Introduction to Intrusion Detection Systems


Lesson 1: Introduction to intrusion detection systems

Intrusion detection technology is designed and configured to ensure the security of computer systems by discovering unauthorized or abnormal activity in time; it is a technique for detecting violations of security policy in computer networks. An intrusion detection system identifies any undesirable activity, whether it originates outside or inside the network. Applying intrusion detection allows an attack to be detected before it harms the system, and the alarm and protection mechanisms can then be used to repel it. While an attack is in progress, the damage it causes can be reduced. After an intrusion, information about the attack is collected and added to the knowledge base as new knowledge for the defence system, improving its ability to prevent future attacks.

A typical IDS model consists of three functional components:

1. An information source that provides the stream of event records

2. An analysis engine that looks for signs of intrusion

3. A response component that acts on the results of the analysis engine

Today's IDS is an important part of the overall network security architecture and must be tightly integrated with other security devices in order to address network security problems jointly. A future IDS may need a new architecture to overcome its own shortcomings, but for now it can only be combined organically with other functional modules, and together they address the security problem of the network. This requires the introduction of collaboration.

Data collection collaboration

Intrusion detection needs to collect both dynamic data (network packets) and static data (log files and the like). A network-based IDS that only monitors raw IP packets at the network layer cannot satisfy growing security needs, and a host-based IDS, which looks directly at user behaviour and operating system log data, has difficulty detecting network attacks that arrive from the underlying network.

Current IDS products collect and analyse network packets, or collect and analyse log files; even a combined network- and host-based IDS does not consider the correlation between the two kinds of raw data. Moreover, IDS has always acquired network packets passively by sniffing, and once a packet is lost it cannot be recovered. Future networks will be fully switched, network speeds keep increasing, and many important network links are encrypted, all of which make collecting dynamic data from network packets harder. Collaboration in data acquisition is therefore the first prerequisite for improving intrusion detection capability.

Data collection collaboration has two important aspects:

1. Collaboration between the IDS and the vulnerability scanning system: a vulnerability scanning system has a comprehensive vulnerability library; it scans each host in the network, produces a complete report of the vulnerabilities present in the network, the operating systems and the applications running on the hosts, proposes remediation methods and finally issues a risk assessment report. On one side of this collaboration, the IDS can use the scanner's results to learn which vulnerabilities exist in the current network, systems and applications, and then use those results to adjust its alerting policy, reducing false positives as far as possible and also alerting on behaviour that would otherwise appear normal. On the other side, the IDS can analyse its daily alert information to modify the scanning policy of the vulnerability scanning system and schedule scans, so that vulnerabilities likely to be attacked are addressed in time. The vulnerability scanning system can also use IDS alert information to check whether particular hosts actually have the vulnerabilities being targeted; if they do, the traffic needs to be blocked.

2. Collaboration between the IDS and the anti-virus system: the IDS may raise an alert on certain signatures, but because the IDS is not itself an anti-virus system, it cannot predict very accurately whether a host in the network is really being attacked by a computer virus. This is where the anti-virus system comes into its own: it can verify the IDS's virus alerts and apply appropriate handling to host systems that have been attacked by viruses.

Data analysis collaboration

Intrusion detection not only needs to apply pattern matching and anomaly detection to the data collected by a single detection engine to discover simple intrusions; on that basis it also needs data mining to analyse the audit data submitted by multiple detection engines and discover more complex intrusions.

In theory any network intrusion can be discovered, because network traffic and host logs record intrusion activity. Data analysis collaboration needs to take place at two levels: first, collaborative analysis of the data collected by one detection engine, integrating several detection techniques to discover common, typical attacks; second, analysis of the audit data from multiple detection engines using data mining to discover more complex attacks. The data analysis capability of an IDS can be assessed in three respects: accuracy, efficiency and usability. On this basis the detection engine is the best place to perform the first level of data analysis collaboration, and the central management and control platform is the best place to perform the second.

When the detection engine faces more than one kind of data, integrating the various detection techniques becomes very important. Judging by the characteristics of attacks, some attack methods are detected by anomaly detection, while others are simply detected by pattern matching. When designing a detection engine, the detection strategy must therefore be determined first: which attacks belong to the category of anomaly detection and which to the scope of pattern matching. The central management and control platform performs more advanced and complex intrusion detection, working on audit data from multiple detection engines. It can perform correlation analysis of network activity in various regions, and its results support the next time period and the detection engines. For example, attackers often use various probes to find the most vulnerable hosts in a network and the vulnerabilities on those hosts; because this "attack preparation" activity has already been recorded, the IDS can make a timely judgement about the attack itself. Currently the methods most discussed at this level are data mining techniques, which detect intrusion through correlations in the audit data and can detect new attack methods.

