User Guide
OmniAccess SafeGuard OS Administration Guide
Chapter 10: Detecting and Isolating Malware Security Threats
Detecting and Quarantining Malware
The term malware is derived from malicious software, which is any program or file that is
harmful to a computer system. Common types of malware include computer viruses,
worms, Trojan horses and spyware.
SafeGuard OS stops malware from propagating past the edge switch. The system not only
detects malware but can stop an attack before network resources are affected.
The system can place the infected device in a “soft quarantine”. This soft quarantine
achieves two goals. First, it blocks only the infected traffic while still allowing the end
device a carefully monitored connection to an IT server or Internet website, so that the most
recent anti-virus software or OS patch can be retrieved automatically. Second, if the attack
is specific to a particular application, the SafeGuard device allows traffic from other
applications to continue unimpeded.
The SafeGuard Controller examines all traffic to identify traffic anomalies and malware
infections. It stops attacks before they reach the core switch, and it shuts down the
offending application’s traffic without shutting down all traffic from that device.
Detection relies on multiple mechanisms, such as:
■ Detecting deviations in usage behavior on a per-application basis
■ Detecting deviations in each host’s network access patterns, without requiring daily
signature updates
■ Detecting devices trying to reach computers that do not exist
■ Detecting devices trying to access services that are not available
■ Detecting IP scanning, port scanning and other reconnaissance activity by
infected devices
■ Monitoring the rate at which a particular application from a user interacts
with the network
■ Detecting sudden and large changes in a user’s use of the network
■ Detecting zero-day attacks
■ Detecting Denial of Service (DoS) attacks, including SYN floods and ICMP floods
■ Detecting IP source address spoofing
The system performs detection and monitoring by analyzing host and user behavior with
event-driven algorithms. Malware detection works by analyzing the rates of these
various events and by maintaining state for each event on a per-host or per-user basis.
At each event, the state is checked against the profile, and anomalies are reported to
OmniVista SafeGuard Manager.
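To make the per-host, event-driven approach concrete, the following Python program is an added illustration for this guide; it is not SafeGuard OS code and does not describe its internals. It keeps sliding-window state per source host over constructed flow events, checks that state against fixed thresholds at every event, and raises several of the anomalies named in the list above (IP scan, port scan, SYN flood, and attempts to reach hosts or services that do not exist). The event fields, thresholds and anomaly names are assumptions made for the example.

```python
"""Per-host, event-driven rate/behaviour anomaly detection over flow events.
Illustrative only: the thresholds, event fields and anomaly names are assumed
for this example and are not SafeGuard OS defaults or internals."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed thresholds (per source host, per sliding window).
WINDOW_SECONDS = 10.0
MAX_DISTINCT_DSTS = 20      # more destinations than this -> IP scan
MAX_DISTINCT_PORTS = 15     # more ports on one destination -> port scan
MAX_SYN_PER_WINDOW = 100    # more new connection attempts -> SYN flood
MAX_UNANSWERED = 10         # more unanswered attempts -> absent hosts/services


@dataclass(frozen=True)
class FlowEvent:
    t: float        # event timestamp, seconds
    src: str        # source host whose state is tracked
    dst: str        # destination host
    dport: int      # destination port
    syn: bool       # new TCP connection attempt (SYN)
    answered: bool  # False if dst never replied (no such host or no listener)


class HostState:
    """Sliding-window state for one source host, updated on every event."""

    def __init__(self):
        self.recent = deque()     # events within the last WINDOW_SECONDS
        self.reported = set()     # anomaly names already raised for this host

    def observe(self, ev):
        """Record an event, expire old ones, and return newly detected anomalies."""
        self.recent.append(ev)
        while self.recent[0].t < ev.t - WINDOW_SECONDS:
            self.recent.popleft()
        return self._check()

    def _check(self):
        found = []
        if len({e.dst for e in self.recent}) > MAX_DISTINCT_DSTS:
            found.append("ip-scan")
        ports_by_dst = defaultdict(set)
        for e in self.recent:
            ports_by_dst[e.dst].add(e.dport)
        if any(len(p) > MAX_DISTINCT_PORTS for p in ports_by_dst.values()):
            found.append("port-scan")
        if sum(e.syn for e in self.recent) > MAX_SYN_PER_WINDOW:
            found.append("syn-flood")
        if sum(not e.answered for e in self.recent) > MAX_UNANSWERED:
            found.append("unreachable-targets")
        new = [a for a in found if a not in self.reported]
        self.reported.update(new)
        return new


class Detector:
    """Keeps one HostState per source host and collects anomaly reports."""

    def __init__(self):
        self.hosts = defaultdict(HostState)
        self.reports = []  # (src host, anomaly, time first seen)

    def feed(self, events):
        for ev in sorted(events, key=lambda e: e.t):
            for anomaly in self.hosts[ev.src].observe(ev):
                self.reports.append((ev.src, anomaly, ev.t))
        return self.reports


def constructed_events():
    """Constructed sample traffic: one benign host and three misbehaving ones."""
    ev = []
    # 10.0.0.5: a few normal, answered connections to one server.
    ev += [FlowEvent(float(i), "10.0.0.5", "10.0.0.100", 443, True, True) for i in range(5)]
    # 10.0.0.9: sweeps 40 addresses on port 445; nothing answers (hosts do not exist).
    ev += [FlowEvent(10 + i * 0.1, "10.0.0.9", f"10.0.1.{i}", 445, True, False) for i in range(1, 41)]
    # 10.0.0.12: 150 SYNs to one web server in 1.5 s.
    ev += [FlowEvent(20 + i * 0.01, "10.0.0.12", "10.0.2.1", 80, True, True) for i in range(150)]
    # 10.0.0.7: probes 20 ports on one host; no service answers.
    ev += [FlowEvent(30 + i * 0.05, "10.0.0.7", "10.0.3.1", i, True, False) for i in range(1, 21)]
    return ev


def run_demo():
    return Detector().feed(constructed_events())


if __name__ == "__main__":
    for host, anomaly, t in run_demo():
        print(f"t={t:6.2f}s host={host:10} anomaly={anomaly}")
```

Each anomaly is raised once per host, at the first event that pushes the host's window over a threshold, which is the point at which a quarantine decision would be taken for that host or that application's traffic. The benign host never crosses a threshold and produces no report.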