What is Network Defender Plus?
Many businesses fall victim to attackers in spite of deploying firewalls and intrusion detection systems (IDS). This is because both of these systems read packet headers and do signature matching, and are blind to advanced attacks such as DDoS and zero-day attacks. Today, businesses need advanced security analysis and protection measures that help them safeguard their networks and data centers against such sophisticated attacks. Network Defender Plus is flow-based network behavior anomaly detection (NBAD) software that analyzes packet flows to detect malicious traffic hitting the network. It applies advanced rules and patterns to the malicious traffic to identify whether it is an intrusion or an attack.
Network Defender Plus helps you:
- Monitor network security in real-time
- Monitor internal and external threats
- Classify threats into Bad Src-Dst, DDoS, Scan/Probe, and Suspect Flows problem classes
- Find anonymous traffic hitting your network
- Carry out detailed forensic investigation
Identify advanced attacks in real time
Network Defender Plus continuously analyzes packet flows using its Continuous Stream Mining Engine to find malicious traffic hitting your network. It does pattern matching, finds attacks, and classifies them under the appropriate problem classes, namely DDoS, Bad Src-Dst, Scan/Probe, and Suspect Flows.
View event details in-depth & carry out forensics
The event details view gives a thorough description of the problem. The details include problem name, offender IPs, target IPs, unique connections, port, protocol and much more. Clicking on the router name shows the mapped source and destination IPs along with the application, port, protocol, etc. Dials provide information on source and destination occupancy as well as span, to trace patterns based on how endpoints are distributed (dense) and the nature of the scan (host/port).
At-a-glance view of all events
The Event List dashboard gives a list of all events along with details such as problem name, offenders, target, hits, severity, and time of the attack. From this view, you can ignore certain events by specifying criteria. You can also mark trusted flows as harmless so that they are no longer taken into account.
Filter events and generate Reports
Generate reports for a specific time period to view suspicious flows, and set criteria to view the path of a flow and trace the exact location of the fault. Advanced reports make it easier and faster to analyze the generated data.
Problem Class
DDoS
DDoS is an attack that disrupts the services delivered by an enterprise by flooding it with junk traffic from multiple sources simultaneously. The most common form of this attack involves sending many communication requests to the router (target device) so that it fails to respond to legitimate requests. Network Defender Plus identifies such junk traffic hitting the network from unwanted sources and raises a DDoS event.
Bad Src-Dst
Some attacks are caused by bad source or destination IP addresses. Examples of Bad Src-Dst problems are an invalid source or destination IP, excess multicast flows from a source IP, excess broadcast traffic sent to a destination IP, and more. Network Defender Plus keeps tabs on all such malicious activity at the source and destination IPs and pinpoints such problems for immediate action.
Suspect Flows
If any field of a flow other than the source and destination looks suspicious, the flow is called a suspect flow. In this kind of attack either the packet size is abnormal (below the legitimate size of IP or TCP packets) or a wrong priority is set. Malformed IP and TCP packets and invalid ToS flows are examples of suspect flows. Malformed IP and TCP packets do not have the legitimate packet size (IP - 20 bytes and TCP - 40 bytes). Invalid ToS flows have invalid ToS values (other than 0-255). Network Defender Plus identifies such suspicious flows and raises an event.
Scan/Probe
A scan or probe is a technique used by attackers to scan a network to identify vulnerable systems so that they can get into the network and cause major problems. Attackers scan the network for systems running remote desktop services, open ports, network mapping, etc. They carry out such actions by sending ICMP sweeps, executing DNS commands, spoofing IP addresses, and other techniques. Network Defender Plus detects such scanning and probing activities and brings them to the notice of admins in real time.
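As an added illustration that is not Network Defender Plus code, the following toy classifier applies the four problem classes described above (DDoS, Bad Src-Dst, Suspect Flows, Scan/Probe) to constructed flow records. The Flow record layout, the thresholds and the helper names are assumptions made for the example; only the header minimums (IP 20 bytes, TCP 40 bytes) and the ToS range come from the page.

```python
# Added illustration, not product code: a toy flow-based classifier for the
# four problem classes described above, run over constructed flow records.
from collections import defaultdict, namedtuple
from ipaddress import ip_address

Flow = namedtuple("Flow", "src dst proto dport pkt_bytes tos")  # assumed record layout

MIN_PKT = {"tcp": 40, "ip": 20}                  # header minimums quoted on the page
SCAN_PORTS, DDOS_SRCS, MCAST_FLOWS = 10, 20, 5   # assumed thresholds, not product settings

def bad_addr(a):
    ip = ip_address(a)
    return ip.is_unspecified or ip.is_loopback or ip.is_reserved

def classify(flows):
    """Return {problem class: sorted event descriptions} for a batch of flows."""
    events, ports, srcs, mcast = defaultdict(set), defaultdict(set), defaultdict(set), defaultdict(int)
    for f in flows:
        if bad_addr(f.src) or bad_addr(f.dst):              # Bad Src-Dst: invalid address
            events["Bad Src-Dst"].add(f"invalid address {f.src}->{f.dst}")
        if ip_address(f.dst).is_multicast:                   # count multicast flows per source
            mcast[f.src] += 1
        if f.pkt_bytes < MIN_PKT["tcp" if f.proto == "tcp" else "ip"]:   # Suspect: malformed size
            events["Suspect Flows"].add(f"short packet {f.pkt_bytes}B {f.src}->{f.dst}")
        if not 0 <= f.tos <= 255:                                        # Suspect: invalid ToS
            events["Suspect Flows"].add(f"invalid ToS {f.tos} {f.src}->{f.dst}")
        ports[(f.src, f.dst)].add(f.dport)                   # distinct ports per src->dst pair
        srcs[f.dst].add(f.src)                               # distinct sources per target
    for (s, d), p in ports.items():
        if len(p) >= SCAN_PORTS:                             # Scan/Probe: many ports on one host
            events["Scan/Probe"].add(f"{s} probed {len(p)} ports on {d}")
    for d, s in srcs.items():
        if len(s) >= DDOS_SRCS:                              # DDoS: many sources hitting one target
            events["DDoS"].add(f"{len(s)} sources flooding {d}")
    for s, n in mcast.items():
        if n >= MCAST_FLOWS:                                 # Bad Src-Dst: excess multicast
            events["Bad Src-Dst"].add(f"{s} sent {n} multicast flows")
    return {k: sorted(v) for k, v in events.items()}

# Constructed sample flows, one group per problem class
SAMPLE = (
    [Flow("10.0.0.5", "10.0.0.9", "tcp", p, 60, 0) for p in range(1, 13)]           # port scan
    + [Flow(f"203.0.113.{i}", "10.0.0.1", "udp", 53, 512, 0) for i in range(1, 25)]  # flood
    + [Flow("10.0.0.7", "239.1.1.1", "udp", 5000, 200, 0)] * 6                       # excess multicast
    + [Flow("0.0.0.0", "10.0.0.2", "tcp", 80, 60, 0),                                 # invalid source
       Flow("10.0.0.3", "10.0.0.4", "tcp", 22, 28, 0),                                # short TCP packet
       Flow("10.0.0.3", "10.0.0.4", "udp", 53, 64, 300)]                              # invalid ToS
)
```

Calling classify(SAMPLE) yields one Scan/Probe event, one DDoS event, two Bad Src-Dst events and two Suspect Flows events, each naming the offender and target as the event list described above does.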