Network Security Monitoring

Document Type: Research Paper

Subject Area: Technology

Document 1

The increase in device interconnection brought by the Internet of Things (IoT) is unabated. With this technological change come advanced security issues and contemporary challenges, as attacks on networking systems and on the devices connected to them keep increasing. The security of each individual device, and of the connected devices and systems across large networks, depends on the availability of secure communication among the devices. There are many approaches aimed at increasing the security of communication among devices. One such approach is network monitoring for any malicious activity in the network. Network security monitoring requires that a network be placed under surveillance from the outside so as to identify emerging security issues both inside and outside the network (Sanders, Smith & Bianco, 2014). This is achieved through networking tools that oversee the network and provide the person responsible for network monitoring with logs that can be used to troubleshoot and resolve issues when they occur.

Current network security monitoring tools and technologies offer high-level security. Network security monitoring is effective when the early signs of an attack are caught before it does harm to the networking system. The overall reliability and security of data networks depend on proper security policies and posture. The DMZ provides a connection and a termination point between the office network and the ICS network without allowing the direct flow of packets between the two. The nature of the security issues facing the ICS network will, in essence, dictate the security measures to be deployed at the border between the two. The office network comprises all the normal ICT equipment such as personal computers, devices attached to the PCs, and the WLAN.
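
The DMZ property just described, that the office network and the ICS network may each talk to the DMZ but never directly to each other, can be checked mechanically. The following Python is an added example, not code from the paper: it models a first-match, default-deny zone policy and includes an audit function that flags any allow rule joining office and ICS without passing through the DMZ. The zone address ranges, the ports, and both rule tables are constructed assumptions.

```python
"""Zone policy model for an office / DMZ / ICS network boundary.

Added example, not code from the paper. The zone address ranges, ports
and rule tables below are constructed assumptions used to illustrate the
"no direct packet flow between office and ICS" property; they describe
no real site.
"""
from ipaddress import ip_address, ip_network

# Constructed zone assignment (assumption): one private range per zone.
ZONES = {
    "office": ip_network("10.10.0.0/16"),
    "dmz": ip_network("10.20.0.0/24"),
    "ics": ip_network("10.30.0.0/16"),
}

# Rule: (src_zone, dst_zone, proto, dst_port, action). None means "any".
# First match wins; a flow matching no rule is dropped (default deny).
RULES_OK = [
    ("office", "dmz", "tcp", 443, "allow"),  # office clients reach a DMZ web front end
    ("dmz", "ics", "tcp", 502, "allow"),     # DMZ data collector polls ICS devices on Modbus/TCP
    ("office", "ics", None, None, "deny"),   # explicit: nothing crosses office -> ICS directly
    ("ics", "office", None, None, "deny"),
]

# Constructed "weak" table: a convenience rule lets office hosts reach
# ICS devices directly, which defeats the purpose of the DMZ.
RULES_WEAK = RULES_OK[:2] + [("office", "ics", "tcp", 502, "allow")] + RULES_OK[2:]


def zone_of(addr):
    """Return the zone name containing addr, or None if it is in no zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """Return (action, rule_index) for a flow; rule_index is None on default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for idx, (rs, rd, rp, rport, action) in enumerate(rules):
        if (rs == src and rd == dst
                and (rp is None or rp == proto)
                and (rport is None or rport == dst_port)):
            return action, idx
    return "deny", None


def direct_office_ics_rules(rules):
    """Audit: indices of allow rules that join office and ICS without the DMZ."""
    return [
        idx for idx, (rs, rd, _p, _port, action) in enumerate(rules)
        if action == "allow" and {rs, rd} == {"office", "ics"}
    ]


if __name__ == "__main__":
    for rules, label in ((RULES_OK, "ok"), (RULES_WEAK, "weak")):
        print(label, evaluate(rules, "10.10.4.7", "10.30.1.20", "tcp", 502),
              "direct office<->ics allow rules:", direct_office_ics_rules(rules))
```

Running the module evaluates one office-to-ICS flow against both tables; the audit catches the weak table's convenience rule, which is the kind of check worth running over an exported boundary firewall rule set before it goes live.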

In view of the security requirements at the boundary of the ICS, it is evident that the office network is more prone to intrusion because employees connect to the network as they please using their PCs, and hackers can take advantage of this privilege to infiltrate the network system (Sanders, Smith & Bianco, 2014). The other side of the DMZ is the ICS network, which represents a restricted network environment with anomaly detection capabilities. The situation is different for distributed networks, which require additional infrastructure for effective network management. The level of observation is another factor determining the allocation of resources necessary for observing and managing a network. NSM typically requires the application of different tools and resources for its effective management.

One example of such tools is the Security Onion Linux distribution, which includes network sensors such as Snort and Bro, ELSA, log-handling tools, and other tools necessary for NSM. The distribution is vital to the system configuration used both in the distributed system and in the standalone system. In this discussion, we focus on intrusion detection for a network. An intrusion detection system (IDS) is primarily for detecting whether there is an attempt to breach the security of a network. It works with other network defense systems, such as the firewall, for effective intrusion detection and prevention. The IDS monitors the computer systems in the organization and the network traffic to ascertain the extent of an attack. It detects both attacks from outside the organization and attacks from inside by employees and other members of the organization (Goldenberg & Wool, 2013).

The network IDS has two interfaces: the management interface, which facilitates communication between the management console and the sensor, while the other operates in promiscuous mode for sensor-to-management-console communication and is not manageable. The network segment being monitored is connected through the monitoring interface. The sensor monitors all the packets crossing the network segment and applies the attack signatures from its knowledge base to identify incidents that resemble previous attacks. If the sensor matches traffic to a known signature, it takes the appropriate action, including notifying management through an alarm or an e-mail alert.

Figure 1: Intrusion detection system

From the above diagram, the management interface is in direct communication with the management VLAN.
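
To make the sensor's matching loop concrete, here is an added Python example (not the paper's code, and not any IDS product's engine) that runs constructed packet records past a small signature knowledge base and raises an alert for each match. The signature ids, messages, packet addresses and payloads are all constructed for illustration and belong to no published ruleset.

```python
"""Signature matching over packets seen on a monitoring interface.

Added example, not the paper's code and not any IDS product's engine.
The signature ids, messages, packet addresses and payloads below are all
constructed for illustration and belong to no published ruleset.
"""
import re

# Constructed knowledge base. dst_port None means any port; content is a
# byte string that must appear in the payload; regex is an optional
# pattern applied to the payload as well.
SIGNATURES = [
    {"sid": 1000001, "msg": "HTTP request containing directory traversal sequence",
     "proto": "tcp", "dst_port": 80, "content": b"../", "regex": None},
    {"sid": 1000002, "msg": "Telnet login prompt on monitored segment",
     "proto": "tcp", "dst_port": None, "content": b"login:", "regex": None},
    {"sid": 1000003, "msg": "HTTP Basic credentials sent in cleartext",
     "proto": "tcp", "dst_port": 80, "content": None,
     "regex": re.compile(rb"^Authorization: Basic ", re.M)},
]

# Constructed packet records standing in for frames copied to the sensor's
# promiscuous interface: (src, dst, proto, dst_port, payload).
PACKETS = [
    ("10.10.4.7", "10.20.0.5", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    ("10.10.9.2", "10.20.0.5", "tcp", 80, b"GET /../../config HTTP/1.1\r\n"),
    ("10.30.1.20", "10.10.9.2", "tcp", 51022, b"\r\nlogin: "),   # telnet server reply
    ("10.10.4.7", "10.20.0.5", "tcp", 80,
     b"GET /admin HTTP/1.1\r\nAuthorization: Basic dXNlcjpwYXNz\r\n"),
    ("10.10.4.7", "10.20.0.5", "udp", 53, b"\x12\x34\x01\x00"),
]


def matches(sig, pkt):
    """True when every field the signature constrains agrees with the packet."""
    _src, _dst, proto, dport, payload = pkt
    if sig["proto"] != proto:
        return False
    if sig["dst_port"] is not None and sig["dst_port"] != dport:
        return False
    if sig["content"] is not None and sig["content"] not in payload:
        return False
    if sig["regex"] is not None and not sig["regex"].search(payload):
        return False
    return True


def inspect(packets, signatures):
    """Compare every packet with every signature; one alert per match."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if matches(sig, pkt):
                alerts.append({"sid": sig["sid"], "msg": sig["msg"],
                               "src": pkt[0], "dst": pkt[1], "dst_port": pkt[3]})
    return alerts


def notify(alert):
    """Stand-in for the console alarm or e-mail the sensor raises on a match."""
    return (f"[sid {alert['sid']}] {alert['msg']}: "
            f"{alert['src']} -> {alert['dst']}:{alert['dst_port']}")


def summarize(alerts):
    """Alert counts per signature id, the first view an analyst wants."""
    counts = {}
    for a in alerts:
        counts[a["sid"]] = counts.get(a["sid"], 0) + 1
    return counts


if __name__ == "__main__":
    found = inspect(PACKETS, SIGNATURES)
    for a in found:
        print(notify(a))
    print(summarize(found))
```

Each signature constrains only the fields it names, so the Telnet signature fires on any port; a real sensor adds stream reassembly and per-signature thresholds on top of this loop, which is what keeps one noisy host from flooding the console.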

The third advantage is the ability to retain evidence. The NIDS works in real time and thus detects attacks as they occur. The data it captures in the process is stored in a database, which can also be used in forensic analysis to determine the extent of an attack and the future approach for dealing with such an attack if it happens again. The NIDS is easy to deploy and does not alter the working of the existing network infrastructure. By its nature, the NIDS is operating-system independent. The best approach is a hub-based network, where the host can see and monitor all the packets from all the ports.

Anomaly Detection with Machine Learning Techniques

Anomaly detection refers to the detection of behaviors and patterns in data that do not conform to the expected pattern and behavior.

For network monitoring, anomaly detection refers to the process of detecting network conditions or states that differ from the historically expected network behavior. Anomaly detection is divided into four major categories: rule-based anomaly detection, pattern-matching-based anomaly detection, finite-state-machine-based anomaly detection, and statistical-analysis-based approaches (Callegari, Coluccia, D’Alconzo, Ellens, Giordano, Mandjes, Pagano, Pepe, Ricciato & Zuraniewski, 2013). The rule-based approaches are normally very expensive, as they require a lot of resources for effective performance and do not operate in real time, resulting in slow system performance. Anomalies can be categorized into three main types: point anomalies, contextual anomalies, and collective anomalies. Point anomalies are individual data instances considered anomalous with reference to the rest of the available data (Adler, Mayhew, Cleveland, Atighetchi & Greenstadt, 2013).

Contextual anomalies occur within a specific context, such as at a specified time. Collective anomalies occur when a collection of related data instances varies from the rest of the data of the same type. The two main variations comprise events that occur in an unexpected order and unexpected value combinations. Anomaly detection systems grow with the network. This is a key strength, as it allows Network Operation Centers to customize their security system depending on the prevailing demands of the season. Even as threats grow in sophistication and number, anomaly detection systems can discover the anomalies, understand the threat, and recommend preventive measures against such attacks. This strength is achieved through the use of machine learning algorithms and techniques.
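
The three anomaly types can be told apart with a small statistical model. The following Python is an added example, not the paper's code: it fits a baseline of constructed per-minute flow counts, scores a constructed stream for point anomalies (against the global baseline) and contextual anomalies (against the baseline for the sample's own hour-of-day context), and checks event order against transitions learned from constructed normal sessions to catch the collective, unexpected-order case. The baseline values, the hour split, the session vocabulary and the z-score threshold are all assumptions.

```python
"""Point, contextual and collective (order-based) anomaly checks.

Added example, not the paper's code. Flow counts, hour buckets, event
sequences and the z-score threshold are constructed assumptions chosen
to show the three anomaly types the text describes.
"""
from statistics import mean, pstdev

# Constructed baseline of normal traffic: (hour_of_day, flows_per_minute).
BASELINE = [
    (9, 480), (10, 510), (11, 495), (13, 520), (14, 505), (16, 490),   # working hours
    (0, 45), (1, 55), (2, 50), (3, 60), (4, 40), (22, 50),             # night
]

# Constructed stream to score, same shape as BASELINE.
STREAM = [(10, 505), (3, 400), (14, 1800), (2, 48)]

# Constructed event sequences of normal sessions on an ICS device.
NORMAL_SESSIONS = [
    ("connect", "auth", "read", "read", "disconnect"),
    ("connect", "auth", "write", "disconnect"),
    ("connect", "auth", "read", "write", "read", "disconnect"),
]
START = "<start>"


def context_of(hour):
    """Assumed context split: working hours versus quiet night hours."""
    return "day" if 8 <= hour < 18 else "night"


def zscore(x, mu, sigma):
    """Standard score; a zero-spread baseline makes any deviation infinite."""
    if sigma == 0:
        return 0.0 if x == mu else float("inf")
    return (x - mu) / sigma


def fit(samples):
    """Global (mean, stdev) for point checks and per-context stats for contextual checks."""
    values = [v for _h, v in samples]
    model = {"global": (mean(values), pstdev(values)), "by_context": {}}
    for ctx in {context_of(h) for h, _v in samples}:
        ctx_values = [v for h, v in samples if context_of(h) == ctx]
        model["by_context"][ctx] = (mean(ctx_values), pstdev(ctx_values))
    return model


def point_anomalies(stream, model, z=3.0):
    """Indices whose value is far from the global baseline, ignoring context."""
    mu, sigma = model["global"]
    return [i for i, (_h, v) in enumerate(stream) if abs(zscore(v, mu, sigma)) > z]


def contextual_anomalies(stream, model, z=3.0):
    """Indices whose value is far from the baseline for their own hour context."""
    out = []
    for i, (h, v) in enumerate(stream):
        mu, sigma = model["by_context"][context_of(h)]
        if abs(zscore(v, mu, sigma)) > z:
            out.append(i)
    return out


def fit_transitions(sessions):
    """Allowed (previous, next) event pairs learned from normal sessions."""
    allowed = set()
    for s in sessions:
        prev = START
        for ev in s:
            allowed.add((prev, ev))
            prev = ev
    return allowed


def order_anomalies(session, allowed):
    """Collective anomaly: events that are individually normal but arrive in
    an order never seen in the baseline. Returns (index, previous, event)."""
    out, prev = [], START
    for i, ev in enumerate(session):
        if (prev, ev) not in allowed:
            out.append((i, prev, ev))
        prev = ev
    return out


if __name__ == "__main__":
    model = fit(BASELINE)
    print("point:", point_anomalies(STREAM, model))
    print("contextual:", contextual_anomalies(STREAM, model))
    allowed = fit_transitions(NORMAL_SESSIONS)
    print("order:", order_anomalies(("connect", "write", "disconnect"), allowed))
```

Note the second stream sample: 400 flows per minute is ordinary during working hours and so is no point anomaly, but it lies far outside the night baseline, so only the contextual check reports it. The order check flags a write issued straight after connect, before any auth event, even though every event in that session is individually common.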

Challenges Associated with Anomaly Detection

One main challenge associated with anomaly detection systems is the lack of accuracy under heavy traffic loads, especially in flow-based systems. With the continuously changing needs of ICS networks, this paper emphasizes further research in this area to establish better machine learning techniques that will enhance anomaly detection.

References

Adler, A., Mayhew, M., Cleveland, J., Atighetchi, M., & Greenstadt, R. (2013). Using machine learning for behavior-based access control: Scalable anomaly detection on TCP connections and HTTP requests. Proc. Military Communications Conference, MILCOM 2013, IEEE, 1880–1887.

Alcaraz, C., Roman, R., Najera, P., & Lopez, J. (2013). Security of industrial sensor network-based remote substations in the context of the internet of things.

Sanders, C., Smith, J., & Bianco, D. (2014). Applied network security monitoring. Waltham, MA: Syngress.
