Network Monitoring

Network Activity

Bejtlich (2004) distinguishes three types of network activity from a monitoring perspective: normal, suspicious, and malicious. Taking effective action depends on the monitor's ability to correctly identify which type of activity is being observed and to develop a response from the tools and processes at the monitor's disposal. It might seem unnecessary to discuss normal activity, since the monitor needs to take no action when nothing but normal activity is occurring, but understanding normal activity is essential to the monitor's task (Bejtlich, 2004). Normal activity varies considerably from network to network: it may consist of steady streams of traffic in some settings, or of regular peaks punctuated by periods of very low activity in others. Defining what is normal for a particular setting is therefore a prerequisite for recognizing suspicious and malicious activity. Suspicious activity can be loosely defined as anything that does not appear normal, such as a peak in a setting that is normally steady, but whose nature is not yet known. Malicious activity is activity that deviates from normal and can be identified as having deliberately harmful effects on the network, or traffic that is intended to be harmful and masquerades as normal but can eventually be identified as abnormal. In both cases the deviation from normal is what makes identification possible, which is why establishing a baseline of normal activity is so important (Bejtlich, 2004).
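The following Python program is an added illustration of the baseline-and-deviation approach described above; it is not code from Bejtlich (2004) or from any monitoring product. It assumes a simplified flow summary in which each monitoring interval is reduced to the bytes sent and the set of destination addresses contacted; all records, including the documentation address 203.0.113.7 used as the unknown host, are constructed for the example. A training window taken to contain only normal activity yields the baseline (a volume band and the set of known peers). Each later interval is then labelled normal when it stays within that baseline, suspicious when it deviates but nothing further is known, and malicious when a low-volume contact to a never-seen host repeats at a fixed cadence, the beaconing case that "masquerades as normal" by volume but is eventually identified as abnormal.

```python
"""Baseline-and-deviation triage of network activity (added example).

Each record is one monitoring interval: (bytes_out, set of destination IPs).
All records are constructed; none come from a real capture.
"""
from statistics import mean, pstdev

# Constructed training window, assumed to contain only normal activity.
TRAINING = [
    (4800, {"10.0.0.5", "10.0.0.8"}),
    (5200, {"10.0.0.5", "10.0.0.8"}),
    (5000, {"10.0.0.5"}),
    (4900, {"10.0.0.8"}),
    (5100, {"10.0.0.5", "10.0.0.8"}),
    (5050, {"10.0.0.5"}),
    (4950, {"10.0.0.8"}),
    (5000, {"10.0.0.5", "10.0.0.8"}),
    (5150, {"10.0.0.5"}),
    (4850, {"10.0.0.8"}),
]

# Constructed observation window: one volume spike, and a low-volume contact
# to a host never seen in training (203.0.113.7, a documentation address)
# every second interval, which stays well inside the volume baseline.
OBSERVED = [
    (5020, {"10.0.0.5"}),
    (9500, {"10.0.0.5", "10.0.0.8"}),
    (5010, {"10.0.0.8", "203.0.113.7"}),
    (4990, {"10.0.0.5"}),
    (5030, {"10.0.0.5", "203.0.113.7"}),
    (4970, {"10.0.0.8"}),
    (5040, {"10.0.0.5", "203.0.113.7"}),
]


def build_baseline(training, k=3.0):
    """Summarise normal activity: a volume band (mean +/- k*stdev) and known peers."""
    volumes = [vol for vol, _ in training]
    known = set()
    for _, dests in training:
        known |= dests
    return {"mean": mean(volumes), "stdev": pstdev(volumes), "k": k, "known": known}


def classify(baseline, observed, min_repeats=3):
    """Label each interval normal / suspicious / malicious against the baseline.

    suspicious: deviates from the baseline (volume outside the band, or a
                destination never seen in training) but nothing more is known yet.
    malicious:  a previously unseen destination contacted at a fixed cadence at
                least min_repeats times (beaconing); by volume alone it looks normal.
    """
    sightings = {}  # unseen destination -> interval indices where it appeared
    labels = []
    for i, (vol, dests) in enumerate(observed):
        stdev = baseline["stdev"]
        z = (vol - baseline["mean"]) / stdev if stdev else 0.0
        unseen = dests - baseline["known"]
        beacon = False
        for dest in unseen:
            seen_at = sightings.setdefault(dest, [])
            seen_at.append(i)
            gaps = {b - a for a, b in zip(seen_at, seen_at[1:])}
            # Enough repeats with identical spacing: the contact is periodic.
            if len(seen_at) >= min_repeats and len(gaps) == 1:
                beacon = True
        if beacon:
            labels.append("malicious")
        elif abs(z) > baseline["k"] or unseen:
            labels.append("suspicious")
        else:
            labels.append("normal")
    return labels


if __name__ == "__main__":
    base = build_baseline(TRAINING)
    for (vol, dests), label in zip(OBSERVED, classify(base, OBSERVED)):
        print(f"{label:10s} bytes={vol:5d} dests={sorted(dests)}")
```

Run stand-alone, the program labels the 9,500-byte interval suspicious on volume alone, labels the first two contacts with 203.0.113.7 suspicious because the host is unknown but its intent is not, and only on the third equally spaced contact escalates to malicious. The thresholds (three standard deviations, three repeats) are arbitrary choices for the example; in practice they would be tuned to the baseline of the specific network, which is the point of the paragraph above.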

Attacks on Network Security Monitoring