The detection model of traditional data mining techniques is offline, like integrity checking, because traditional data mining has to process large amounts of audit data and is very time-consuming. An effective IDS, however, must be real-time. Moreover, a data mining IDS is only usable if its detection rate is comparable to that of conventional methods and its false positive rate is also within an acceptable range.

Columbia University proposed a real-time intrusion detection technique based on data mining, demonstrating that data mining can be used for a real-time IDS. Its basic framework is as follows: first, features are extracted from the audit data to help distinguish normal data from attack behaviour; then these features are used in pattern matching or anomaly detection models; then an artificial anomaly generation method is described to reduce the false positive rate of the anomaly detection algorithm; finally, a method of combining pattern matching and anomaly detection models is provided. Experiments show that this method improves the system's detection rate without reducing the performance of any detection model. Based on this technique, a real-time data mining IDS is implemented with an engine, a detector, a data warehouse and a model component, as shown in the figure. The engine observes the raw data and computes the features the models evaluate; the detector takes the engine's data and uses the detection models to evaluate whether it is an attack; the data warehouse is the central store for data and models; and the main purpose of the model component is to speed up the development and distribution of new intrusion detection models.

Response coordination

As discussed above, the position of the IDS in the network means that its own response capability is quite limited, so its response must be integrated with network devices or network security devices that do have adequate response capability, forming a comprehensive security system in which response and early warning complement each other. Response coordination mainly covers the following aspects.

1. Collaboration between the IDS and the firewall:

The firewall and the IDS complement each other well, at both a static and a dynamic level. Statically, the IDS can analyse security events on the network more effectively by understanding the firewall's policy, achieving accurate alerts and reducing false positives. Dynamically, when an intrusion is detected, the established connection is blocked effectively while the firewall is notified to modify its policy to prevent potential further attacks.

2. The IDS with routers and switches

Switches and routers, like firewalls, are generally inline on the network and also have predefined policies that can decide the fate of data streams, so the collaboration between the IDS and switches or routers is very similar to that with the firewall: it has a dynamic and a static side, and the process is roughly the same, so it is not discussed in detail here.

3. Collaboration between the IDS and the anti-virus system

The collaboration between the IDS and the anti-virus system has been discussed under data collection collaboration, but for an anti-virus system detection and removal are two indispensable aspects: the detection level involves data collection, and the removal level involves response. Even though an IDS can block an established connection by sending a large number of RST packets and to some extent replace the firewall's response mechanism, it simply cannot prevent computers from suffering virus attacks. Because network virus attacks account for a growing proportion of all attacks, collaboration between the IDS and the anti-virus system is becoming more and more important.

4. The IDS with honeypots and padded cell systems

Some tools can be used as supplements to the IDS; because their functions are similar, vendors often market them as IDS. In fact the functions of these tools are quite independent, so they are not discussed here as part of the IDS. Instead, their functions are briefly described to show how these tools cooperate with the IDS and jointly enhance an organisation's intrusion detection capability.

Honeypot: a honeypot is a system that tries to lure attackers away from key systems. Such systems are full of information that looks useful but is in fact fabricated, and legitimate users have no reason to access it. Any access to the honeypot that is observed is therefore likely to be an attacker probing it. The monitors and event logging on the honeypot detect this unauthorised access and collect information about the attacker's activity. The purpose of the honeypot is to draw attackers away from key systems, collect information about their activity, and keep them on the system long enough for administrators to respond.

Using the honeypot in this way provides additional data to the IDS; moreover, when the IDS finds an attacker, the attacker can be steered into the honeypot, preventing harm while attack information is collected. The padded cell takes a different approach. It does not try to attract attackers with enticing data; instead it waits for a traditional IDS to detect an attacker, who is then seamlessly transferred to a dedicated padded cell host. The attacker does not realise what has happened, but is now in a simulated environment where no damage can be done. Like the honeypot, this simulated environment contains data that looks interesting, so the attacker believes the attack is working according to plan. The padded cell offers a unique opportunity to monitor attackers.

Conclusion

The overall security system described in this article is shown in the figure.

The discussion above is meant to show that the IDS needs to collaborate, and that all other security tools need to collaborate as well; good cooperation between these tools and devices may be one answer to the question of how to ensure information security. We can regard all of these collaborating tools and devices as a single security tool, whether this system is called an integrated IDS or something else. The key point is that it gives our information relative security.

