to grow in order to achieve the needs of the network users/architects (Yang et al., 2010). Pattern recognition becomes more difficult when the network does not have dependable data for normal usage, making threat detection incredibly difficult, especially for unstructured threats that do not necessarily attempt to adversely affect network performance or inappropriately utilize or access sensitive data (Yang et al., 2010). Given the potential for a seemingly innocuous unstructured attack to suddenly achieve real and drastic damaging effects, these threats are still important to counter, but the difficulty of detection can make this all but impossible (Yang et al., 2010). Several approaches to threat detection have been developed, of course, but the appropriate detection and reaction method is dictated both by certain network features and by features of the potential or actual threat/attack, and thus the issue remains complex and often very difficult to deal with even for experienced network security monitors (Yang et al., 2010).
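The dependence of detection on "dependable data for normal usage" can be made concrete with a small baseline-driven anomaly detector. The following is an added illustration written for this review, not code from Yang et al. or any other cited work; the per-interval connection counts, the two baselines (a managed network with a stable routine versus an ad hoc peer-to-peer host), the burst window, and the three-standard-deviation threshold are all constructed for the demonstration. It shows both failure modes at once: a baseline learned from volatile ad hoc traffic absorbs a genuine burst, while a baseline carried over from a structured network turns every ordinary ad hoc interval into an alert.

```python
"""Why baseline-dependent detection struggles on unstructured networks.

Illustrative example added to this review; it is not code from any of the
cited papers. All traffic samples are constructed: each number is the count
of new outbound connections a monitored host opened in one five-minute
interval (a hypothetical metric chosen only for the demonstration).
"""
from statistics import mean, stdev

# Constructed history from a managed network with a stable daily routine.
STRUCTURED_BASELINE = [50, 52, 49, 51, 50, 48, 53, 50, 49, 51]

# Constructed history from an ad hoc / peer-to-peer host whose "normal"
# activity swings with whoever happens to be connected at the time.
AD_HOC_BASELINE = [5, 120, 40, 260, 15, 180, 70, 300, 10, 90]

# A window of routine activity with one burst (interval 2) injected.
BURST_WINDOW = [50, 50, 140, 50, 50]

# A window of perfectly ordinary ad hoc activity, with no burst at all.
AD_HOC_NORMAL_WINDOW = [8, 210, 30, 150, 12]


def zscores(baseline, observed, min_std=1.0):
    """Score each observed count by how many baseline standard deviations it
    sits from the baseline mean. min_std keeps a perfectly flat baseline
    (standard deviation zero) from turning every tiny wobble into an alert."""
    mu = mean(baseline)
    sigma = max(stdev(baseline), min_std)
    return [(x - mu) / sigma for x in observed]


def flagged_intervals(baseline, observed, threshold=3.0):
    """Indices of intervals whose |z| exceeds the threshold: the alerts an
    analyst would actually see for this window."""
    return [i for i, z in enumerate(zscores(baseline, observed)) if abs(z) > threshold]


def detection_summary():
    """Run the same detector in the four baseline/window combinations the
    discussion implies and report what it would alert on in each."""
    return {
        # Structured network, real burst: the burst stands out cleanly.
        "structured_baseline_vs_burst":
            flagged_intervals(STRUCTURED_BASELINE, BURST_WINDOW),
        # Ad hoc network, same burst: the baseline is so noisy that the
        # burst falls inside normal variance and is missed entirely.
        "ad_hoc_baseline_vs_burst":
            flagged_intervals(AD_HOC_BASELINE, BURST_WINDOW),
        # Structured baseline carried over to an ad hoc host: every
        # ordinary interval becomes an alert, i.e. an alert flood.
        "structured_baseline_vs_ad_hoc_normal":
            flagged_intervals(STRUCTURED_BASELINE, AD_HOC_NORMAL_WINDOW),
        # Ad hoc baseline on its own traffic: quiet, but only because it
        # has learned to accept almost anything as normal.
        "ad_hoc_baseline_vs_ad_hoc_normal":
            flagged_intervals(AD_HOC_BASELINE, AD_HOC_NORMAL_WINDOW),
    }


if __name__ == "__main__":
    for case, alerts in detection_summary().items():
        print(f"{case}: alerts at intervals {alerts}")
```

The point for a monitor is that the threshold is not the problem; the same rule behaves sensibly on the structured history and fails in both directions on the ad hoc one, which is why the detection method has to be chosen per network rather than reused across them.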
One attempt to more effectively model behaviors and relationships in unstructured networks and unstructured threats or attacks has been to use some of the relationships and mechanisms defined and described in game theory as a means of predicting actions taken by network users and would-be attackers in unstructured scenarios (Manshaei et al., 2011). The authors of this particular piece of research claim to have made some headway in terms of describing threats and attacks from this perspective, yet they themselves are not able to identify any clear solutions from their preliminary findings and instead simply suggest that further research is required in this area (Manshaei et al., 2011). In truth, it is not entirely clear that the game theory perspective will prove to be an adequate approach to the problems of unstructured threats and attacks, and indeed there are other frameworks that appear to provide more direct, coherent, and consistent results. Developing new perspectives for network architecture and alert signaling using more traditional frameworks for threat definition and prediction could prove more effective than trying to rebuild the very manner in which threats are predicted, and indeed there has been some experimental success demonstrated with specific new architectures and signaling triggers when it comes to unstructured attack detection and prevention (Colajanni et al., 2010). Practical efforts built on existing theory, even when those theories are based on the limited knowledge available to researchers in the area and to real-world network security monitors, appear to be more effective than changes in underlying theory and modeling (Colajanni et al., 2010; Manshaei et al., 2011).
Discussion
As the current research shows, being able to define, predict, and respond to unstructured threats is still a very significant problem in network security monitoring, and one that is in need of further research before it can be considered adequately addressed and properly understood. There are both general and specific problems when it comes to unstructured threats and attacks on a network, from the lack of direct harm that many unstructured attacks might have, at least initially, to the psychological rather than mathematical/rational factors that drive unstructured attacks and the attackers behind them. The research has definitively laid out many of these problems, and in fact it is in this area that current knowledge can be considered the most complete -- the problems themselves are relatively specific and well-defined, meaning that there are clear and concise questions that can be posed as to how to best prevent, detect, and respond to unstructured threats and attacks. Where the research is lacking, unfortunately, is in providing concrete and concise answers to these questions, and providing some semblance of a structured framework for dealing with unstructured threats. The problem here is self-evident, yet this is still the trajectory that research should follow.