Architecture
About the core architecture

[Figure 2-1: Core Architecture of Symantec Network Security. Inputs: Network Traffic, External Sources. Detection stage: Protocol Anomaly Detection, Stateful Signatures, User-defined Signatures, DoS Detection, Scan Detection, EDP Detection. Followed by the Analysis and Response stages.]
This section describes the following topics:
■ About detection
■ About analysis
■ About response
Symantec Network Security uses multiple methods of threat detection that
provide both broad and deep detection of network-borne threats. These include
Protocol Anomaly Detection (PAD), traffic rate monitoring, and network pattern
matching, or signature-based detection.
Each of these methods has strengths and weaknesses. Signature-based
approaches can miss new attacks; protocol anomaly detection can miss attacks
that are not considered anomalies; traffic anomaly detection misses single-shot
or low-volume attacks; and behavioral anomaly detection misses attacks that
are difficult to differentiate from normal behavior.
Symantec Network Security combines multiple techniques and technologies
into a single solution. In addition, it adapts to the changing threat landscape by
adopting new techniques and technologies that improve upon or replace
existing ones.
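As an added illustration of why these methods complement one another (example code written for this page, not part of Symantec's product or documentation): three simplified detectors, a signature matcher, an HTTP protocol-anomaly check and a per-source rate check, are run over constructed request lines. The signature, the URI length limit and the rate threshold are assumed values, and the requests are constructed, not captured traffic.

```python
import re
from collections import Counter

# Constructed sample HTTP request lines as (source_ip, request); not real captured traffic.
EVENTS = [
    ("10.0.0.5", "GET /index.html HTTP/1.1"),             # benign
    ("10.0.0.6", "GET /cgi-bin/known-bad.cgi HTTP/1.1"),  # matches a known pattern
    ("10.0.0.7", "GET /" + "A" * 600 + " HTTP/1.1"),      # well-formed grammar but oversized URI
    ("10.0.0.8", "GET /novel-attack.php HTTP/1.1"),       # new, well-formed, single request
] + [("10.0.0.9", f"GET /page{i}.html HTTP/1.1") for i in range(25)]  # flood from one host

# Constructed signature; stands in for a vendor rule, not a real Symantec signature.
SIGNATURES = [re.compile(r"/cgi-bin/known-bad\.cgi")]
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]$")
MAX_URI_LEN = 512      # assumed protocol limit used by the anomaly check
RATE_THRESHOLD = 20    # assumed per-source request threshold used by the rate check

def signature_detect(request):
    """Pattern matching: fires only on requests that match a known signature."""
    return any(sig.search(request) for sig in SIGNATURES)

def protocol_anomaly_detect(request):
    """PAD: fires when the request line violates the expected HTTP grammar or limits."""
    match = REQUEST_LINE.match(request)
    return match is None or len(match.group(2)) > MAX_URI_LEN

def rate_detect(events):
    """Traffic-rate monitoring: fires per source once its request count exceeds the threshold."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n > RATE_THRESHOLD}

def classify(events):
    """Return, per source IP, the set of detection methods that flagged it."""
    flagged = {ip: set() for ip, _ in events}
    for ip in rate_detect(events):
        flagged[ip].add("rate")
    for ip, request in events:
        if signature_detect(request):
            flagged[ip].add("signature")
        if protocol_anomaly_detect(request):
            flagged[ip].add("protocol_anomaly")
    return flagged

if __name__ == "__main__":
    # 10.0.0.8 is caught by none of the three: novel, well-formed and low-volume.
    for ip, methods in classify(EVENTS).items():
        print(ip, sorted(methods) or "not detected")
```

Each detector catches exactly one of the constructed sources, and the novel single-shot request from 10.0.0.8 slips past all three, which is the gap the text attributes to each method in isolation.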