Analysis of Processes, Services, and Ports


Process analysis checks whether the actions a process actually performs correspond to the ones its developers intended (here I leave aside self-modifying systems, such as those based on genetic algorithms). A process whose behavior does not match its design and intent may indicate a security policy violation. Investigating processes is a complicated and time-consuming task that requires high qualifications, skill and a large amount of resources. How deep the investigation can go depends on how much information about normal process behavior you have at your disposal. Generally, you need to search for the following:

  • Absent processes

  • Additional processes (for example, the presence of the patch.exe process in Windows-based operating system is evidence that the NetBus "Trojan" server component is running on that computer)

  • Unusual behavior by the process or resource

and so on. Because of the large number of processes and the rapid changes that are characteristic of most of them, continuously watching every process by hand does not make sense. Furthermore, the amount of information you could gather this way is too large to store. This means you need automated mechanisms to simplify gathering the data and checking the processes. On multi-user systems, to display the current state of processes and track them over short time intervals, you can either use the operating system's built-in tools (for example, Task Manager on Windows NT/2000 or ps on Unix) or install third-party software, such as the tools supplied by SysInternals.

There are several sources of information that can help you when analyzing processes:

  • Log files of specific programs, containing the following information:

    • Data on the programs (who started a specific program and when, how long it ran and which resources it accessed)

    • Attempts to log on or to establish network connections

    • Attempts to access protected data and resources

  • Results of running programs, which provides the following information:

    • The current state of system processes

    • The configuration of resources and devices on your computer

    • Which resources and devices are currently used by processes, and how they are used

    • Files that are currently opened by the processes

    • The program state and activities related to the currently opened network connections

  • System and network monitoring programs, which indicate that they have detected one of the following:

    • Unexpected labels and resource types used in the system

    • Attempts to log on using a privileged user account

    • Attempts at accessing important system files or protected resources

    • Unexpected labels and types of network traffic

    • Network interfaces working in promiscuous mode

    • Other unexpected changes in hardware configuration
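The two preceding passages describe the same job from two angles: compare what is running now against a known-good picture (absent processes, additional processes such as the NetBus patch.exe, processes behaving unusually), and do it from the sources listed above (the process table, open ports, the program that owns each port). The following Python is an added example written for this page, not code from the book; it parses constructed, ps-style and netstat-style listings, diffs them against a constructed baseline, and reports each kind of deviation. The baseline entries, the process and port listings, and the helper names (parse_ps, parse_listeners, analyze) are all assumptions for illustration; on a live host you would feed it the real output of ps and netstat (or Task Manager and the SysInternals tools on Windows) in the same shape.

```python
"""Diff a process/listening-port snapshot against a baseline (added example).

All data below is constructed for the example. The parsers accept the column
layout of `ps -eo user,pid,comm,args` and `netstat -lntp`; substitute real
captures on a live system.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

PsEntry = Tuple[str, int, str, str]   # (user, pid, comm, executable path)
Finding = Tuple[str, str, str]        # (kind, process label, detail)

# Constructed baseline: name -> (expected path, expected user, ports it may listen on).
BASELINE = {
    "init":    ("/sbin/init",        "root", set()),
    "sshd":    ("/usr/sbin/sshd",    "root", {22}),
    "cron":    ("/usr/sbin/cron",    "root", set()),
    "syslogd": ("/usr/sbin/syslogd", "root", set()),
    "httpd":   ("/usr/sbin/httpd",   "www",  {80, 443}),
}
REQUIRED = {"sshd", "syslogd"}      # their absence is itself a finding

# Names the text cites as evidence of a Trojan server (NetBus); extend from your own list.
KNOWN_BAD_NAMES = {"patch.exe"}

# Constructed `ps -eo user,pid,comm,args` style listing.
PS_SNAPSHOT = """\
USER   PID COMMAND   ARGS
root     1 init      /sbin/init
root   412 sshd      /usr/sbin/sshd -D
root   430 cron      /usr/sbin/cron
www    612 httpd     /usr/sbin/httpd -k start
www    613 httpd     /usr/sbin/httpd -k start
root   777 patch.exe /tmp/patch.exe /noadd
www    801 httpd     /tmp/.x/httpd -k start
"""

# Constructed `netstat -lntp` style listing.
NETSTAT_SNAPSHOT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      612/httpd
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      777/patch.exe
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      801/httpd
tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN      999/kd
"""


def parse_ps(text: str) -> List[PsEntry]:
    """Return (user, pid, comm, path) per line; the path is the first args token."""
    entries = []
    for line in text.splitlines()[1:]:          # skip the header line
        if not line.strip():
            continue
        user, pid, comm, args = line.split(None, 3)
        entries.append((user, int(pid), comm, args.split()[0]))
    return entries


def parse_listeners(text: str) -> Dict[int, Set[int]]:
    """Map pid -> set of local ports in LISTEN state from netstat-style lines."""
    ports: Dict[int, Set[int]] = defaultdict(set)
    for line in text.splitlines():
        m = re.search(r":(\d+)\s+\S+\s+LISTEN\s+(\d+)/", line)
        if m:
            ports[int(m.group(2))].add(int(m.group(1)))
    return dict(ports)


def analyze(ps_entries: List[PsEntry], listeners: Dict[int, Set[int]]) -> List[Finding]:
    """Report absent, additional (incl. known Trojan names), unusual and hidden processes."""
    findings: List[Finding] = []
    seen_names = {comm for _, _, comm, _ in ps_entries}
    for name in sorted(REQUIRED - seen_names):                       # absent processes
        findings.append(("absent", name, "required process is not running"))
    for user, pid, comm, path in ps_entries:
        label = f"{comm}[{pid}]"
        bound = listeners.get(pid, set())
        if comm not in BASELINE:                                     # additional processes
            kind = "trojan" if comm in KNOWN_BAD_NAMES else "additional"
            detail = f"not in baseline; path {path}, user {user}"
            if bound:
                detail += f", listening on {sorted(bound)}"
            findings.append((kind, label, detail))
            continue
        exp_path, exp_user, exp_ports = BASELINE[comm]               # unusual behavior
        if path != exp_path:
            findings.append(("unusual", label, f"runs from {path}, expected {exp_path}"))
        if user != exp_user:
            findings.append(("unusual", label, f"runs as {user}, expected {exp_user}"))
        if bound - exp_ports:
            findings.append(("unusual", label, f"listening on unexpected ports {sorted(bound - exp_ports)}"))
    seen_pids = {pid for _, pid, _, _ in ps_entries}
    for pid in sorted(set(listeners) - seen_pids):                   # socket owner missing from ps
        findings.append(("hidden", f"pid {pid}", "owns a listening socket but is absent from the process list"))
    return findings


if __name__ == "__main__":
    for kind, proc, detail in analyze(parse_ps(PS_SNAPSHOT), parse_listeners(NETSTAT_SNAPSHOT)):
        print(f"{kind:10} {proc:16} {detail}")
```

The "hidden" check is the one worth keeping even if you drop the rest: a pid that owns a listening socket but does not appear in the process listing is exactly the discrepancy between two of the information sources above that a manual review tends to miss, and it is a classic sign that the process list is being filtered.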




Protect Your Information with Intrusion Detection (Power)
ISBN: 1931769117
Year: 2001
Pages: 152
