Relay Pattern Analysis
Definition
The detection of an internal host relaying traffic between the internal network and the external network.
Synonyms: Relay Network Detection
How it works
A relay may use any of several proxying, forwarding, or routing technologies to bridge a protected network with an external network. A defensive analytic for detecting a relay network may compare network sessions across multiple hosts: hosts whose session statistics are nearly identical may be part of a relay network. Such statistics may include the number of bytes sent and received, the time of session initiation, packet size, or packet arrival time data.
Considerations
Complex intranet VPNs or routing encapsulation may affect the detection analytics. In addition, unwanted packets might not be forwarded, and additional packets may be added at the relay, further complicating detection.
References
The following references were used to develop the Relay Pattern Analysis knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Malicious relay detection on networks
MITRE Comments
This patent describes a technique for detecting relay networks, in which an attacker outside the organization's network takes control of an internal host and uses it as a source of attacks against other internal targets or to exfiltrate data from the organization. In this defensive technique, metadata extracted from collected network packet captures is used to categorize network sessions against known relay behaviors. Information such as the number of bytes sent to and from a potential internal relay host, the time of session initiation, packet contents, packet size, flow direction, and packet arrival time statistics is used to categorize the sessions and identify relay behavior. The technique assumes that the inter-packet arrival times of relay network connections exhibit a high degree of variance compared with standard client-to-server connections. If enough evidence of relay behavior is gathered about a given internal host, the host is flagged as suspicious and an alert is generated.
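The analytic described under "How it works" and in the MITRE comments, as an added illustration that is not part of the original article or of the referenced patent: session summaries are paired per host (inbound session matched to an outbound one by initiation time and per-direction byte counts), and a pair only counts as relay evidence when inter-packet arrival timing is highly variable. The Flow schema, the thresholds, and the sample flows are all constructed assumptions.

```python
from collections import namedtuple
from statistics import mean, pstdev

# One session summarised from a packet capture (constructed schema): start is the
# initiation time, bytes_fwd/bytes_rev the bytes per direction, arrivals the packet
# timestamps; all times in seconds.
Flow = namedtuple("Flow", "src dst start bytes_fwd bytes_rev arrivals")

def arrival_cv(arrivals):
    """Coefficient of variation of inter-packet arrival times (0.0 if too few packets)."""
    gaps = [b - a for a, b in zip(arrivals, arrivals[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return 0.0
    return pstdev(gaps) / mean(gaps)

def _close(a, b, tol):
    return abs(a - b) <= tol * max(a, b, 1)  # relative tolerance, safe for zero counts

def relay_evidence(flows, byte_tol=0.05, start_window=2.0, cv_threshold=1.0):
    """Count relay-like session pairs per host: an inbound session (host is dst) and an
    outbound one (host is src) that start within start_window seconds, carry
    near-identical byte counts per direction, and show bursty packet timing."""
    evidence = {}
    for inb in flows:
        for outb in flows:
            if outb is inb or outb.src != inb.dst or outb.dst == inb.src:
                continue  # not a forwarding pair, or just a hairpin reply
            if abs(outb.start - inb.start) > start_window:
                continue
            if not (_close(inb.bytes_fwd, outb.bytes_fwd, byte_tol)
                    and _close(inb.bytes_rev, outb.bytes_rev, byte_tol)):
                continue
            if max(arrival_cv(inb.arrivals), arrival_cv(outb.arrivals)) < cv_threshold:
                continue  # steady client/server timing, not relay-like
            evidence[inb.dst] = evidence.get(inb.dst, 0) + 1
    return evidence

def suspicious_hosts(flows, min_evidence=1, **kw):
    """Hosts with at least min_evidence relay-like pairs, i.e. those that would raise an alert."""
    return sorted(h for h, n in relay_evidence(flows, **kw).items() if n >= min_evidence)

# Constructed sample: 10.0.0.7 bridges an external peer to an internal target with bursty
# timing; 10.0.0.9 also has matching byte counts but steady client/server timing.
BURSTY = [0.0, 0.01, 0.02, 1.5, 1.51, 4.0, 4.02]
STEADY = [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6]
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "10.0.0.7", 100.0, 1200, 48000, BURSTY),
    Flow("10.0.0.7", "10.0.0.20", 100.4, 1180, 47600, BURSTY),
    Flow("203.0.113.9", "10.0.0.9", 200.0, 900, 5200, STEADY),
    Flow("10.0.0.9", "10.0.0.21", 200.5, 900, 5200, STEADY),
]
```

`suspicious_hosts(SAMPLE_FLOWS)` flags only 10.0.0.7; the steady-timed pair on 10.0.0.9 is rejected by the arrival-time check even though its byte counts match, which is the timing assumption the comments describe.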