Understanding Anomaly Detection

The Network Sensor listens for abnormalities in network traffic, identifies endpoints that exhibit an Anomaly, and blocks them according to your access policies. You can configure Anomaly Definitions to detect abnormal network traffic such as Ad hoc Network, ARP Bomb, Spoofed ARP, MAC+IP Clones, and more.

For an anomaly to be detected, anomaly definitions must be assigned to node policies.

ARP Bomb

While monitoring ARP, the network sensor detects a device that generates excessive ARP packets and designates it as a critical Node. This detects abnormal ARP behavior and prevents attempts to disable network access or to disable network access control. An attacker Node continually sends request packets to the target Node, causing its ARP cache to fill up quickly. The target Node soon spends more of its resources maintaining the cache, which may lead to a buffer overflow, and legitimate mappings may never be entered into the cache.

MAC+IP Clones

The IP protocol uses IP and MAC addresses to identify the destination of a communication. Since neither address is verified, they are easy to steal. If a malicious device on the network has cloned the MAC / IP of another device, it is very difficult to distinguish the legitimate system from the stolen one at the packet level.

However, Genian NAC can detect MAC / IP theft in several ways. The network sensor periodically sends an ARP request to check the operating status of each device. If two replies are received at the same time, a MAC / IP clone is suspected and the Node is designated as a critical Node. In addition, if a user changes the MAC on an endpoint where the Agent is installed and that MAC is already in use by another device, the device is designated as a critical Node.
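As an added illustration (not Genian NAC's own code), the two ARP-based checks described under ARP Bomb and MAC+IP Clones, run over a constructed set of ARP frames; the request-rate threshold, the time window and all addresses are assumptions:

```python
from collections import defaultdict

# Constructed ARP frames as a sensor might observe them over a short window
# (timestamp_seconds, operation, sender_mac, sender_ip, target_ip); not a real capture.
ARP_FRAMES = [
    (0.00, "request", "00:11:22:33:44:01", "10.0.0.1",  "10.0.0.50"),  # sensor probe
    (0.05, "reply",   "00:11:22:33:44:50", "10.0.0.50", "10.0.0.1"),   # legitimate host
    (0.05, "reply",   "de:ad:be:ef:00:50", "10.0.0.50", "10.0.0.1"),   # second reply: clone
    (0.10, "request", "00:11:22:33:44:01", "10.0.0.1",  "10.0.0.51"),  # sensor probe
    (0.15, "reply",   "00:11:22:33:44:51", "10.0.0.51", "10.0.0.1"),   # single reply: normal
    (0.20, "request", "00:11:22:33:44:51", "10.0.0.51", "10.0.0.1"),   # normal host lookup
]
# One host emitting 60 ARP requests within 0.6 s (constructed flood).
ARP_FRAMES += [
    (1.0 + i * 0.01, "request", "ca:fe:00:00:00:99", "10.0.0.99", f"10.0.0.{i % 254 + 1}")
    for i in range(60)
]

def detect_mac_ip_clones(frames):
    """Return {ip: set_of_macs} for every IP that answered probes from more than
    one MAC, i.e. the 'two replies for one probe' condition described above."""
    macs_by_ip = defaultdict(set)
    for _ts, op, mac, ip, _target in frames:
        if op == "reply":
            macs_by_ip[ip].add(mac)
    return {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}

def detect_arp_bomb(frames, window=1.0, threshold=20):
    """Return sender MACs that issued more than `threshold` ARP requests inside any
    sliding `window` seconds (excessive ARP). Threshold and window are assumptions."""
    times_by_mac = defaultdict(list)
    for ts, op, mac, _ip, _target in frames:
        if op == "request":
            times_by_mac[mac].append(ts)
    flagged = set()
    for mac, times in times_by_mac.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(mac)
                break
    return flagged

if __name__ == "__main__":
    print("suspected MAC/IP clones:", detect_mac_ip_clones(ARP_FRAMES))
    print("ARP bomb sources:", detect_arp_bomb(ARP_FRAMES))
```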

In addition, Genian NAC provides industry-leading platform detection that recognizes when a Node changes to another platform, allowing administrators to see when such changes occur and to block devices when an unauthorized platform change is detected.

Multi-Homed / Ad hoc Network

Detects direct client-to-client communication (Agent required)

Port Scanning

Detects any device trying to scan TCP or UDP ports. Genian NAC uses a honeypot IP for detecting scanning devices.

Rogue DHCP Server Detection

The DNS server value handed out by a DHCP server together with the IP lease is compared with the DNS setting configured on the sensor; a mismatch indicates an unexpected DHCP server.

Rogue Gateway

Detects a Node having a rogue gateway configured (Agent required)

Sensor MAC Clones

Detects whether a Sensor MAC address is cloned (No configuration settings required)

Spoofed ARP

While ARP Enforcement is a technology used to block communication of network devices, ARP Spoofing is mainly used by malicious code to eavesdrop on the communication of other parties. Genian NAC inspects ARP packets through a network sensor to detect devices attempting spoofing.

In addition, it provides a function to block devices that attempted spoofing and to restore the correct MAC mapping through ARP cache detox.

Unauthorized Service Request

Detects requests for services that are not authorized.

SNMP Disabled

Genian NAC allows SNMP Trap interworking with external systems to receive network control and de-control requests and designate the device as a dangerous node. In addition, the tag assignment feature allows control to be applied to the device named in the received SNMP Trap.

Refer to Tagging Assets Using Event for the tag assignment function.