
How Deep Defense and Log Analysis Can Thwart Intrusions

This article explains Google’s BeyondCorp concept, the need for deep defense of internal and perimeter networks, and provides practical Linux scripts for monitoring processes, ports, command usage, system events, file changes, and SFTP activity to detect and mitigate host intrusions.

Efficient Ops

Overview

Google’s BeyondCorp initiative aims to eliminate the distinction between internal and external networks. It treats the internal network as no more trustworthy than the Internet, for two reasons: once the perimeter is breached, attackers can easily reach internal applications; and mobile and cloud adoption makes perimeter protection increasingly difficult.

If the internal network boundary is compromised, attackers can quickly reach internal services.

With widespread mobile and cloud usage, treating internal and external traffic uniformly simplifies security.

Therefore, both internal and perimeter security must be addressed.

1. Principle

The author draws an analogy with a kidnapping case: when direct observation is unavailable, logical inference from indirect clues can still reveal hidden activity. In the same way, deep defense with diversified monitoring points greatly reduces security risk.

Having layered defense and systematic monitoring creates many detection points, dramatically lowering the chance of successful intrusion.

Deep defense for a host involves monitoring network traffic, processes, files, command execution, and system events to uncover most intrusion behaviors.

Typical attack steps start with reconnaissance such as network, port, and vulnerability scanning, followed by exploitation of weaknesses like unpatched vulnerabilities or weak passwords.

Network anomalies, e.g., a host generating a flood of port requests, indicate scanning.

Host anomalies, e.g., numerous failed login attempts, indicate password‑guessing attacks.

Compromised hosts may upload malicious files, create hidden accounts, initiate illegal outbound connections, or run disguised processes.

2. Technical

Below are useful Linux scripts for host‑level monitoring.

1. Process Monitoring

The script parses <code>ps aux</code> output, then formats, sorts, and deduplicates it and filters out system processes.

2. Port Monitoring

The script uses <code>ss -ntu</code> to list IP and port information, excludes localhost connections, and formats the output.

3. Command Audit

The script extracts command history, formats it, and sends it via syslog for real‑time auditing of user command activity.

4. System Events

Typical events, such as successful or failed logins, are recorded in <code>/var/log/secure</code>.

Jan 1 11:29:45 localhost sshd[29778]: Accepted password for secisland from xx.xx.xx.72 port 14630 ssh2
Jan 1 11:29:45 localhost sshd[29778]: pam_unix(sshd:session): session opened for user secilog by (uid=0)
Jan 1 11:29:45 localhost sshd[29778]: subsystem request for sftp by user secilog
Jan 1 11:29:45 localhost sshd[29778]: pam_unix(sshd:session): session closed for user secilog
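The failed-login anomaly from the Principle section and the <code>/var/log/secure</code> events above can be turned into a simple detection. The following script is an added example, not one of the article's own scripts; it parses constructed sshd log lines embedded in the script (replace <code>SAMPLE_LOG</code> with the real log file to use it) and reports sources that exceed a failed-login threshold.

```shell
#!/bin/sh
# Added example: summarise sshd authentication events from /var/log/secure-style
# lines. The sample below is constructed so the script runs offline; in practice
# feed it the real file, e.g. cat /var/log/secure.
SAMPLE_LOG=$(cat <<'EOF'
Jan 1 11:29:45 localhost sshd[29778]: Accepted password for secisland from 198.51.100.72 port 14630 ssh2
Jan 1 11:30:01 localhost sshd[29801]: Failed password for root from 203.0.113.9 port 50122 ssh2
Jan 1 11:30:03 localhost sshd[29801]: Failed password for root from 203.0.113.9 port 50124 ssh2
Jan 1 11:30:05 localhost sshd[29801]: Failed password for invalid user admin from 203.0.113.9 port 50126 ssh2
Jan 1 11:30:09 localhost sshd[29830]: Failed password for secilog from 198.51.100.72 port 14640 ssh2
Jan 1 11:31:00 localhost sshd[29840]: subsystem request for sftp by user secilog
EOF
)

# failed_logins_by_ip: print "<count> <ip>" for every source that produced a
# "Failed password" line, most failures first. The word after "from" is the
# source address, which also handles "invalid user" lines.
failed_logins_by_ip() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/sshd\[[0-9]+\]: Failed password for/ {
                 for (i = 1; i <= NF; i++) if ($i == "from") ips[$(i+1)]++
             }
             END { for (ip in ips) print ips[ip], ip }' |
        sort -rn
}

# brute_force_sources THRESHOLD: sources with at least THRESHOLD failures,
# i.e. the password-guessing pattern the article describes.
brute_force_sources() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# accepted_logins: "<user> <ip>" for every successful password login, useful
# for checking whether a guessing source eventually got in.
accepted_logins() {
    printf '%s\n' "$SAMPLE_LOG" |
        awk '/sshd\[[0-9]+\]: Accepted password for/ {
                 for (i = 1; i <= NF; i++) if ($i == "for") u = $(i+1)
                 for (i = 1; i <= NF; i++) if ($i == "from") print u, $(i+1)
             }'
}

# Report: sources at or above 3 failures, then the successful logins.
echo "Sources with >= 3 failed logins:"; brute_force_sources 3
echo "Accepted logins (user ip):"; accepted_logins
```

The threshold and the log path are the only knobs; forwarding the output via <code>logger</code> to the same syslog destination as the command audit keeps all host events in one place.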

5. Upload/Download Logging

Enable SFTP logging in the SSH daemon and forward logs to syslog.

# /etc/ssh/sshd_config: have sftp-server log at INFO level to the local0 facility
Subsystem sftp /usr/libexec/openssh/sftp-server -l INFO -f LOCAL0
# /etc/rsyslog.conf: forward everything on local0 to the central log host (replace ip)
local0.* @ip

6. File Change Monitoring

Use Linux’s inotify mechanism to watch file creations, modifications, deletions, moves, and attribute changes.

<code>nohup ./inotifywait -c -rme create,modify,delete,move,attrib,delete_self /home /etc &</code>

The modified inotify tool (SeciInotify) adds syslog output.

<code>https://github.com/zhulinu/SeciInotify</code>

Conclusion

Implementing a deep defense architecture that continuously analyzes network, process, command, file, and upload/download behavior enables early detection of intrusions and significantly reduces risk; leveraging log‑analysis platforms such as Splunk, ArcSight, Secilog, or the ELK stack further improves efficiency.

Tags: Information Security, Log Analysis, inotify, linux monitoring, deep defense, host intrusion detection
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
