Understanding Anomaly Detection
Sensors and agents detect abnormal behavior in network traffic, identify risky endpoints, and block them according to policies.
It detects abnormal behaviors such as ARP Bomb, MAC+IP Clone, ARP Spoofing, Ad Hoc networks, and more.
To detect the above risky behaviors, risk detection items must be assigned to node policies.
ARP Bomb
When the Network Sensor monitors ARP and detects a device generating excessive ARP packets, that node is classified as a risky node. An attacking node continuously sends ARP Request packets to the target node, rapidly filling the target's ARP cache. The target then spends more and more resources maintaining the cache, which can lead to a buffer overflow, and legitimate entries can no longer be added to the cache.
Genian NAC can detect excessive ARP Request packets transmitted in various ways. The Network Sensor calculates the number of ARP packets sent by each node. If the number of ARP Requests exceeds the specified value, it is considered an ARP Bomb and designated as a risky node.
- Detection Period: Sets the period for risk detection.
- Request Count: Sets the number of ARP Requests. If the number of ARP Requests exceeds the specified count during the detection period, it is detected as a risk.
- Attacker Search Method: Selects the method for finding nodes that send excessive ARP packets.
MAC/IP Clone
The IP protocol uses IP and MAC addresses to identify communication targets. Since the protocol has no verification procedure for these addresses, they can easily be stolen. If a malicious endpoint clones a MAC/IP pair, it is very difficult to distinguish the legitimate system from the impersonating system at the packet level.
However, Genian NAC can detect MAC/IP theft in various ways. The Network Sensor periodically sends ARP Requests to check the operational status of devices. If two responses are received simultaneously, MAC/IP Clone is suspected and designated as a risky node. Additionally, if a malicious endpoint changes its MAC to that of an endpoint with an agent installed, the attacking endpoint is immediately designated as a risky node.
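The probe-based check described above, as an added example in Python that is not Genian NAC's code: the sensor sends one ARP Request per target, and any probe that draws more than one reply is treated as a suspected clone. The reply records and addresses are constructed; whether the duplicate replies share one MAC or come from different MACs is reported as an extra hint that the page itself does not spell out.

```python
from collections import defaultdict

# Constructed replies to the sensor's periodic ARP probes, one tuple per
# reply: (probe_id, target_ip, sender_mac). Not real sensor output.
SAMPLE_REPLIES = [
    (1, "10.0.0.10", "aa:bb:cc:00:00:10"),
    (2, "10.0.0.20", "aa:bb:cc:00:00:20"),
    (2, "10.0.0.20", "aa:bb:cc:00:00:20"),   # second answer, same MAC
    (3, "10.0.0.30", "aa:bb:cc:00:00:30"),
    (3, "10.0.0.30", "de:ad:be:ef:00:30"),   # second answer, different MAC
]

def find_clone_suspects(replies):
    """Return {target_ip: info} for every probe answered more than once."""
    by_probe = defaultdict(list)
    for probe_id, ip, sender_mac in replies:
        by_probe[(probe_id, ip)].append(sender_mac)
    suspects = {}
    for (_, ip), macs in by_probe.items():
        if len(macs) < 2:
            continue                 # a single reply is the normal case
        distinct = sorted(set(macs))
        # Two stations answering with one MAC: the MAC itself is duplicated.
        # Two MACs claiming one IP: the IP is duplicated (IP conflict/clone).
        kind = "mac_clone" if len(distinct) == 1 else "ip_clone"
        suspects[ip] = {"replies": len(macs), "macs": distinct, "kind": kind}
    return suspects
```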
Malware Detection
Malicious PE (Portable Executable) files present on endpoints can be detected through the agent.
Ad Hoc Network Connection
Client-to-client communication detection (Agent required)
The agent can immediately detect multi-homed configurations or Ad Hoc network connections performed in various ways. If a computer with two or more IP addresses is connected to two or more networks, and one of them is untrusted, it is designated as a risky node. This can be performed not only with agent control options but also with interface control in Node Action.
- Blocking Method: Device Blocking or Audit Log
- Use Blocking Popup: Yes or No
- Exception Device Name: Specify devices to be excluded from risk detection (Specifying Interface Type Exception is more efficient as device names must match exactly.)
- Exception Device Type: Wired, Wireless, Virtual
Port Scan
Genian NAC can detect port scans performed in various ways. It detects endpoints attempting to scan TCP or UDP ports by using honeypot IPs. The Network Sensor monitors the flow of network traffic to detect port scan events: if a port scan is attempted against a virtual (honeypot) IP address to look for vulnerabilities, that node is designated as a risky node. Additionally, if ports are scanned more than a specified number of times within a certain period, the node is designated as a risky node.
- Detection Period: Sets the period for risk detection.
- Request Count: Sets the number of port accesses. If the number of port accesses exceeds the specified count during the detection period, it is detected as a risk.
- Attacker Search Method: Selects the method for finding attacker nodes during risk detection.
Detecting Abnormal DHCP Server
Abnormal DHCP servers can be detected by comparing whether the DNS values distributed by the DHCP server match the DNS set on the sensor.
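The comparison described above, as an added example in Python that is not Genian NAC's code: the DHCP options field of an Offer is parsed, the DNS server list (option 6) is extracted and compared with the DNS set configured on the sensor. The sensor DNS values and the two Offer payloads are constructed for the example.

```python
# DNS servers configured on the sensor (constructed value for this example).
SENSOR_DNS = {"10.0.0.53", "10.0.1.53"}
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field

def parse_dhcp_options(payload):
    """Parse a DHCP options field into {code: raw bytes}, honouring the
    pad (0) and end (255) options from RFC 2132 and stopping on truncation."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("not a DHCP options field")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == 0:                  # pad: single byte, no length
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):   # end marker or truncated
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def offered_dns_servers(payload):
    """Option 6 carries one or more 4-byte DNS server addresses."""
    raw = parse_dhcp_options(payload).get(6, b"")
    return {".".join(str(b) for b in raw[j:j + 4])
            for j in range(0, len(raw) - len(raw) % 4, 4)}

def is_abnormal_dhcp_offer(payload, sensor_dns=SENSOR_DNS):
    """An Offer is abnormal when its DNS list does not match the sensor's."""
    return offered_dns_servers(payload) != set(sensor_dns)

def build_offer_options(dns_ips):
    """Constructed options field: message type 53 (2 = DHCPOFFER), option 6, end."""
    dns_bytes = b"".join(bytes(int(o) for o in ip.split(".")) for ip in dns_ips)
    return (DHCP_MAGIC + bytes([53, 1, 2]) + bytes([6, len(dns_bytes)])
            + dns_bytes + b"\xff")

GOOD_OFFER = build_offer_options(["10.0.0.53", "10.0.1.53"])
ROGUE_OFFER = build_offer_options(["203.0.113.9"])   # unknown DNS from a rogue server
```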
Using Invalid Gateway
The agent can immediately detect unauthorized gateway settings. If an untrusted gateway address (or default gateway) is configured on a node, that node is designated as a risky node. This can be performed not only with agent control options but also with interface control in Node Action.
- Blocking Method: Device Blocking or Audit Log
- Use Blocking Popup: Yes or No
- Exception Device Name: Specify devices to be excluded from risk detection (Specifying Interface Type Exception is more accurate as device names must match exactly.)
- Exception Device Type: Wired, Wireless, Virtual
Sensor MAC Clone
Detects if the sensor's MAC address has been cloned. (No configuration required)
ARP Spoofing
Genian NAC can detect ARP spoofing packets in various ways. The Network Sensor receives ARP responses on the network and checks for changes or discrepancies between the ARP sender MAC address and the Ethernet source MAC address. Additionally, it blocks the device that attempted spoofing and restores the correct MAC via ARP Detox.
- Detection Period: Sets the period for risk detection.
- Attack Count: Sets the number of ARP spoofing packets. If more than the specified number of ARP spoofing packets are sent during the detection period, it is detected as a risk.
ARP Enforcement is a technique that uses ARP to block the communication of network devices, whereas ARP Spoofing is primarily carried out by malware and is also used to eavesdrop on communication between other endpoints.

.. note:: When using VRRP (Virtual Router Redundancy Protocol), the ARP Sender MAC address may differ from the actual MAC address (Ethernet source MAC address). Genian NAC provides exceptions for known protocols such as VRRP, HSRP, and GLBP so that they are not detected as spoofing.
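The two ARP reply checks described above (ARP sender MAC differing from the Ethernet source MAC, and an already-known IP suddenly claimed by another MAC), counted against a detection period and attack count and with the virtual-router exceptions from the note, as an added example in Python that is not Genian NAC's code. The reply records and the period/count values are constructed; the VRRP, HSRP v1 and GLBP virtual MAC prefixes are the well-known ones.

```python
from collections import defaultdict, deque

# Virtual-router MAC prefixes that legitimately differ from the Ethernet source
# MAC: VRRP (00:00:5e:00:01), HSRP v1 (00:00:0c:07:ac) and GLBP (00:07:b4:00).
VIRTUAL_ROUTER_PREFIXES = ("00:00:5e:00:01", "00:00:0c:07:ac", "00:07:b4:00")

def is_virtual_router_mac(mac):
    return mac.lower().startswith(VIRTUAL_ROUTER_PREFIXES)

class ArpSpoofDetector:
    """Counts suspicious ARP replies per sending station within a detection
    period; the station becomes risky once the count exceeds attack_count."""
    def __init__(self, detection_period, attack_count):
        self.period, self.limit = detection_period, attack_count
        self.bindings = {}                  # ip -> sender MAC first learned
        self.events = defaultdict(deque)    # ether_src -> suspicious timestamps
        self.risky = set()

    def observe(self, ts, ether_src, sender_ip, sender_mac):
        # Discrepancy: ARP sender MAC differs from the frame's source MAC
        # (exempt for VRRP/HSRP/GLBP virtual MACs).
        suspicious = sender_mac != ether_src and not is_virtual_router_mac(sender_mac)
        # Change: an IP already bound to one MAC is now claimed by another.
        known = self.bindings.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            suspicious = True
        if not suspicious:
            return False
        q = self.events[ether_src]
        q.append(ts)
        while q and ts - q[0] > self.period:   # forget events outside the period
            q.popleft()
        if len(q) > self.limit:
            self.risky.add(ether_src)
        return ether_src in self.risky

# Constructed ARP replies seen by the sensor: (ts, ether_src, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (0, "aa:bb:cc:00:00:01", "10.0.0.1", "aa:bb:cc:00:00:01"),    # gateway, legitimate
    (1, "aa:bb:cc:00:00:fe", "10.0.0.254", "00:00:5e:00:01:05"),  # VRRP, exempt
    (2, "de:ad:be:ef:00:01", "10.0.0.1", "de:ad:be:ef:00:01"),    # claims gateway IP
    (3, "de:ad:be:ef:00:01", "10.0.0.1", "de:ad:be:ef:00:01"),
    (4, "de:ad:be:ef:00:01", "10.0.0.1", "de:ad:be:ef:00:01"),
]

def run_sample(detection_period=10, attack_count=2):
    det = ArpSpoofDetector(detection_period, attack_count)
    flags = [det.observe(*reply) for reply in SAMPLE_ARP_REPLIES]
    return flags, sorted(det.risky)
```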
Unknown Service Request
Genian NAC can detect, in various ways, attempts to request services that are not provided. The Network Sensor detects such service requests using a virtual honeypot. If requests for unprovided services are detected against a virtual IP address, and more than the specified number of services are requested within a certain period, the requesting node is designated as a risky node.
- Detection Period: Sets the detection period for risk detection.
- Request Count: Detects as a risk if more than the specified number of service requests occur during the detection period.
- Attacker Search Method: Selects the method for finding attacker nodes.
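The Detection Period / Request Count logic shared by the ARP Bomb, Port Scan and Unknown Service Request items above, as an added example in Python that is not Genian NAC's code: one sliding-window counter per offender is fed with ARP Requests (ARP Bomb) and with TCP/UDP requests aimed at honeypot IPs (Port Scan, Unknown Service Request), and the offender key is chosen by MAC or IP in the spirit of the Attacker Search Method. The honeypot addresses, packet records and thresholds are constructed.

```python
from collections import defaultdict, deque

class WindowCounter:
    """Per-key event counter over a sliding detection period (seconds)."""
    def __init__(self, detection_period, request_count):
        self.period, self.limit = detection_period, request_count
        self.hits = defaultdict(deque)

    def add(self, key, ts):
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.period:   # forget hits outside the period
            q.popleft()
        return len(q) > self.limit              # True once the count is exceeded

# Honeypot (virtual) IPs the sensor answers for; no real host uses them (constructed).
HONEYPOT_IPS = {"10.0.0.200", "10.0.0.201"}

def detect(packets, period=5, arp_limit=3, scan_limit=3, search_by="mac"):
    """packets: (ts, src_mac, src_ip, proto, dst_ip, dst_port), proto being
    'arp-request', 'tcp' or 'udp'. search_by plays the Attacker Search Method
    role: offenders are keyed by 'mac' or by 'ip'."""
    arp_bomb = WindowCounter(period, arp_limit)
    honeypot = WindowCounter(period, scan_limit)
    risky = {"arp_bomb": set(), "port_scan": set()}
    for ts, src_mac, src_ip, proto, dst_ip, dst_port in packets:
        key = src_mac if search_by == "mac" else src_ip
        if proto == "arp-request":
            if arp_bomb.add(key, ts):
                risky["arp_bomb"].add(key)
        elif dst_ip in HONEYPOT_IPS:
            # Any TCP/UDP request to a honeypot IP asks for a service nobody
            # provides; a burst of them within the period counts as a scan.
            if honeypot.add(key, ts):
                risky["port_scan"].add(key)
    return risky

# Constructed packet records, not sensor output.
SAMPLE_PACKETS = [
    (0.0, "aa:bb:cc:00:00:10", "10.0.0.10", "arp-request", "10.0.0.1", None),
    (1.0, "de:ad:be:ef:00:01", "10.0.0.66", "tcp", "10.0.0.200", 22),
    (1.1, "de:ad:be:ef:00:01", "10.0.0.66", "tcp", "10.0.0.200", 80),
    (1.2, "de:ad:be:ef:00:01", "10.0.0.66", "tcp", "10.0.0.201", 445),
    (1.3, "de:ad:be:ef:00:01", "10.0.0.66", "udp", "10.0.0.201", 161),
    (2.0, "de:ad:be:ef:00:02", "10.0.0.67", "arp-request", "10.0.0.3", None),
    (2.1, "de:ad:be:ef:00:02", "10.0.0.67", "arp-request", "10.0.0.4", None),
    (2.2, "de:ad:be:ef:00:02", "10.0.0.67", "arp-request", "10.0.0.5", None),
    (2.3, "de:ad:be:ef:00:02", "10.0.0.67", "arp-request", "10.0.0.6", None),
    (9.0, "de:ad:be:ef:00:02", "10.0.0.67", "arp-request", "10.0.0.7", None),
]
```

The last ARP Request at t=9.0 falls outside the 5-second window and is counted alone, which is why raising the ARP limit to 4 clears the ARP Bomb verdict entirely.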
SNMP Blocking Request
Through SNMP Trap integration with external systems, Genian NAC can receive network control and control release requests and designate the corresponding endpoint as a risky node. Additionally, endpoints from which SNMP Traps were received can be controlled through the tag assignment function.
Please refer to Assigning Tags upon Log Occurrence for the tag assignment function.