3.5 Detecting Network Attacks

While preventative measures like firewalls are essential, organizations must also have tools in place to detect attacks that bypass these defenses. Automated detection tools are critical for monitoring network activity and identifying potential threats in real time. These tools analyze data collected from sources across the network, including routers, switches, servers, and firewalls; that data is typically stored in log files.

Common automated security tools for network attack detection include:

  • Network Intrusion Detection System (NIDS): A NIDS is a passive monitoring tool that analyzes network traffic for signs of malicious activity. When it detects a potential attack, it generates an alert for security analysts to investigate. It does not, however, take any action to block the attack.
  • Network Intrusion Prevention System (NIPS): A NIPS has all the capabilities of a NIDS but can also take active steps to mitigate or stop a detected attack. For example, a NIPS might block traffic from a malicious IP address, close a port that is under attack, or terminate a suspicious network session.
  • Security Information and Event Management (SIEM): A SIEM system is a centralized platform that aggregates and analyzes log data from multiple sources across the entire IT infrastructure. By correlating events from firewalls, intrusion detection systems, servers, and applications, a SIEM can detect complex attack patterns that might not be visible from a single source. When a potential threat is identified, it raises an alert for human analysts to investigate.

The sheer volume of data generated by a modern network makes manual analysis impossible. This is where artificial intelligence (AI) is becoming increasingly valuable. AI algorithms can be trained to analyze these massive datasets, learn the patterns of normal network behavior, and quickly identify anomalies that may indicate an attack. AI models for threat detection often use probabilistic calculations, assigning a likelihood score to an event to indicate how probable it is that the event is malicious. Organizations can set a threshold for this score to determine when an alert should be generated.

When choosing a detection method, several factors must be considered. Signature-based detection compares network traffic against a database of known attack patterns, or indicators of compromise (IoCs). This method is fast, efficient for high-traffic networks, and has a very low rate of false positives. However, it cannot detect new or previously unknown attacks. Anomaly-based detection first establishes a baseline of normal network activity and then triggers an alert when it detects deviations from this baseline. This method is effective at catching novel attacks but can have a higher rate of false positives and requires more computational resources. A hybrid approach, which combines both methods, offers the most comprehensive protection but is also the most complex and costly to implement.

Detecting specific network attacks often involves analyzing log files for key indicators:

  • Evil-twin attacks can be identified by scanning for suspicious SSIDs and using signal triangulation to locate rogue access points.
  • ARP poisoning can be detected by monitoring for unusual ARP messages, such as duplicate MAC addresses, in network traffic logs.
  • MAC flooding attacks are indicated by a sudden, massive increase in Ethernet frames with different source MAC addresses.
  • Smurf attacks can be identified by a spike in ICMP requests sent to the network's broadcast address.
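The four log indicators listed above, turned into checks that run over constructed sample records. This is an added example, not code from the original page or from any product; the record layouts, the thresholds (100 new MACs per second, 20 broadcast echo requests per second) and the `KNOWN_APS` inventory are assumptions chosen for illustration.

```python
"""Log-indicator checks for evil twins, ARP poisoning, MAC flooding and Smurf.

All records below are constructed sample data. Field names, thresholds and the
access-point inventory are assumptions made for this example.
"""
from collections import Counter, defaultdict

# Evil twin: a beacon advertising one of our SSIDs from a BSSID we do not own.
# (Locating the rogue AP by triangulation needs RSSI from several sensors and
# is outside this example.)
KNOWN_APS = {"corp-wifi": {"d4:00:00:00:00:01", "d4:00:00:00:00:02"}}  # assumed inventory
SAMPLE_BEACONS = [  # (ssid, bssid), constructed
    ("corp-wifi", "d4:00:00:00:00:01"),
    ("corp-wifi", "d4:00:00:00:00:02"),
    ("corp-wifi", "d4:00:00:00:00:99"),  # same SSID, BSSID not in inventory
    ("guest", "d4:00:00:00:00:50"),      # SSID we do not track
]

def rogue_ssids(beacons, known=KNOWN_APS):
    return sorted({(s, b) for s, b in beacons if s in known and b not in known[s]})

# ARP poisoning: one IP claimed by several MACs, or one MAC answering for
# several IPs, among ARP replies. A MAC with many IPs can be legitimate (a
# router, a VM host), so treat this as an investigation lead, not proof.
SAMPLE_ARP = [  # constructed parsed ARP replies
    {"op": "reply", "sender_ip": "10.0.0.1", "sender_mac": "aa:aa:aa:aa:aa:01"},
    {"op": "reply", "sender_ip": "10.0.0.1", "sender_mac": "aa:aa:aa:aa:aa:02"},  # gateway IP, second MAC
    {"op": "reply", "sender_ip": "10.0.0.7", "sender_mac": "aa:aa:aa:aa:aa:07"},
    {"op": "reply", "sender_ip": "10.0.0.8", "sender_mac": "aa:aa:aa:aa:aa:07"},  # same MAC, two IPs
]

def arp_conflicts(records):
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for r in records:
        if r["op"] != "reply":
            continue
        ip_to_macs[r["sender_ip"]].add(r["sender_mac"])
        mac_to_ips[r["sender_mac"]].add(r["sender_ip"])
    dup_ips = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    dup_macs = {mac: sorted(i) for mac, i in mac_to_ips.items() if len(i) > 1}
    return dup_ips, dup_macs

# MAC flooding: the number of distinct source MACs seen per time window jumps
# far above what a segment normally has.
SAMPLE_FRAMES = [(0.1 * i, f"aa:aa:aa:aa:aa:{i % 5:02x}") for i in range(10)]  # window 0: 5 hosts
SAMPLE_FRAMES += [(1.0 + i * 0.001, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
                  for i in range(300)]                                         # window 1: 300 MACs

def mac_flood_windows(frames, window_s=1, max_macs=100):
    per_window = defaultdict(set)
    for ts, src_mac in frames:
        per_window[int(ts // window_s)].add(src_mac)
    return sorted(w for w, macs in per_window.items() if len(macs) > max_macs)

# Smurf: a burst of ICMP echo requests (type 8) addressed to the broadcast address.
SAMPLE_ICMP = [(0.5, "10.0.0.5", 8), (0.7, "10.0.0.255", 8)]          # normal background
SAMPLE_ICMP += [(3.0 + i * 0.01, "10.0.0.255", 8) for i in range(60)]  # burst in window 3

def smurf_spikes(icmp, broadcast="10.0.0.255", window_s=1, max_per_window=20):
    per_window = Counter()
    for ts, dst, icmp_type in icmp:
        if icmp_type == 8 and dst == broadcast:
            per_window[int(ts // window_s)] += 1
    return {w: n for w, n in per_window.items() if n > max_per_window}

if __name__ == "__main__":
    print("evil twin  :", rogue_ssids(SAMPLE_BEACONS))
    print("arp        :", arp_conflicts(SAMPLE_ARP))
    print("mac flood  :", mac_flood_windows(SAMPLE_FRAMES))
    print("smurf      :", smurf_spikes(SAMPLE_ICMP))
```

Each function returns the offending windows or address pairs rather than a verdict, so an analyst (or a SIEM correlation rule) can weigh the indicator against context such as a known multi-IP host before raising an alert.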

Network-based IoCs found in packet capture files or traffic logs, such as connections to known malicious IP addresses, unusual spikes in traffic, or mismatched port-application traffic, are all critical pieces of evidence that can help security analysts detect and respond to network attacks.
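The hybrid approach described earlier (a signature stage for known IoCs beside an anomaly stage with a likelihood score and an alert threshold), applied to the network IoCs this section closes with: a connection to a known-bad address, a port/application mismatch, and a traffic spike against a learned baseline. This is an added example, not the page's or any vendor's code; the flow-record layout, the `KNOWN_BAD_IPS` entry (a TEST-NET-3 address), the `EXPECTED_APP` port table, the logistic scoring curve and the 0.9 threshold are all assumptions.

```python
"""Hybrid network-attack detection over constructed flow records.

Signature stage: known-bad destination IPs and port/application mismatches.
Anomaly stage: bytes per window compared with a baseline; the z-score is
mapped to a 0..1 likelihood score and gated by a threshold.
All records, tables and thresholds are assumptions for this example.
"""
import math
import statistics
from collections import defaultdict

KNOWN_BAD_IPS = {"203.0.113.66"}                    # constructed IoC list
EXPECTED_APP = {53: "dns", 443: "tls", 22: "ssh"}   # assumed port -> application map

def signature_hits(flows):
    """Fast, low-false-positive stage: only catches what is already on a list."""
    hits = []
    for f in flows:
        if f["dst"] in KNOWN_BAD_IPS:
            hits.append((f["ts"], "ioc-ip", f"{f['src']} -> {f['dst']}"))
        expected = EXPECTED_APP.get(f["dport"])
        if expected and f["app"] != expected:
            hits.append((f["ts"], "port-app-mismatch", f"{f['app']} on {f['dport']}/tcp"))
    return hits

def likelihood(z, midpoint=3.0):
    """Logistic curve: 0.5 at `midpoint` standard deviations, near 1 well beyond it."""
    return 1.0 / (1.0 + math.exp(-(z - midpoint)))

def bytes_per_window(flows, window_s=60):
    totals = defaultdict(int)
    for f in flows:
        totals[int(f["ts"] // window_s)] += f["bytes"]
    return sorted(totals.items())

class BaselineDetector:
    """Anomaly stage: learn mean/std of a metric, then score deviations."""
    def __init__(self, baseline_values, threshold=0.9):
        self.mean = statistics.mean(baseline_values)
        self.std = statistics.pstdev(baseline_values) or 1.0
        self.threshold = threshold

    def score(self, value):
        return likelihood((value - self.mean) / self.std)

    def anomalies(self, windows):
        return [(w, round(self.score(v), 3)) for w, v in windows
                if self.score(v) >= self.threshold]

# Constructed baseline: 60 one-minute windows of roughly 1 MB outbound each.
BASELINE_FLOWS = [{"ts": 60 * i, "src": "10.0.0.5", "dst": "198.51.100.10", "dport": 443,
                   "app": "tls", "bytes": 1_000_000 + (i % 7 - 3) * 10_000} for i in range(60)]
# Constructed observation: normal traffic, one contact with a listed IP,
# one SSH session on 443, and one window with a 1.5 MB transfer.
OBSERVED_FLOWS = [
    {"ts": 5,   "src": "10.0.0.5", "dst": "198.51.100.10", "dport": 443, "app": "tls", "bytes": 1_010_000},
    {"ts": 70,  "src": "10.0.0.9", "dst": "203.0.113.66",  "dport": 443, "app": "tls", "bytes": 4_000},
    {"ts": 80,  "src": "10.0.0.5", "dst": "198.51.100.10", "dport": 443, "app": "tls", "bytes": 990_000},
    {"ts": 130, "src": "10.0.0.7", "dst": "198.51.100.20", "dport": 443, "app": "ssh", "bytes": 1_500_000},
]

def detect(observed, baseline=BASELINE_FLOWS, threshold=0.9):
    """Run both stages; the anomaly stage learns from `baseline` first."""
    detector = BaselineDetector([b for _, b in bytes_per_window(baseline)], threshold)
    return {
        "signature": signature_hits(observed),
        "anomaly": detector.anomalies(bytes_per_window(observed)),
    }

if __name__ == "__main__":
    for stage, alerts in detect(OBSERVED_FLOWS).items():
        print(stage, alerts)
```

The signature stage flags the listed IP and the SSH-on-443 flow immediately; the anomaly stage ignores both (their byte counts are ordinary) but flags window 2, whose 1.5 MB total sits about 25 standard deviations above the baseline. Raising `threshold` trades fewer false positives for missed subtle deviations, which is the tuning decision the section describes.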