Linux anomalous network activity

Goal

Detects network activity caused by processes that occur rarely compared to other processes. It uses a rare function, which detects values that occur rarely over time or rarely across a population.

Description

Models the occurrence of processes that cause network activity and identifies OS processes that do not usually use the network but show unexpected network activity. Such activity can indicate command-and-control, lateral movement, persistence, or data exfiltration.

A process with unusual network activity can indicate process exploitation or injection, where a compromised process is used to run persistence mechanisms that give a malicious actor remote access to or control of the host, to exfiltrate data, or to execute unauthorised network applications.
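The following is an added example, not the product's own ML job or code, that shows the two rarity measures described above over constructed sample events using the required fields listed below (hostName, processName, userName, destinationAddress, action). The timestamp field name "ts", the host and process names, the addresses and the thresholds are all assumptions made for the illustration; the scoring is a plain frequency count standing in for the rare function.

```python
"""Toy rarity scoring for process-driven network events (added illustration,
not the page's product or its ML model)."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed population: four hosts observed over four days (assumed names).
HOSTS = ["web01", "web02", "web03", "db01"]
DAYS = [date(2024, 5, 1) + timedelta(days=i) for i in range(4)]


def _ev(day, host, proc, user, dst):
    # "ts" is an assumed field name; the page lists only the other five fields.
    return {"ts": day.isoformat() + "T00:00:00", "hostName": host,
            "processName": proc, "userName": user,
            "destinationAddress": dst, "action": "connect"}


def build_sample():
    """Constructed sample events (not real logs): the web hosts run nginx and
    sshd daily, the database host runs sshd and postgres daily, and on the
    last day python3 on web02 makes a single connection to a documentation
    address (203.0.113.10, RFC 5737 TEST-NET-3)."""
    events = []
    for day in DAYS:
        for host in HOSTS:
            events.append(_ev(day, host, "sshd", "root", "10.0.0.1"))
            if host.startswith("web"):
                events.append(_ev(day, host, "nginx", "www-data", "10.0.0.5"))
            else:
                events.append(_ev(day, host, "postgres", "postgres", "10.0.0.20"))
    events.append(_ev(DAYS[-1], "web02", "python3", "www-data", "203.0.113.10"))
    return events


def population_rarity(events):
    """Share of hosts on which each process caused network activity.
    A low share means the process is rare for the population of hosts."""
    hosts_by_proc = defaultdict(set)
    all_hosts = set()
    for e in events:
        all_hosts.add(e["hostName"])
        hosts_by_proc[e["processName"]].add(e["hostName"])
    return {p: len(h) / len(all_hosts) for p, h in hosts_by_proc.items()}


def temporal_rarity(events):
    """Share of observed days on which each (host, process) pair caused
    network activity. A low share means the process is rare over time on
    that host. Events are bucketed by the date part of "ts"."""
    days_by_pair = defaultdict(set)
    all_days = set()
    for e in events:
        day = e["ts"][:10]
        all_days.add(day)
        days_by_pair[(e["hostName"], e["processName"])].add(day)
    return {k: len(d) / len(all_days) for k, d in days_by_pair.items()}


def score_events(events, pop_threshold=0.3, time_threshold=0.3):
    """Return {(host, process): set(reasons)} for pairs that are rare by
    either measure. Thresholds are arbitrary and would be tuned per site."""
    pop = population_rarity(events)
    tmp = temporal_rarity(events)
    hits = defaultdict(set)
    for e in events:
        key = (e["hostName"], e["processName"])
        if pop[e["processName"]] <= pop_threshold:
            hits[key].add("rare_for_population")
        if tmp[key] <= time_threshold:
            hits[key].add("rare_over_time")
    return dict(hits)


if __name__ == "__main__":
    for (host, proc), reasons in sorted(score_events(build_sample()).items()):
        print(f"{host:6} {proc:9} {', '.join(sorted(reasons))}")
```

Running the script flags two pairs: python3 on web02 is rare by both measures, which is the pattern this detection targets, while postgres on db01 is rare only for the population because a single database host runs it every day. That second hit is the kind of benign population-rare result a practitioner tunes away, for example by partitioning hosts by role or by weighting the over-time measure, before treating a hit as command-and-control or exfiltration.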

Characteristics

Name
Linux anomalous network activity

Type

Network

Data source

Linux logs (agent)

Required fields

destinationAddress

hostName

processName

userName

action

Last updated