Which of the following network security controls can alert an administrator if it finds unusual traffic in the network?

Last updated at Tue, 31 Mar 2020 19:53:33 GMT

How to deal with unusual traffic detected notifications from Google

If you get an unusual traffic detected notification from Google, it usually means your IP address was or still is sending suspicious network traffic. Google can detect this and has implemented security measures to protect against DDoS, other server attacks, and SEO rank manipulation.

The key thing to remember is that the notification is based on your internet-facing IP address, not your private IP address, which is assigned to your laptop/PC/device. If you don’t know what your internet-facing (or public) IP address is, you can use something like What’s My IP Address.

Top tips for dealing with unusual traffic detected messages

  1. Get an inventory. Do you have unknown devices on your network? There are many free applications that can do network scans. Another option is to deploy deep packet inspection (DPI) tools, which will passively detect what is running on your network.
  2. Monitor traffic on your internet gateway. Watch out for things like network scans, traffic on unusual port numbers, and Tor traffic.
  3. Track down the device using its MAC address. Network switches maintain a list of which MAC addresses are associated with which network switch ports.
  4. See if your IP address is blacklisted. You can use something like IPVOID to see whether your IP address appears on known blacklists.
  5. If you cannot find any issues, talk to your ISP. Maybe you need an IP change. IP addresses are recycled, so it could be that you were allocated a dodgy one. This is a remote possibility, so make sure you cover the first four tips first.
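Tips 1 and 3 above come down to the same triage routine: list what is actually on the LAN, compare it with what you know should be there, and walk each unknown MAC address back to a switch port. The script below is an added example (not code from the original post) that does exactly that. It assumes three inputs, all constructed here: the gateway's neighbour table in the format printed by `ip neigh show` on Linux, a switch MAC-address table exported as simple `mac,port` lines (real switches print this in vendor-specific formats, so the parser for that part is a placeholder), and a hand-maintained inventory keyed by MAC.

```python
"""Triage an 'unusual traffic' notification: find LAN devices that are not in
the known inventory and map them to a switch port via their MAC address.
Added example, not code from the original post; all sample data is constructed."""
import re

# Constructed: neighbour table as printed by `ip neigh show` on a Linux gateway.
# The FAILED entry never resolved to a MAC and is deliberately skipped.
ARP_TABLE = """\
192.168.1.10 dev eth1 lladdr 3c:22:fb:11:22:33 REACHABLE
192.168.1.23 dev eth1 lladdr 00:1A:2B:3C:4D:5E STALE
192.168.1.77 dev eth1 lladdr b8:27:eb:aa:bb:cc REACHABLE
192.168.1.90 dev eth1 FAILED
"""

# Constructed: switch MAC-address table exported as "mac,port" lines.
# Real switches use vendor-specific formats; only parse_mac_table() needs adapting.
SWITCH_MAC_TABLE = """\
3c:22:fb:11:22:33,Gi1/0/1
00:1a:2b:3c:4d:5e,Gi1/0/2
b8:27:eb:aa:bb:cc,Gi1/0/7
"""

# Constructed: the devices the administrator knows about, keyed by MAC.
KNOWN_INVENTORY = {
    "3c:22:fb:11:22:33": "laptop-alice",
    "00:1a:2b:3c:4d:5e": "printer-1",
}

# ip, interface, MAC (17 chars, either case), neighbour state
ARP_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17}) (\S+)$")


def parse_arp_table(text):
    """Return {ip: mac} for entries that resolved a MAC; MACs are lower-cased
    so they compare equal regardless of how the source printed them."""
    result = {}
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:
            ip, mac, _state = m.groups()
            result[ip] = mac.lower()
    return result


def parse_mac_table(text):
    """Return {mac: switch_port} from 'mac,port' lines (constructed format)."""
    ports = {}
    for line in text.splitlines():
        if "," not in line:
            continue
        mac, port = line.strip().split(",", 1)
        ports[mac.lower()] = port
    return ports


def find_unknown_devices(arp_text, mac_table_text, inventory):
    """Return [(ip, mac, switch_port)] for every live device whose MAC is not
    in the inventory. 'unknown-port' means the switch has not learned the MAC
    on any port (e.g. a device behind a wireless bridge or a stale entry)."""
    arp = parse_arp_table(arp_text)
    ports = parse_mac_table(mac_table_text)
    unknown = []
    for ip, mac in sorted(arp.items()):
        if mac not in inventory:
            unknown.append((ip, mac, ports.get(mac, "unknown-port")))
    return unknown


if __name__ == "__main__":
    for ip, mac, port in find_unknown_devices(ARP_TABLE, SWITCH_MAC_TABLE, KNOWN_INVENTORY):
        print(f"unknown device {ip} ({mac}) seen on switch port {port}")
```

Once an unknown device is pinned to a port, tip 2 (watching that device's flows at the gateway) becomes targeted rather than network-wide, and the port can be shut if the device turns out to be unsanctioned.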

Please don’t hesitate to get in contact with us if you are having an issue with unusual traffic notifications. Our support team can help you quickly get to the root cause of issues associated with suspicious network traffic.

An intrusion prevention system (IPS) – sometimes referred to as an intrusion detection and prevention system (IDPS) – is a network security technology and a key part of any enterprise security system that continuously monitors network traffic for suspicious activity and takes steps to prevent it. Largely automated, IPS solutions filter out this malicious activity before it reaches other security devices or controls, reducing the manual effort of security teams and allowing other security products to perform more efficiently.

IPS solutions are also very effective at detecting and preventing vulnerability exploits. When a vulnerability is discovered, there is typically a window of opportunity for threat actors to exploit it before a security patch can be applied. An intrusion prevention system is used here to quickly block these types of attacks.

IPS appliances were originally built and released as stand-alone devices in the mid-2000s. Today this functionality has been integrated into unified threat management (UTM) solutions for small and medium-sized companies and into next-generation firewalls at the enterprise level. Next-generation IPS solutions are now connected to cloud-based computing and network services that enable them to provide a sophisticated approach to protecting against the ever-increasing cybersecurity threats facing local and global organizations.

How Intrusion Prevention Works

Unlike its predecessor the intrusion detection system (IDS) – which is a passive system that scans traffic and reports back on threats – the IPS is placed inline, directly in the flow of network traffic between the source and destination. Usually sitting right behind the firewall, the solution is actively analyzing and taking automated actions on all traffic flows that enter the network. These actions can include:

  • Sending an alarm to the administrator (as would be seen in an IDS)
  • Dropping the malicious packets
  • Blocking traffic from the source address
  • Resetting the connection
  • Configuring firewalls to prevent future attacks

As an inline security component, the IPS must work efficiently to avoid degrading network performance. It must also act quickly, because exploits unfold in near-real time, and it must detect and respond accurately, stopping genuine threats while avoiding false positives (legitimate packets misread as threats). To do this, an IPS uses several techniques for finding exploits and protecting the network from unauthorized access. These include:

  • Signature-based detection is based on a dictionary of uniquely identifiable patterns (or signatures) in the code of each exploit. As an exploit is discovered, its signature is recorded and stored in a continuously growing dictionary of signatures. Signature detection for IPS breaks down into two types:
    • Exploit-facing signatures identify individual exploits by triggering on the unique patterns of a particular exploit attempt. The IPS can identify specific exploits by finding a match with an exploit-facing signature in the traffic stream.
    • Vulnerability-facing signatures are broader signatures that target the underlying vulnerability in the system that is being targeted. These signatures allow networks to be protected from variants of an exploit that may not have been directly observed in the wild but also raise the risk of false positives.
  • Anomaly-based detection takes samples of network traffic at random and compares them to a pre-calculated baseline performance level. When the sample of network traffic activity is outside the parameters of baseline performance, the IPS takes action to handle the situation.
  • Policy-based detection requires system administrators to configure security policies based on an organization’s security policies and network infrastructure. If any activity occurs that breaks a defined security policy, an alert is triggered and sent to the admins.
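The three detection techniques above, and the IDS/IPS distinction in the "How Intrusion Prevention Works" section, can be seen together in a small inline inspection engine. The following is an added example, not code from this page or from any vendor's product: the signatures, the baseline, the allowed-port policy and the sample traffic are all constructed. The exploit-facing signature matches one specific payload, while the vulnerability-facing one matches any overlong header value, so it also catches a variant with a different filler byte that the exploit-facing signature would miss. The anomaly check uses a per-source packet count against a fixed baseline (a real engine would use sliding time windows). Running the same traffic with `inline=False` shows IDS behaviour (alert only, everything forwarded); `inline=True` shows IPS behaviour (drop, and block the source after a signature hit).

```python
"""Toy inline inspection engine: signature-, anomaly- and policy-based detection,
with IDS (alert only) versus IPS (drop/block) handling of the verdict.
Added example; all signatures, thresholds and traffic are constructed."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


# Signature-based detection (constructed patterns).
SIGNATURES = {
    # exploit-facing: one specific exploit attempt, byte for byte
    "exploit-facing: fake-login-bypass": re.compile(rb"admin' OR '1'='1"),
    # vulnerability-facing: any overlong X-Hdr value, whatever the filler bytes
    "vulnerability-facing: overlong-X-Hdr": re.compile(rb"X-Hdr: [^\r\n]{64,}"),
}

# Anomaly-based detection: a source exceeding ANOMALY_FACTOR x baseline is flagged.
BASELINE_PKTS_PER_SRC = 20
ANOMALY_FACTOR = 5

# Policy-based detection: the only destination ports the (constructed) policy allows.
ALLOWED_DPORTS = {80, 443}


def signature_check(pkt):
    return [name for name, rx in SIGNATURES.items() if rx.search(pkt.payload)]


def anomaly_check(counts, src):
    return counts[src] > BASELINE_PKTS_PER_SRC * ANOMALY_FACTOR


def policy_check(pkt):
    return pkt.dport not in ALLOWED_DPORTS


def inspect(packets, inline=True):
    """Return (alerts, forwarded). Each alert is (src, reasons, action).
    inline=False behaves like an IDS: every packet is forwarded, offenders only
    raise an alert. inline=True behaves like an IPS: offenders are dropped, and a
    source that triggers a signature is blocked for the rest of the stream."""
    alerts, forwarded = [], []
    counts = Counter()   # packets seen per source (no time window in this toy)
    blocked = set()
    for pkt in packets:
        counts[pkt.src] += 1
        if pkt.src in blocked:
            alerts.append((pkt.src, "blocked-source", "drop"))
            continue
        reasons = signature_check(pkt)
        if policy_check(pkt):
            reasons.append(f"policy: port {pkt.dport} not allowed")
        if anomaly_check(counts, pkt.src):
            reasons.append("anomaly: rate above baseline")
        if not reasons:
            forwarded.append(pkt)
            continue
        if inline:
            action = "drop"
            if any(r.startswith(("exploit-facing", "vulnerability-facing")) for r in reasons):
                blocked.add(pkt.src)
                action = "drop+block"
        else:
            action = "alert-only"
            forwarded.append(pkt)
        alerts.append((pkt.src, "; ".join(reasons), action))
    return alerts, forwarded


def sample_traffic():
    """Constructed traffic: one clean request, one exploit-facing hit plus a
    follow-up packet from the same source, one vulnerability-facing variant,
    one policy violation (telnet), and a 120-packet burst from one source."""
    pkts = [
        Packet("10.0.0.1", "192.0.2.10", 443, b"GET / HTTP/1.1"),
        Packet("10.0.0.2", "192.0.2.10", 80, b"user=admin' OR '1'='1"),
        Packet("10.0.0.2", "192.0.2.10", 443, b"GET /x HTTP/1.1"),
        Packet("10.0.0.3", "192.0.2.10", 80, b"X-Hdr: " + b"B" * 200),
        Packet("10.0.0.4", "192.0.2.10", 23, b"\xff\xfd\x18"),
    ]
    pkts += [Packet("10.0.0.9", "192.0.2.10", 443, b"GET / HTTP/1.1") for _ in range(120)]
    return pkts


if __name__ == "__main__":
    for mode in (False, True):
        alerts, forwarded = inspect(sample_traffic(), inline=mode)
        print(f"inline={mode}: {len(alerts)} alerts, {len(forwarded)} packets forwarded")
        for a in alerts[:4]:
            print("  ", a)
```

The run shows the trade-off the section describes: in IDS mode the flood and the exploit attempts all reach the destination and only generate alerts; in IPS mode they are dropped inline, at the cost that a mis-tuned baseline or an over-broad vulnerability-facing signature drops legitimate traffic rather than merely paging an administrator.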

Types of Intrusion Prevention Systems

There are several types of IPS solutions, which can be deployed for different purposes. These include:

  • Network intrusion prevention system (NIPS), which is installed only at strategic points to monitor all network traffic and proactively scan for threats.
  • Host intrusion prevention system (HIPS), which is installed on an endpoint and looks at inbound and outbound traffic from that machine only. Often combined with NIPS, a HIPS serves as a last line of defense against threats.
  • Network behavior analysis (NBA) analyzes network traffic to detect unusual traffic flows and spot new malware or zero-day vulnerabilities.
  • Wireless intrusion prevention system (WIPS) simply scans a Wi-Fi network for unauthorized access and removes any unauthorized devices from the network.

Deep Learning for Evasive Threat Detection

To protect against the increase of sophisticated and evasive threats, intrusion prevention systems should deploy inline deep learning, which significantly enhances detections and accurately identifies never-before-seen malicious traffic without relying on signatures. Similar to the way neural networks function in our brains, deep-learning models go through several layers of analysis and process millions of data points in milliseconds. These sophisticated pattern recognition systems analyze network traffic activity with unparalleled accuracy, identifying never-before-seen malicious traffic inline with extremely low false-positive rates.

This additional layer of intelligent protection, which an IPS solution can use, further protects a business's sensitive information and prevents sophisticated attacks that could paralyze an organization.

To learn more about how IPS solutions work within a security infrastructure, check out this paper: Palo Alto Networks Approach to Intrusion Prevention.

Which of the following network security controls is supposed to send an alert to the administrator if it finds unusual traffic in the network?

IDS (Intrusion Detection System) systems only detect an intrusion, log the attack and send an alert to the administrator. IDS systems do not slow networks down like IPS as they are not inline.

Which security component identifies suspicious traffic and attempts to stop it?

An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and alerts when such activity is discovered.

Which of the following is a way to detect nefarious activity using an administrative control?

Explanation: A false positive is any alert that indicates nefarious activity on a system that, upon further inspection, turns out to represent legitimate network traffic or behavior. One of the most obvious places to put an IDS sensor is near the firewall.

What is IPS blocking?

What is an intrusion prevention system? An intrusion prevention system (IPS) is a network security tool (which can be a hardware device or software) that continuously monitors a network for malicious activity and takes action to prevent it, including reporting, blocking, or dropping it, when it does occur.