Additional Intrusion Detection methods

You can apply the following additional methods for Intrusion Detection:

• Detection of signs of falsified addresses in ARP packets (ARP spoofing).

  If detection of signs of falsified addresses in ARP packets is enabled, Kaspersky Industrial CyberSecurity for Networks scans the indicated addresses in ARP packets and detects signs of low-level man-in-the-middle (MITM) attacks. This type of attack in networks that use the ARP protocol is characterized by the presence of falsified ARP messages in traffic.

  When the application detects signs of falsified addresses in ARP packets, the application registers the events based on Intrusion Detection technology. Events are registered with system event types that are assigned the following codes:

  • 4000004001 – for detection of multiple ARP replies that are not associated with ARP requests.
  • 4000004002 – for detection of multiple ARP requests from the same MAC address to different destinations.
• TCP Protocol Anomaly Detection

  If TCP protocol anomaly detection is enabled, Kaspersky Industrial CyberSecurity for Networks scans TCP segments of the data stream in supported application-level protocols.

  When it detects packets containing overlapping TCP segments with varying contents, the application registers an event based on Intrusion Detection technology. The events are registered using the system event type that is assigned the code 4000002701.

• IP Protocol Anomaly Detection

  If IP protocol anomaly detection is enabled, Kaspersky Industrial CyberSecurity for Networks scans fragmented IP packets.

  When the application detects errors in the assembly of IP packets, it registers events for Intrusion Detection technology. Events are registered with system event types that are assigned the following codes:

  • 4000005100 for detection of a data conflict when assembling an IP packet (IP fragment overlapped).
  • 4000005101 for detection of an IP packet that exceeds the maximum permissible size (IP fragment overrun).
  • 4000005102 for detection of an IP packet whose initial fragment is smaller than expected (IP fragment too small).
  • 4000005103 for detection of mis-associated fragments of an IP packet.
• Brute-force Attack and Scan Detection

  If Brute-force Attack and Scan Detection is enabled, Kaspersky Industrial CyberSecurity for Networks analyzes network activity statistics to detect signs of brute-force attacks on account credentials, denial of service, scans, network service spoofing, and other anomalies.

  This method uses built-in rules. When rules are triggered, the application registers an event based on Intrusion Detection technology. The events are registered using the system event type that is assigned the code 4000003002.

You can enable and disable these methods. You can apply additional Intrusion Detection methods regardless of the availability and state of Intrusion Detection rules. Embedded algorithms are used for the additional scan methods.

Page top