You can apply the following additional methods for Intrusion Detection:
If detection of signs of falsified addresses in ARP packets is enabled, Kaspersky Industrial CyberSecurity for Networks checks the addresses specified in ARP packets and detects signs of low-level man-in-the-middle (MITM) attacks. In networks that use the ARP protocol, this type of attack is characterized by the presence of falsified ARP messages in traffic (for example, ARP replies that bind a legitimate host's IP address to the attacker's MAC address, so that the victim's ARP cache is poisoned and its traffic is routed through the attacker).
When the application detects signs of falsified addresses in ARP packets, it registers events based on Intrusion Detection technology. Events are registered with system event types that are assigned the following codes:
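The following is an added example of the kind of check that exposes the two most common signs of ARP cache poisoning: an ARP reply that no host requested, and an IP address that is suddenly announced with a different MAC address than the one previously learned for it. It is not code from Kaspersky Industrial CyberSecurity for Networks and does not reproduce its algorithm; the ArpMessage record, the ArpMonitor class and the sample trace (a client, a gateway and an attacker on a constructed 10.0.0.0/24 network) are assumptions made for illustration only.

```python
"""Added example: flag signs of ARP cache poisoning in a sequence of ARP messages.

Not KICS for Networks code. The message format, addresses and trace below are
constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class ArpMessage:
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class ArpMonitor:
    # IP -> MAC binding learned from the first ARP message seen for that IP
    bindings: dict = field(default_factory=dict)
    # IPs for which a request has been seen and no reply consumed yet
    pending_requests: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def observe(self, msg: ArpMessage) -> list:
        """Process one ARP message; return the alerts it raised (possibly none)."""
        new_alerts = []
        if msg.op == "request":
            self.pending_requests.add(msg.target_ip)
        elif msg.op == "reply":
            # Gratuitous ARP (sender IP == target IP) is legitimately unsolicited;
            # any other reply that nobody asked for is a classic poisoning sign.
            gratuitous = msg.sender_ip == msg.target_ip
            if not gratuitous and msg.sender_ip not in self.pending_requests:
                new_alerts.append(
                    f"unsolicited ARP reply for {msg.sender_ip} from {msg.sender_mac}")
            self.pending_requests.discard(msg.sender_ip)

        # Binding conflict: the same IP is now claimed by a different MAC.
        known = self.bindings.get(msg.sender_ip)
        if known is None:
            self.bindings[msg.sender_ip] = msg.sender_mac
        elif known != msg.sender_mac:
            new_alerts.append(
                f"IP {msg.sender_ip} changed from {known} to {msg.sender_mac}")

        self.alerts.extend(new_alerts)
        return new_alerts


def analyze(trace) -> list:
    """Run the monitor over a whole trace and return all alerts in order."""
    mon = ArpMonitor()
    for msg in trace:
        mon.observe(msg)
    return mon.alerts


# Constructed sample trace (assumption): a client asks for the gateway, the real
# gateway answers, then an attacker injects a reply claiming the gateway's IP.
CLIENT_MAC, GATEWAY_MAC, ATTACKER_MAC = "aa:aa:aa:aa:aa:10", "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:66"
SAMPLE_TRACE = [
    ArpMessage("request", CLIENT_MAC, "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1"),
    ArpMessage("reply", GATEWAY_MAC, "10.0.0.1", CLIENT_MAC, "10.0.0.10"),
    ArpMessage("reply", ATTACKER_MAC, "10.0.0.1", CLIENT_MAC, "10.0.0.10"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_TRACE):
        print("ALERT:", alert)
```

The third message produces two alerts (an unsolicited reply and a binding change for 10.0.0.1). In a real deployment the binding table would be seeded from the known asset inventory rather than learned from the first packet seen, so that an attacker who is already active when monitoring starts cannot pre-poison the "known" bindings.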
If TCP protocol anomaly detection is enabled, Kaspersky Industrial CyberSecurity for Networks scans TCP segments of the data stream in supported application-level protocols.
When it detects overlapping TCP segments whose contents differ, the application registers an event based on Intrusion Detection technology. The event is registered with the system event type that is assigned the code 4000002701. Overlapping segments with conflicting data are a known technique for evading inspection: different TCP stacks favor either the original or the later data for the overlapped bytes, so a sensor that reassembles the stream differently from the destination host can be made to see a different payload than the host does.
If IP protocol anomaly detection is enabled, Kaspersky Industrial CyberSecurity for Networks scans fragmented IP packets.
When the application detects errors in the reassembly of fragmented IP packets, it registers events based on Intrusion Detection technology. Events are registered with system event types that are assigned the following codes:
If Brute-force Attack and Scan Detection is enabled, Kaspersky Industrial CyberSecurity for Networks analyzes network activity statistics to detect signs of brute-force attacks on account credentials, denial of service, scans, network service spoofing, and other anomalies.
This method uses built-in rules. When a rule is triggered, the application registers an event based on Intrusion Detection technology. Events are registered with the system event type that is assigned the code 4000003002.
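Brute-force and scan detection works from activity statistics rather than from packet contents. The following added example shows the shape of two such statistical rules over a list of connection records: a source that touches an unusually large number of distinct destination:port pairs inside a time window (a scan), and a source that repeatedly connects to the same service inside the window (a sign of credential brute-forcing). It is not code from Kaspersky Industrial CyberSecurity for Networks and does not reproduce its built-in rules; the Flow record, the window and threshold values, and the sample traffic (a scanner, a brute-forcer and a benign client on a constructed network) are assumptions made for illustration.

```python
"""Added example: statistical scan and brute-force rules over connection records.

Not KICS for Networks code. The record format, thresholds and sample traffic are
constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Flow:
    ts: float   # seconds
    src: str
    dst: str
    dport: int


def analyze_flows(flows: List[Flow], window: float = 10.0,
                  scan_threshold: int = 20,
                  bruteforce_threshold: int = 15) -> List[Tuple[float, str, str, str]]:
    """Return (ts, kind, src, detail) events. Each rule fires when its sliding-window
    count first reaches the threshold, so one burst yields one event."""
    by_src = defaultdict(deque)      # src -> deque of (ts, (dst, dport))
    by_service = defaultdict(deque)  # (src, dst, dport) -> deque of ts
    events = []
    for f in sorted(flows, key=lambda x: x.ts):
        # Scan rule: distinct targets contacted by this source within the window.
        q = by_src[f.src]
        q.append((f.ts, (f.dst, f.dport)))
        while q and q[0][0] < f.ts - window:
            q.popleft()
        distinct = len({target for _, target in q})
        if distinct == scan_threshold:
            events.append((f.ts, "scan", f.src,
                           f"{distinct} distinct dst:port targets within {window}s"))

        # Brute-force rule: repeated connections to one service within the window.
        s = by_service[(f.src, f.dst, f.dport)]
        s.append(f.ts)
        while s and s[0] < f.ts - window:
            s.popleft()
        if len(s) == bruteforce_threshold:
            events.append((f.ts, "brute-force", f.src,
                           f"{len(s)} connections to {f.dst}:{f.dport} within {window}s"))
    return events


# Constructed sample traffic (assumption).
SAMPLE_FLOWS = (
    # 10.0.0.66 sweeps 25 ports on one host in 5 seconds
    [Flow(0.2 * i, "10.0.0.66", "10.0.0.20", 1 + i) for i in range(25)]
    # 10.0.0.77 hammers SSH on 10.0.0.30 sixteen times in 8 seconds
    + [Flow(1.0 + 0.5 * i, "10.0.0.77", "10.0.0.30", 22) for i in range(16)]
    # a benign client opening three services
    + [Flow(2.0, "10.0.0.10", "10.0.0.20", 80), Flow(3.0, "10.0.0.10", "10.0.0.20", 443),
       Flow(4.0, "10.0.0.10", "10.0.0.20", 502)]
)

if __name__ == "__main__":
    for ev in analyze_flows(SAMPLE_FLOWS):
        print(ev)
```

Thresholds like these are the part that needs tuning per network: an industrial segment with a polling master that legitimately talks to many devices on one port will need a larger scan threshold (or an allow list for the master) to avoid false positives, while the brute-force threshold should sit below what the target service's lockout policy, if any, would tolerate.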
You can enable and disable each of these methods. The additional Intrusion Detection methods can be applied regardless of whether Intrusion Detection rules are loaded or enabled, because the additional scan methods use embedded algorithms rather than rule sets.