Botnets - The killer web applications

www.syngress.com
156
Chapter 5 • Botnet Detection: Tools and Techniques
427_Botnet_05.qxd 1/9/07 9:59 AM Page 156


traffic on local networks can be a major indication and source of data on bot infestation within your own perimeter.

A HIDS focuses on individual systems. That doesn’t mean each host runs its own HIDS application, of course: You would generally administer an enterprise-class system centrally, though it might engage with agent software on the local host. Rather, it means that the HIDS monitors activity (inappropriate application activity, suspicious file or service accesses) on a protected system, or the state of the system (configuration, system file status). It can pick up evidence of breaches that have evaded outward-facing NIDS and firewall systems or have been introduced by other means, such as:

• Attacks from peer machines on an internal network
• Direct tampering from internal users
• Introduction of malicious code from removable media

Anomaly detection is closely related to what in the antivirus community is often referred to as “generic” detection—that is, measures that protect against classes of threat rather than specific, identified threats. Tripwire, reviewed later in this chapter, is a good example of this approach: If Tripwire tells you that a system file has been modified, that doesn’t, in itself, tell you what did the modifying (or even whether it was malicious), but it does give you early warning that you might have been hit by something malicious. Another example is an e-mail filter that blocks all executable attachments.

In IDS, the intention is to develop a baseline view of what constitutes “normal” behavior or activity in that environment. Often, that baseline will develop over time. This enables the administrator to:

• Develop a greater understanding of how activity varies over the long haul.
• Accommodate changes in the “threatscape,” as older exploits decline in impact and newer exploits and techniques come along.

Once you’ve established a baseline, activity that deviates from that norm is flagged as potentially malicious—spikes in traffic from or to particular IPs or the unusually heavy use of particular services, for example. In the particular context of botnet detection, you might be particularly wary of traffic that
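As an added illustration of the baseline-and-deviation approach described above (example code written for this page, not code from the book or from any tool it reviews): it learns per-host outbound connection volumes from a quiet period, flags hosts whose daily count deviates sharply from their own norm or that have no baseline at all, and rolls the baseline forward with unflagged observations so that it develops over time. The host addresses, counts and flow records are constructed.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed learning-period data: outbound connections per internal host on
# each of seven quiet days (sample values, not measurements from the book).
HISTORY = {
    "10.0.0.5": [120, 131, 118, 125, 140, 122, 128],
    "10.0.0.9": [40, 45, 38, 42, 41, 44, 39],
    "10.0.0.22": [300, 310, 295, 305, 320, 298, 302],
}

# Constructed flow records for the day under review: one host has jumped to
# many times its usual volume, and a host unseen during learning appears.
TODAY = (["src=10.0.0.5 dst=203.0.113.7 dport=6667"] * 900
         + ["src=10.0.0.9 dst=198.51.100.4 dport=443"] * 43
         + ["src=10.0.0.22 dst=198.51.100.4 dport=443"] * 301
         + ["src=10.0.0.77 dst=203.0.113.7 dport=6667"] * 12)

def build_baseline(history):
    """Per-host mean and standard deviation of the daily counts."""
    return {h: (mean(c), pstdev(c)) for h, c in history.items()}

def count_sources(records):
    """Parse 'key=value' flow records and count connections per source IP."""
    counts = Counter()
    for rec in records:
        fields = dict(f.split("=", 1) for f in rec.split())
        counts[fields["src"]] += 1
    return counts

def find_anomalies(baseline, counts, k=3.0):
    """Flag hosts more than k standard deviations above their own mean, and
    hosts with no baseline at all (the baseline cannot vouch for them)."""
    findings = {}
    for host, n in counts.items():
        if host not in baseline:
            findings[host] = "no baseline"
            continue
        mu, sigma = baseline[host]
        z = (n - mu) / sigma if sigma else (0.0 if n == mu else float("inf"))
        if z > k:
            findings[host] = f"{n} connections, z={z:.1f}"
    return findings

def refresh_baseline(history, counts, findings, window=7):
    """Roll the learning window forward with today's counts for unflagged
    hosts, so the baseline tracks slow change without learning an outbreak."""
    for host, n in counts.items():
        if host not in findings:
            history.setdefault(host, []).append(n)
            del history[host][:-window]
    return build_baseline(history)

if __name__ == "__main__":
    print(find_anomalies(build_baseline(HISTORY), count_sources(TODAY)))
```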