Protocol anomaly detection
Definition
A detection method that compares observed network traffic against the formal specification of each protocol (its RFC or standard) and flags header fields that hold values outside the defined valid range (for example a header-length field smaller than the minimum header size) or that carry non-zero content where the specification mandates zero (reserved bits and fields). It catches covert channels only when they violate the specification; a storage channel in a field that is legitimately variable (such as the IP Identification field), or a timing channel, produces specification-compliant traffic and requires entropy or timing analysis instead.
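The following checker is an added example of the method described above, not code from the page or from any referenced work. It parses an IPv4 header and a TCP header with the fixed layouts given in RFC 791 and RFC 9293 and reports one tag per field that is out of range or non-zero where zero is mandated. The two sample packets are constructed inline for the example; the tag names and the treatment of SYN+FIN as an anomaly (a flag combination the specification gives no meaning) are choices made here, not part of any standard.

```python
"""Protocol anomaly detection over IPv4 and TCP headers.

Each check compares one header field against the valid range, or the
mandated zero value, from RFC 791 (IPv4) and RFC 9293 (TCP) and emits a
tag per violation. The sample packets are constructed for this example,
not captured traffic.
"""
import struct

IP_FLAG_RESERVED = 0x4   # high-order bit of the 3-bit IPv4 flags field, must be zero (RFC 791)
TCP_SYN = 0x02
TCP_FIN = 0x01


def check_ipv4(pkt: bytes) -> list[str]:
    """Return anomaly tags for the IPv4 header at the start of pkt."""
    anomalies = []
    if len(pkt) < 20:                          # fixed header is 20 bytes minimum
        return ["ip.truncated"]
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, _proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    flags = flags_frag >> 13                   # top 3 bits of the 16-bit flags/fragment word
    if version != 4:
        anomalies.append("ip.version")
    if ihl < 5 or ihl * 4 > len(pkt):          # header length must lie in [20, len(pkt)]
        anomalies.append("ip.ihl")
    if flags & IP_FLAG_RESERVED:               # reserved bit carrying content
        anomalies.append("ip.flags.reserved")
    if total_len != len(pkt):                  # assumes pkt holds the whole, unfragmented datagram
        anomalies.append("ip.total_length")
    if ttl == 0:                               # RFC 791: a TTL of zero must be discarded
        anomalies.append("ip.ttl")
    return anomalies


def check_tcp(seg: bytes) -> list[str]:
    """Return anomaly tags for the TCP header at the start of seg."""
    anomalies = []
    if len(seg) < 20:
        return ["tcp.truncated"]
    _sport, _dport, _seq, _ack, off_rsvd, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    data_offset, reserved = off_rsvd >> 4, off_rsvd & 0x0F
    if data_offset < 5 or data_offset * 4 > len(seg):   # offset is in 32-bit words, minimum 5
        anomalies.append("tcp.data_offset")
    if reserved:                               # RFC 9293: reserved bits must be zero
        anomalies.append("tcp.reserved")
    if flags & TCP_SYN and flags & TCP_FIN:    # combination with no defined meaning (example's choice)
        anomalies.append("tcp.flags.syn_fin")
    return anomalies


def check_packet(pkt: bytes) -> list[str]:
    """Run the IPv4 checks, then the TCP checks if the payload is TCP."""
    anomalies = check_ipv4(pkt)
    if "ip.truncated" in anomalies or "ip.ihl" in anomalies:
        return anomalies                       # cannot locate the transport header safely
    ihl = pkt[0] & 0x0F
    if pkt[9] == 6:                            # IPv4 protocol number 6 is TCP
        anomalies += check_tcp(pkt[ihl * 4:])
    return anomalies


def build_packet(ip_flags: int, tcp_off_rsvd: int, tcp_flags: int) -> bytes:
    """Construct a minimal IPv4+TCP packet (checksums left zero; sample data only)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, tcp_off_rsvd, tcp_flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, ip_flags << 13, 64, 6, 0, src, dst)
    return ip + tcp


# Constructed samples: a compliant SYN (DF set, reserved bits clear) and one that
# hides content in the IPv4 reserved flag bit and the TCP reserved bits.
CLEAN = build_packet(ip_flags=0x2, tcp_off_rsvd=0x50, tcp_flags=TCP_SYN)
ANOMALOUS = build_packet(ip_flags=0x6, tcp_off_rsvd=0x5F, tcp_flags=TCP_SYN | TCP_FIN)

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN), ("anomalous", ANOMALOUS)):
        print(name, check_packet(pkt))
```

The clean packet yields no tags; the anomalous one yields tags for the IPv4 reserved flag bit, the TCP reserved bits and the SYN+FIN combination. Note what the checker does not see: the Identification field 0x1234 is within range and therefore passes, which is why a storage channel in that field needs entropy analysis rather than specification checking.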
Related terms
- Covert channel
- Any communication path that was not intended by the system designer and that bypasses access-control or monitoring policies. Network covert channels are...
- DNS tunnelling
- Encoding data inside DNS queries and responses to exfiltrate information or carry command-and-control traffic through a network that permits DNS but blocks...
- Entropy analysis
- A statistical technique that measures the randomness of data in a field or stream. Protocol fields that should contain low-entropy predictable values...
- Storage channel
- A covert channel that encodes information in the value of a protocol field, such as the IP Identification field or a DNS...
- Timing channel
- A covert channel that encodes information in the intervals between network events, such as inter-packet delays, rather than in packet content. Timing...
Explained in
- Network Steganography and Covert Channels