Esc

Application Protocol Command Analysis

D3-APCA (Application Protocol Command Analysis)

Definition

Analyzing application protocol level remote commands to detect unauthorized activity.

How it works

This technique requires the ability to parse application layer protocols to understand the commands being sent to a remote service. Signature-based or statistical analysis may be employed to identify unauthorized commands being sent. These commands can be observed by monitoring network traffic or application logs.

loading...

Technique Subclasses

There are 2 techniques in this category, Application Protocol Command Analysis.

Name	ID	Definition	Synonyms
Application Protocol Command Analysis	D3-APCA	Analyzing application protocol level remote commands to detect unauthorized activity.
- Remote Firmware Update Monitoring	D3-RFUM	Monitoring of remote firmware update commands to identify unauthorized software installations.

loading...

References

All

Patent

The following references were used to develop the Application Protocol Command Analysis knowledge-base article.

(Note: the consideration of references does not imply specific functionality exists in an offering.)

Method and apparatus for detecting anomalies of an infrastructure in a network

Reference Type: Patent Organization: Nozomi Networks

Source:

https://patents.google.com/patent/AU2023200991A1/

Protocol based detection of suspicious network traffic

Reference Type: Patent Organization: Fortinet

Source:

https://patents.google.com/patent/US10084816B2/

D3FEND^™

A knowledge graph of cybersecurity countermeasures

−

Agent Authentication

Biometric Authentication

Certificate-based Authentication

Multi-factor Authentication

Password Authentication

Token-based Authentication

Application Hardening

Application Configuration Hardening

Dead Code Elimination

Exception Handler Pointer Validation

Pointer Authentication

Process Segment Execution Prevention

Segment Address Offset Randomization

Stack Frame Canary Validation

Credential Hardening

Certificate Pinning

Credential Rotation

Certificate Rotation

Password Rotation

One-time Password

Strong Password Policy

Change Default Password

Message Hardening

Message Authentication

Message Encryption

Transfer Agent Authentication

Platform Hardening

Bootloader Authentication

Disk Encryption

Driver Load Integrity Checking

File Encryption

Hardware-based Write Protection

Software Update

System Configuration Permissions

TPM Boot Integrity

Source Code Hardening

Credential Scrubbing

Integer Range Validation

Pointer Validation

Memory Block Start Validation

Null Pointer Checking

Reference Nullification

Trusted Library

Variable Initialization

Variable Type Validation

−

Dynamic Analysis

Emulated File Analysis

File Content Analysis

File Content Rules

Identifier Analysis

Homoglyph Detection

Identifier Activity Analysis

Identifier Reputation Analysis

Domain Name Reputation Analysis

File Hash Reputation Analysis

IP Reputation Analysis

URL Reputation Analysis

Message Analysis

Sender MTA Reputation Analysis

Sender Reputation Analysis

Platform Monitoring

File Integrity Monitoring

Firmware Behavior Analysis

Firmware Embedded Monitoring Code

Firmware Verification

Peripheral Firmware Verification

System Firmware Verification

Operating Mode Monitoring

Operating System Monitoring

Endpoint Health Beacon

Input Device Analysis

Memory Boundary Tracking

Scheduled Job Analysis

System Daemon Monitoring

System File Analysis

Service Binary Verification

System Init Config Analysis

User Session Init Config Analysis

Process Analysis

Database Query String Analysis

File Access Pattern Analysis

Indirect Branch Call Analysis

Process Code Segment Verification

Process Self-Modification Detection

Process Spawn Analysis

Process Lineage Analysis

Script Execution Analysis

Shadow Stack Comparisons

System Call Analysis

File Creation Analysis

User Behavior Analysis

Authentication Event Thresholding

Authorization Event Thresholding

Credential Compromise Scope Analysis

Domain Account Monitoring

Job Function Access Pattern Analysis

Local Account Monitoring

Resource Access Pattern Analysis

Session Duration Analysis

User Data Transfer Analysis

User Geolocation Logon Pattern Analysis

Web Session Activity Analysis

−

Access Mediation

Credential Transmission Scoping

IO Port Restriction

Network Access Mediation

LAN Access Mediation

Routing Access Mediation

Network Resource Access Mediation

Remote File Access Mediation

Web Session Access Mediation

Endpoint-based Web Server Access Mediation

Proxy-based Web Server Access Mediation

Operating Mode Restriction

Physical Access Mediation

System Call Filtering

Local File Access Mediation

Access Policy Administration

Domain Trust Policy

Local File Permissions

User Account Permissions

Content Filtering

Content Modification

Content Excision

Content Format Conversion

Content Rebuild

Content Substitution

Content Quarantine

Content Validation

File Format Verification

File Content Decompression Checking

File Internal Structure Verification

File Metadata Consistency Validation

File Metadata Value Verification

File Magic Byte Verification

Execution Isolation

Application-based Process Isolation

Executable Allowlisting

Executable Denylisting

Hardware-based Process Isolation

Kernel-based Process Isolation

Network Isolation

Broadcast Domain Isolation

Directional Network Link

DNS Allowlisting

DNS Denylisting

Forward Resolution Domain Denylisting

Hierarchical Domain Denylisting

Homoglyph Denylisting

Forward Resolution IP Denylisting

Reverse Resolution IP Denylisting

Encrypted Tunnels

Network Traffic Filtering

Inbound Traffic Filtering

Email Filtering

Outbound Traffic Filtering

−

Decoy Environment

Connected Honeynet

Integrated Honeynet

Standalone Honeynet

Decoy Network Resource

Decoy Public Release

Decoy Session Token

Decoy User Credential

−

Reissue Credential

Restore Network Access

Restore User Account Access

Restore Configuration

Restore Database

Restore Disk Image

Restore Software