IPC Traffic Analysis
Definition
Analyzing standard inter-process communication (IPC) protocols to detect deviations from normal protocol activity.
Synonyms: IPC Analysis
How it works
Inter-process communication enables applications or threads to share data, either within a single computer or between multiple computers remotely over network protocols. Monitoring IPC in your environment can reveal abnormal or malicious activity. Because IPC can be local or remote, there are multiple ways to collect and monitor these exchanges between processes. A network protocol analyzer may monitor and parse SMB network traffic to record system activity. A host-based monitoring agent may monitor IPC activity contained within a single host to look for deviations from standard usage.
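As an added example, not part of the D3FEND article or of the CAR analytics it cites, the following Python sketch applies three of the SMB checks named in the references to constructed, already-parsed SMB event records: writes to administrative shares, writes to named pipes under IPC$, and an unusual number of session setups from a single source. The record field names and the session-setup threshold are assumptions, not a particular sensor's schema.

```python
from collections import Counter

ADMIN_SHARES = {"ADMIN$", "C$"}
SESSION_SETUP_THRESHOLD = 10  # assumed per-source baseline for the window


def constructed_events():
    """Constructed sample records; field names are assumptions, not a tool schema."""
    events = [
        {"src": "10.0.0.5", "dst": "10.0.0.20", "op": "SESSION_SETUP", "share": "", "path": ""},
        {"src": "10.0.0.5", "dst": "10.0.0.20", "op": "WRITE", "share": "ADMIN$", "path": "svc.exe"},
        {"src": "10.0.0.5", "dst": "10.0.0.20", "op": "WRITE", "share": "IPC$", "path": "svcctl"},
        {"src": "10.0.0.7", "dst": "10.0.0.21", "op": "WRITE", "share": "Shared", "path": "report.docx"},
    ]
    # one source opening SMB sessions to twelve different hosts in the window
    events += [
        {"src": "10.0.0.9", "dst": f"10.0.0.{n}", "op": "SESSION_SETUP", "share": "", "path": ""}
        for n in range(30, 42)
    ]
    return events


def analyze_smb_events(events):
    """Return (rule, source, detail) findings for deviations from normal SMB use."""
    findings = []
    setups = Counter()
    for e in events:
        if e["op"] == "SESSION_SETUP":
            setups[e["src"]] += 1
        elif e["op"] == "WRITE":
            if e["share"] in ADMIN_SHARES:
                # file dropped into an administrative share (remote copy pattern)
                findings.append(("admin_share_write", e["src"], f"{e['share']}\\{e['path']}"))
            elif e["share"] == "IPC$":
                # write to a named pipe, i.e. RPC-style IPC carried over SMB
                findings.append(("named_pipe_write", e["src"], e["path"]))
    # volume check runs after the pass so the count covers the whole window
    for src, n in sorted(setups.items()):
        if n > SESSION_SETUP_THRESHOLD:
            findings.append(("session_setup_volume", src, f"{n} session setups"))
    return findings


if __name__ == "__main__":
    for rule, src, detail in analyze_smb_events(constructed_events()):
        print(f"{rule:22} {src:10} {detail}")
```

In practice the threshold and the set of shares and pipes worth flagging come from a baseline of the environment's normal IPC, which is why the considerations below note that collecting everything may not be feasible.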
Examples
- SMB
- Zeromq
- Java RMI API
Considerations
- IPC can generate substantial amounts of data, and it may not be feasible to collect all of it.
- IPC may occur over loopback interfaces or direct memory access granted by the operating system.
References
The following references were used to develop the IPC Traffic Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
CAR-2015-04-001: Remotely Scheduled Tasks via AT
CAR-2013-05-005: SMB Copy and Execution
CAR-2013-01-003: SMB Events Monitoring
CAR-2013-09-003: SMB Session Setups
CAR-2014-03-001: SMB Write Request - NamedPipes
CAR-2013-05-003: SMB Write Request
Security System with Methodology for Interprocess Communication Control
MITRE Comments
This patent describes a technique for monitoring inter-process communications to prevent malicious applications from requesting system services. API calls are monitored to detect malicious applications attempting to open a communication channel (port) to access system services, or sending messages to other applications using user32 API functions. These requests are examined against an external rules engine or whitelist; a match denies or blocks access and produces an error message such as "connection refused" or "service not available".