Question

Why is wireless frame analysis is important to cybersecurity? Provide all of the details.

Answer 1

Network flow data is aggregated packet header data (but no content capture) for a communication between a source and a destination. Communications are distinguished by the protocol-level information in the header and the proximity in time (i.e., a flow contains aggregated header information for all packets that use the same protocol settings within a designated time window). There are several reasons that network flow data is a useful format for analyzing network traffic:

The lack of specific details regarding the content of a specific piece of traffic makes the collection of network flow highly concise. Network flow enables analysts to record the presence of a communication in a very small footprint, which means the data can be collected economically across a large network and stored for months to years (and also limits or eliminates personally identifying information [PII]).

Network flow contains sufficient indicative information to allow network defenders to perform a variety of analyses to search for threats or context information that can help defenders understand what is going on. For example, when examining web traffic, network flow data would contain the source and destination IP addresses involved, the amount of data sent, the number of packets, and the time duration of the communication.

Most web traffic from server to client is quick, with high byte volume and relatively modest numbers of packets (since the server is sending relatively full packets to the client). If traffic from server to client involves more modest byte volumes and higher numbers of packets over a longer timeframe, then it can be questioned as to whether it is normal web traffic. If such abnormal flows occur in patterns outside of normal workday patterns, then suspicions would be raised further. On the other hand, network defenders and analysts must have enough context to identify key websites for users and make sure that they are not blocked.

Network flow can also be used to identify a likely source of a spam email within a five-minute window of its arrival on a network and implement remediation. For example, a rolling block can reduce spam traffic by as much as 75 percent by rapidly blocking out the source IP address, even for short periods of time.

No matter which approach a defender uses, network attackers are often good at hiding behaviors with respect to any single data source. For example, if network attackers have styled their attacks so that they can't be detected through antivirus software or common IDS rules, analysts must then rely on network flow analysis, changes in service behaviors, or log file entries. Figure 1 below shows a visualization of a fictitious attack, merging IDS alerts (which produced the attack labels on the hosts), network population information (which produced the presence or absence of hosts at an IP address) and network flow data (which produced the traffic volume timelines shown on network links). Such a visualization can aid in both understanding and responding to attacks.

Referred from Cisco's Visual Networking Index report.