Three More No-Capex Ways to Detect Network Intruders

I previously outlined three strategies for detecting intruders on your network without the need for a large capital expense for specialized systems. In fact, you don’t even need a managed service provider.


Now, as promised, here are three more ways:

  1. Using time stamps and the geolocation of source IP addresses, look for simple irregularities in log-ins and access patterns. The most obvious is an account that logs in from two countries so close together in time that both sessions cannot be legitimate: divide the distance between the two locations by the elapsed time, and if the implied speed exceeds that of an airliner, one of the log-ins is not the user. Expect noise from VPN exit nodes, mobile carriers and corporate NAT, whose addresses often geolocate far from the actual person. Geolocation data is available for free or at low cost.
  2. When the HTML response sizes leaving your web servers are much larger than usual for a given page, that is a possible sign of SQL injection: an injected query that dumps a whole table produces a response many times the size of the normal page. Baseline sizes per URL path rather than for the site as a whole, or legitimate large downloads will drown out the signal.
  3. Finally, watch for outbound web traffic in which a single internal host opens 30 or 40 connections within a few seconds, as if that many browser windows had opened at once. That pattern is far more likely to be an automated session (a script or malware) than a human one.
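As an added illustration (this is example code, not the author’s), here is how all three checks look when run over log data. The sample authentication, web-server and proxy records are constructed; the GEO table stands in for a free GeoIP database such as MaxMind GeoLite2 that you would query instead; and the thresholds (900 km/h, ten times the per-page median, 30 requests in five seconds) are starting assumptions to tune against your own baseline.

```python
"""Added example, not the author's code: the three heuristics from the list above,
run over constructed log samples. GEO stands in for a free GeoIP database; the
thresholds (900 km/h, 10x median, 30 requests / 5 s) are assumptions to tune."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import median

# --- 1. Impossible travel -----------------------------------------------
GEO = {  # constructed IP -> (country, lat, lon); documentation ranges only
    "203.0.113.10": ("US", 40.71, -74.01),  # New York
    "203.0.113.22": ("US", 40.71, -74.01),
    "198.51.100.7": ("SG", 1.35, 103.82),   # Singapore
    "192.0.2.5": ("GB", 51.51, -0.13),      # London
}
AUTH_LOG = [  # constructed: (timestamp, user, source IP)
    ("2024-03-01T09:00:00", "alice", "203.0.113.10"),
    ("2024-03-01T09:40:00", "alice", "198.51.100.7"),  # ~15,300 km in 40 minutes
    ("2024-03-01T10:00:00", "bob", "203.0.113.22"),
    ("2024-03-01T19:00:00", "bob", "192.0.2.5"),       # ~5,600 km in 9 hours: a flight
]

def haversine_km(p, q):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*p, *q))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, geo=GEO, max_kmh=900):
    """Flag consecutive log-ins of one account that imply travel faster than
    max_kmh. A non-zero distance in zero elapsed time is flagged as well."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):          # ISO timestamps sort lexically
        by_user[user].append((datetime.fromisoformat(ts), ip))
    findings = []
    for user, logins in by_user.items():
        for (t0, ip0), (t1, ip1) in zip(logins, logins[1:]):
            country0, *p0 = geo[ip0]
            country1, *p1 = geo[ip1]
            km = haversine_km(p0, p1)
            hours = (t1 - t0).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                findings.append((user, country0, country1, round(km), round(hours, 2)))
    return findings

# --- 2. Oversized responses ---------------------------------------------
ACCESS_LOG = [("/products", 4100 + 40 * i) for i in range(12)] + [
    ("/products", 1_900_000),  # constructed: a whole table dumped via injected SQL
    ("/login", 1200), ("/login", 1180), ("/login", 1210), ("/login", 1195), ("/login", 1205),
]  # constructed: (request path with the query string stripped, response bytes)

def oversized_responses(entries, factor=10, min_samples=5):
    """Flag responses larger than factor x the per-path median. The median, unlike
    the mean, is not dragged upward by the very outlier being hunted. Paths with
    fewer than min_samples requests have no usable baseline and are skipped."""
    by_path = defaultdict(list)
    for path, size in entries:
        by_path[path].append(size)
    findings = []
    for path, sizes in by_path.items():
        if len(sizes) < min_samples:
            continue
        baseline = median(sizes)
        findings += [(path, size, baseline) for size in sizes if size > factor * baseline]
    return findings

# --- 3. Request bursts --------------------------------------------------
T0 = datetime(2024, 3, 1, 11, 0, 0)
PROXY_LOG = (  # constructed: (timestamp, internal source IP, destination host)
    [((T0 + timedelta(milliseconds=50 * i)).isoformat(), "10.0.0.5", f"h{i}.example")
     for i in range(36)]                                  # 36 requests in 1.75 s
    + [((T0 + timedelta(seconds=10 * i)).isoformat(), "10.0.0.9", f"s{i}.example")
       for i in range(6)]                                 # 6 requests over a minute
)

def request_bursts(entries, window_s=5, threshold=30):
    """Flag a source IP whose request count within any sliding window of
    window_s seconds reaches threshold; report the first such window."""
    by_src = defaultdict(list)
    for ts, src, _host in entries:
        by_src[src].append(datetime.fromisoformat(ts))
    findings = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1                      # slide the window forward
            if end - start + 1 >= threshold:
                findings.append((src, end - start + 1, times[start].isoformat()))
                break
    return findings

if __name__ == "__main__":
    print(impossible_travel(AUTH_LOG), oversized_responses(ACCESS_LOG),
          request_bursts(PROXY_LOG), sep="\n")
```

Two design choices are worth copying into whatever you build: the size baseline is a median per URL path, so the outlier you are hunting does not inflate its own baseline, and the burst check slides a window over time stamps rather than bucketing by wall-clock second, so a burst that straddles a second boundary is still counted. The impossible-travel check is where most of the false positives the post warns about will come from, since VPN exit nodes and mobile-carrier NAT pools geolocate far from the person typing.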

Will you have false positives? Yes. But you’ll also understand what’s considered normal on your network much better than you do today.

Do you have any low-cost, yet automated, strategies for network intrusion detection?
