IDS Report for April 07, 2003
A network intrusion detection system monitors the traffic on a network for
patterns associated with known malicious activity.
A Network Intrusion Detection System is one component of a corporate
security policy, used to maintain awareness of network activity,
identify potential causes for alarm, and limit the damage should an
attack actually occur.
Each section below provides intrusion detection details unique to this server,
generated automatically by the Guardian Digital Intrusion Detection System.
Information including the most severe types of attacks, the most frequent
types of attacks, and attacks by port number can be analyzed here.
Top 10 Source IP Attacks
Each time the system detects a potential attack, the IP address of the
originating host is recorded. The graph displays a breakdown of the
ten source IP addresses that the system recorded as most active.
Keep in mind that a source address can be spoofed (trivially so for UDP
and ICMP) or shared by many hosts behind a NAT device, so a high count
against one address is a starting point for investigation rather than
proof of who is responsible.
Top 10 Most Severe Attacks
The severity rating system established by Guardian Digital provides
a method to quickly identify the current threat as seen by the
intrusion detection system. Levels run from 5 (Low) to 1 (Extreme),
so a lower number indicates a more serious event.
This is one method that can be used to determine the level of risk,
and to decide on the best course of action for a particular class of attack.
Level 5: Low      - Everyday network incident activity
Level 4: Moderate - Heightened awareness
Level 3: Medium   - Potentially significant event
Level 2: High     - Known attack type
Level 1: Extreme  - Policy violations, attacks involving multiple systems, or other events of a very significant nature
The Guardian Digital IDS enables organizations to concentrate on their core
business while maintaining a continued high degree of security.
Total Attacks by Class
Attacks grouped by their classification can be used to determine whether a
particular type of attack is applicable to the systems on your network.
Remote attackers typically do not first determine the type of systems
on your network, but instead launch scripted attacks indiscriminately.
Alerts for attacks against software you do not run are therefore expected
background noise; alerts in a class that matches your platforms deserve
attention.
Total Attacks by Protocol
TCP/IP is the protocol suite used for nearly all communication between
systems today. Knowing which protocol an attacker used (TCP, UDP or ICMP)
can help determine whether firewall policies need to be adjusted, and assists
in establishing patterns over time.
Read together with the attack classes, this graph can help determine whether
systems are being probed at the network layer (for example ICMP sweeps),
scanned at the transport layer (TCP or UDP port scans), or attacked at the
application layer (exploits carried inside a TCP or UDP session), giving
security administrators additional information with which to protect their network.
Ten Most Common Attacks
As exploits are developed and released to attack vulnerable systems on the
Internet, these graphs show the latest attempts to use them against your
systems.
Some advance warning of which attacks are circulating helps system
administrators prepare and monitor the systems that may be vulnerable to them.
Ten Least Common Attacks
It is important to monitor infrequent attack attempts as attentively as
those attempted regularly. An attacker trying to evade detection may probe
only once or twice while searching for the weakest point of the network,
so a signature that fired a single time can matter more than one that
fired a thousand times.
Ten Most Common Services Attacked
The standard services used to communicate with hosts on the Internet listen
on well-known port numbers that are the same on every host (SMTP on TCP
port 25, FTP on TCP port 21, and so on). Blackhats scan for activity at
these known locations, then launch an attack against any service they find
in an attempt to compromise the host.
Reported activity against a port on which no service is running is traffic
the firewall should have dropped and may indicate that a firewall policy
change is needed, while activity against an active port means the service
itself is exposed and requires further attention.
Summary of Attacks by Protocol over Time for April 07, 2003
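The views described in the sections above (top source IPs, attacks by class, attacks by protocol, most and least common attacks, services attacked, and protocol over time) are all simple aggregations over the same alert stream. The script below builds each of them from a handful of alert lines. It is an added example, not the Guardian Digital IDS's own report code or log format: the input is constructed sample data in a Snort-style one-line ("fast") alert format, the addresses are from the RFC 5737 documentation ranges, the year is assumed from the report date, and the set of services assumed to be listening (ACTIVE_SERVICES) is an assumption used to flag hits on ports nothing listens on.

```python
"""Aggregate IDS alerts into the views an IDS report describes.

Added example, not code from the original report or from Guardian Digital.
Input lines are CONSTRUCTED sample data in a Snort-style one-line ("fast")
alert format; the real log format is not shown on the page. Addresses are
from the RFC 5737 documentation ranges; ACTIVE_SERVICES is an assumption.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample alerts for April 07 (year assumed to be 2003, per the report date).
SAMPLE_ALERTS = """\
04/07-00:12:01.100000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:3109 -> 192.0.2.10:80
04/07-00:12:02.300000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:3110 -> 192.0.2.10:80
04/07-00:12:03.500000  [**] [1:1000001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:3111 -> 192.0.2.10:80
04/07-01:05:10.000000  [**] [1:1000002:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.7 -> 192.0.2.10
04/07-01:05:11.000000  [**] [1:1000003:1] SCAN SSH banner probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:22
04/07-01:05:12.000000  [**] [1:1000004:1] FTP SITE EXEC attempt [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40002 -> 192.0.2.11:21
04/07-02:30:00.000000  [**] [1:1000005:1] SMTP relay attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.200:2500 -> 192.0.2.10:25
04/07-02:31:00.000000  [**] [1:1000006:1] NETBIOS name query [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.200:137 -> 192.0.2.10:137
"""

# One alert per line; ports are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

ACTIVE_SERVICES = {("TCP", 22), ("TCP", 25), ("TCP", 80)}  # assumed listening services


def parse_alerts(text, year=2003):
    """Parse alert lines into dicts; returns (alerts, count of lines not understood)."""
    alerts, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ALERT_RE.match(line.strip())
        if not m:
            unparsed += 1  # count rather than silently drop: odd lines may be evasion
            continue
        d = m.groupdict()
        alerts.append({
            "time": datetime.strptime(f"{year}/{d['ts']}", "%Y/%m/%d-%H:%M:%S.%f"),
            "msg": d["msg"], "cls": d["cls"] or "unclassified", "prio": int(d["prio"]),
            "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
        })
    return alerts, unparsed


def ranked(counter, n=None, least=False):
    """(key, count) pairs ordered by count; ties broken by key so output is stable."""
    items = sorted(counter.items(), key=lambda kv: (kv[1] if least else -kv[1], str(kv[0])))
    return items[:n] if n else items


def top_sources(alerts, n=10):
    return ranked(Counter(a["src"] for a in alerts), n)

def by_class(alerts):
    return ranked(Counter(a["cls"] for a in alerts))

def by_protocol(alerts):
    return ranked(Counter(a["proto"] for a in alerts))

def most_common_attacks(alerts, n=10):
    return ranked(Counter(a["msg"] for a in alerts), n)

def least_common_attacks(alerts, n=10):
    return ranked(Counter(a["msg"] for a in alerts), n, least=True)

def services_attacked(alerts, n=10):
    """Destination (protocol, port) pairs; ICMP alerts have no port and are skipped."""
    return ranked(Counter((a["proto"], a["dport"]) for a in alerts if a["dport"] is not None), n)

def unexpected_service_hits(alerts, active_services):
    """Alerts against ports nothing listens on: traffic the firewall should have dropped."""
    return Counter((a["proto"], a["dport"]) for a in alerts
                   if a["dport"] is not None and (a["proto"], a["dport"]) not in active_services)

def multi_target_sources(alerts):
    """Sources that touched more than one destination host (the 'multiple systems' case)."""
    targets = defaultdict(set)
    for a in alerts:
        targets[a["src"]].add(a["dst"])
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) > 1}

def protocol_by_hour(alerts):
    """Per-hour protocol counts, the basis of a protocol-over-time summary."""
    buckets = defaultdict(Counter)
    for a in alerts:
        buckets[a["time"].hour][a["proto"]] += 1
    return {h: dict(c) for h, c in sorted(buckets.items())}


if __name__ == "__main__":
    alerts, bad = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(alerts)} alerts parsed, {bad} lines not understood")
    for title, rows in [("Top source IPs", top_sources(alerts)), ("By class", by_class(alerts)),
                        ("By protocol", by_protocol(alerts)), ("Most common", most_common_attacks(alerts)),
                        ("Least common", least_common_attacks(alerts)), ("Services", services_attacked(alerts))]:
        print(f"\n{title}")
        for key, count in rows:
            print(f"  {count:5d}  {key}")
    print("\nHits on ports with no listening service:", dict(unexpected_service_hits(alerts, ACTIVE_SERVICES)))
    print("Sources hitting multiple hosts:", multi_target_sources(alerts))
    print("Protocol by hour:", protocol_by_hour(alerts))
```

Two design choices matter for a report like this one. Ties are broken by key so that the same log always yields the same ranking, which keeps day-to-day comparisons honest. The parser counts lines it cannot understand instead of discarding them, because a malformed or unusual alert line is exactly the kind of rare event the "least common attacks" section says not to overlook.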