Word document 1: 1 page essay

Instructions: Use examples from the readings, or from your own research, to support your views, as appropriate. You are encouraged to conduct research and use other sources to support your answers. Be sure to list your references at the end. References must be in APA citation format. A minimum of 250-300 words.

Question: Network activity can be classified as normal, suspicious, or malicious. How is network activity differentiated? Provide examples.

Number of Pages: 1 Page
Line Spacing: Double spaced (Default)
Academic Level: College
Paper Format: APA

Word document 2

Instructions: Add additional insight or opinions, or challenge opinions. You can also visit a couple of the web sites contributed and share your opinion of these sites. Minimum of 150 words for each.

Part 1 (respond in 150 words)

1) In order to analyze traffic, an NSM needs to be able to tell the difference between one network activity and another so that it can detect an intrusion. Using a level of normalcy of activity allows the NSM to recognize the difference in traffic that does not fit the normal pattern (Bejtlich, 2004). Normal activity is what the analyst would look for without being concerned. Suspicious network activity draws the attention of the analyst, who then takes the time to examine the data before assuming it is malicious, but is sure it is obviously not normal. An analysis engine is the component of an IDS that examines the collected network traffic and compares it to known patterns of suspicious or malicious activity. An example of suspicious network activity is a bunch of failed attempts to log in with a password, making it appear that the user does not know the password to log in. Another example of suspicious activity would include the use of a honeypot, where the traffic is unsolicited (Freire, 2007, p. 287). A suspicious activity allows the analyst to either create a fix for the threat or to update the vulnerability (Intrusion Detection, n.d.). Malicious network activity includes buffer overflows, viruses, worms, botnets, and those which consume resources by bombarding the network with traffic, such as spam, DoS and DDoS. When compared to normal activity, malicious activity differs from the regular activity and, without a doubt, is not merely suspicious.

Part 2 (respond in 150 words)

2) Network activity can be classified as normal, suspicious, or malicious. Normal network activity is also classified as anomalous (UCVTS, n.d.). Any activity outside of the anomalous categorization is considered either suspicious or malicious (UCVTS, n.d.). For an intrusion detection system (IDS), rules must be created to determine what anomalous activity looks like (UCVTS, n.d.). An IDS can inaccurately report anomalous traffic with a false negative (UCVTS, n.d.). This occurs when it does not send an alert for something suspicious or malicious when it is in fact either of the two (UCVTS, n.d.). An example of anomalous network activity would be if a user connects to FTP on a single system (UCVTS, n.d.). Suspicious activity is activity not categorized as anomalous but not yet malicious, as it must first be corroborated before that determination is made. Malicious activity is presented when something pops up that is abnormal or an alert is received, and it occurs when there has been a compromise of a server's security or by a user who has access to the server (Bejtlich, 2000). Malicious activity involves port scanning, malicious HTTP GET/POST requests, and unauthorized brute force attacks against a server (Limestone, n.d.). The goal of port scanning is to locate a port so that it can then be exploited (Limestone, n.d.). Malicious HTTP GET/POST requests occur in order to exploit a software vulnerability (Limestone, n.d.). Brute force attacks are directed toward SSH and RDP services to gain access (Limestone, n.d.). For an IDS, accurate classification of normal, suspicious, and malicious activity events is necessary in preventing analysts from wasting their time.
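As an added illustration that is not part of the assignment text or of either student post, the script below shows how an IDS analysis engine can sort traffic into the three classes both posts describe: a handful of failed logins or an unsolicited contact with a honeypot is flagged suspicious for an analyst to review, while a sustained run of failures against SSH/RDP (brute force) or one source touching many ports on one host (port scan) is flagged malicious. The flow-record format, the sample records, the honeypot address and the thresholds are all constructed assumptions for this example, not values from any real tool or from the cited readings.

```python
"""Toy rule-based classifier: normal / suspicious / malicious.

Added example (not from the assignment or the student posts). It assumes a
constructed, simplified flow record (src_ip, dst_ip, dst_port, event) and
hard-coded thresholds; both are illustrative choices, not a real IDS format.
"""
from collections import Counter, defaultdict

# Thresholds are assumptions for the demo. Set too high they produce false
# negatives (real attacks never alert); set too low they bury the analyst.
SUSPICIOUS_FAILS = 3          # a few failed logins: examine before assuming the worst
MALICIOUS_FAILS = 20          # sustained failures against a login service: brute force
SCAN_DISTINCT_PORTS = 15      # one source probing many ports on one host: port scan
BRUTE_FORCE_PORTS = {22, 3389}  # SSH and RDP, the services named in the post

# Constructed honeypot address: legitimate hosts never have a reason to talk to it.
HONEYPOTS = frozenset({"10.0.0.99"})


def build_sample_log():
    """Constructed flow records (src, dst, dst_port, event) for the demo."""
    log = [("10.0.0.5", "10.0.0.20", 443, "tls_ok")] * 5            # ordinary web traffic
    log += [("10.0.0.7", "10.0.0.21", 22, "auth_fail")] * 4          # user fumbling a password
    log += [("10.0.0.7", "10.0.0.21", 22, "auth_ok")]                # ...then getting it right
    log += [("203.0.113.9", "10.0.0.21", 22, "auth_fail")] * 40      # SSH brute force
    log += [("203.0.113.9", "10.0.0.22", p, "syn") for p in range(1, 41)]  # port scan
    log += [("10.0.0.8", "10.0.0.99", 80, "http_get")]               # unsolicited honeypot hit
    return log


def classify(log, honeypots=HONEYPOTS):
    """Return {(src, dst): (label, reason)} for every src/dst pair seen in the log."""
    fails = Counter()                 # (src, dst, port) -> failed-login count
    ports = defaultdict(set)          # (src, dst) -> distinct destination ports touched
    for src, dst, port, event in log:
        ports[(src, dst)].add(port)
        if event == "auth_fail":
            fails[(src, dst, port)] += 1

    verdicts = {}
    for pair in sorted(ports):
        src, dst = pair
        label, reason = "normal", "matches the expected traffic pattern"
        if dst in honeypots:
            label, reason = "suspicious", "unsolicited traffic to a honeypot"
        n_ports = len(ports[pair])
        if n_ports >= SCAN_DISTINCT_PORTS:
            label, reason = "malicious", f"port scan: {n_ports} distinct ports on one host"
        for port in sorted(ports[pair]):
            n = fails[(src, dst, port)]
            if n >= MALICIOUS_FAILS and port in BRUTE_FORCE_PORTS:
                label, reason = "malicious", f"brute force: {n} failed logins on port {port}"
                break
            if n >= SUSPICIOUS_FAILS and label != "malicious":
                label, reason = "suspicious", f"{n} failed logins on port {port}; analyst review"
        verdicts[pair] = (label, reason)
    return verdicts


def summarize(log):
    """Count how many src/dst pairs fall into each class."""
    return Counter(label for label, _ in classify(log).values())


if __name__ == "__main__":
    for (src, dst), (label, reason) in classify(build_sample_log()).items():
        print(f"{src:>12} -> {dst:<12} {label:<10} {reason}")
    print(dict(summarize(build_sample_log())))
```

The point of the two-tier thresholds is the one both posts make: a suspicious verdict routes traffic to a human for corroboration, while only patterns that clearly cannot be normal (a forty-port sweep, forty failed SSH logins from one address) are labelled malicious outright, so the analyst's time goes where it matters.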