Ron Gula, of Dragon IDS and Tenable fame, has an interesting blog entry on monitoring large networks, looking for sudden surges in atypical network traffic destined for specific IPs or protocols.
Scenario: mobile malicious code compromises 150 hosts on your network. Those hosts are loaded with bot software. Bots need to talk to a command and control channel, and by observing these surges of bots connecting within a threshold of time... we can detect this anomalous pattern.
Ron has released code and screenshots on his research. Definitely worth checking out.
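As an added illustration of the surge pattern described above (example code written for this entry, not Ron's released tool), the following counts distinct internal hosts contacting the same destination and port inside a sliding time window and flags destinations that cross a threshold. The flow records, the 60-second window and the threshold of 5 hosts are constructed assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not real traffic): timestamp, src, dst, dport.
SAMPLE_FLOWS = """\
2006-08-05T10:00:01 10.0.1.12 203.0.113.7 6667
2006-08-05T10:00:03 10.0.1.19 203.0.113.7 6667
2006-08-05T10:00:04 10.0.1.12 203.0.113.7 6667
2006-08-05T10:00:07 10.0.2.5 203.0.113.7 6667
2006-08-05T10:00:09 10.0.3.44 203.0.113.7 6667
2006-08-05T10:00:10 10.0.1.8 198.51.100.20 80
2006-08-05T10:00:11 10.0.3.51 203.0.113.7 6667
2006-08-05T10:05:30 10.0.4.2 198.51.100.20 80
2006-08-05T10:09:00 10.0.4.9 198.51.100.20 80
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_surges(flows, window=timedelta(seconds=60), min_hosts=5):
    """Return {(dst, dport): distinct_src_count} for destinations contacted
    by at least `min_hosts` distinct internal sources within any interval
    of length `window`. A host that reconnects repeatedly is counted once,
    so one chatty client does not trigger the alert on its own."""
    by_dest = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        by_dest[(dst, dport)].append((ts, src))
    surges = {}
    for key, events in by_dest.items():
        start = 0  # left edge of the sliding window over time-ordered events
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {src for _, src in events[start:end + 1]}
            if len(distinct) >= min_hosts:
                surges[key] = max(surges.get(key, 0), len(distinct))
    return surges

if __name__ == "__main__":
    print(find_surges(parse_flows(SAMPLE_FLOWS)))
```

On the sample data the 6667/tcp destination is reached by five distinct hosts within ten seconds and is reported, while the web server seeing three hosts over nine minutes is not.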
Mike Poor mike <at> intelguardians.com
Aug 5th 2006