Additional Intrusion Detection methods

To detect intrusions, you can use the following additional methods:

• Detection of signs of falsified addresses in ARP packets (ARP spoofing).

  If ARP spoofing detection is enabled, Kaspersky Anti Targeted Attack Platform checks the addresses specified in ARP packets and detects indicators of low-level man-in-the-middle (MITM) attacks. This type of attack in networks that use the ARP protocol is indicated by fake ARP messages being found in the traffic.

  When indicators of ARP spoofing are detected, the application registers Intrusion Detection technology events. System event types are used for registration, which have the following codes:

  • 4000004001 for an event involving the detection of multiple ARP responses that are not associated with ARP requests
  • 4000004002 for an event involving the detection of multiple ARP requests from the same MAC address to different recipients.
• TCP Protocol Anomaly Detection.

  If TCP Protocol Anomaly Detection is enabled, Kaspersky Anti Targeted Attack Platform scans TCP segments of the data stream in supported application layer protocols.

  When Kaspersky Anti Targeted Attack Platform detects packets containing overlapping TCP segments with different content, it registers an Intrusion Detection technology event. Events are registered with system event type code 4000002701.

• IP Protocol Anomaly Detection.

  If IP protocol anomaly detection is enabled, Kaspersky Anti Targeted Attack Platform scans fragmented IP packets.

  When IP packet assembly errors are detected, the application registers Intrusion Detection technology events. System event types are used for registration, which have the following codes:

  • 4000005100 for an event involving the detection of a data conflict during IP packet assembly (IP fragment overlapped)
  • 4000005101 for an event involving the detection of an IP packet exceeding the maximum allowed size (IP fragment overrun)
  • 4000005102 for an event involving the detection of an IP packet with the initial fragment smaller than expected (IP fragment too small)
  • 4000005103 for an event involving the detection of mis-association of fragments of an IP packet (mis-associated fragments)
• Brute-force Attack and Scan Detection.

  When Brute-force Attack and Scan Detection is enabled, Kaspersky Anti Targeted Attack Platform examines network activity statistics to detect indicators of brute force attacks, denial of service attacks, scanning, network service spoofing, and other anomalies.

  This method uses built-in rules. When the rules are triggered, the application registers an Intrusion Detection technology event. Events are registered with system event type code 4000003002.

You can enable or disable methods. Additional Intrusion Detection methods can be applied regardless of whether Intrusion Detection rules exist or are enabled. Additional detection methods use built-in algorithms.

Page top