Like the cameras, sensors and monitoring equipment of a home security system that detect intermittent activity such as an intruder who has not yet broken in, an intrusion detection system (IDS) warns IT administrators of potential security threats at the boundary of the network environment. Like other traditional security techniques absorbed into broader IT security, intrusion detection systems have become a required component of security solutions over the past five years.

The problem with intrusion detection technology, however, is that it shares a serious flaw with other traditional security techniques: it reacts passively. Such a strategy, whether implemented on its own or combined with other technologies, is considered well thought out, yet a series of security attacks keeps recurring: the existence of the gap may allow network resources to be damaged.

Both network-based and host-based intrusion detection systems are widely available, but they share several drawbacks. First, they are often said to be unable to scale to huge, high-speed and complex networks. Second, deploying and monitoring such systems adds to the management burden of IT staff. In addition, traditional IDS technology actually gets in the way of the network and of user activity, which affects performance and ultimately leads to an unmanageable administrative burden and frustration.

Despite the best efforts of security staff, the computing resources inside enterprises are attacked every day, and attacks spread as fast as access to other resources on the Internet. Application-centric intrusion prevention offers a new solution for protecting today's huge networks and enterprise environments. Intrusion prevention technology is the core of any security model that takes active measures, and schemes of this type therefore pay attention to application and operating system security and to resource availability. In addition, behaviour enforcement policies in an intrusion prevention security environment take a holistic view of the continuing evolution of attacks. As a result, an active defence mechanism based on application behaviour can prevent important documents and network assets from being damaged.

The difference between intrusion prevention software and traditional intrusion detection products is that the former actually prevents attacks rather than merely detecting them. As noted earlier, current intrusion detection software is reactive: it usually scans configurations for weaknesses and discovers an attack only after it has happened. Anti-virus vendors and intrusion detection vendors are often "on standby" and respond quickly to attack events, but by then the attack has usually already taken effect and the network or desktop system has already been compromised. Intrusion prevention security architecture, as next-generation network security software, can actively strengthen the security of desktop systems and servers to prevent damage from network attacks that signature-based techniques fail to discover.

A significant advantage of intrusion prevention is precisely that it reduces the burden of enterprise security management. Unlike traditional intrusion detection products, intrusion prevention actually protects internal resources from attack: it limits the behaviour that potentially destructive code may perform without hindering business operations, keeps a record of attacks, and notifies the enterprise's security staff as soon as an attack occurs. In addition, high-performance intrusion prevention technology can stop network-based attacks such as denial of service, probing, malformed packets and hostile connection attacks. To provide truly effective protection for computing resources, network security managers cannot rely solely on discovering known attacks or their variants. The new intrusion prevention approach defines appropriate behaviour and then enforces it on every end-user desktop system and network server in the enterprise. What is appropriate behaviour? You do not need to read the whole article to know: if a user receives an e-mail that immediately tries to send itself to every contact in the user's address book, that is not appropriate. Likewise, if a web browser, a mail program or a Microsoft Office application attempts to write to a Windows NT system file, that is not appropriate; specifically, it is very likely a macro virus. Intrusion prevention monitors the behaviour of the system and its applications, defines which behaviour is legitimate and which is suspicious, and as soon as a program attempts something outside the expected range of behaviour, the intrusion prevention technology first stops the system from carrying out the improper behaviour.

Such a high-performance intrusion prevention system benefits IT administrators, who only have to set rules to control applications. Like an intelligent agent, the intrusion prevention system operates silently: it intercepts system behaviour, checks it against policy, and then allows or rejects the behaviour according to that policy. In addition, some well-structured intrusion prevention systems provide preset rules to protect web servers and mail servers and to provide general end-user desktop protection.

Finally, the statistical log data can be used to generate a report that shows the overall operation of the network. With this report IT staff can monitor how the rule set is working and adjust it if necessary. Whenever someone is found attempting a particular behaviour to access a resource, the report records it in the log.

An intrusion detection system combined with vulnerability assessment tools is an ideal tool for auditing and identification, but such systems cannot prevent damage. To understand more clearly how intrusion prevention goes further than traditional IDS, which is in practice defeated by attacks, consider a Trojan horse attack.

On the surface a Trojan horse attack does not seem harmful; it looks like a useful background process. Such attacks, however, typically hide a destructive routine that may eventually destroy or modify files, or may set up a back-door entry point for intruders to access the system. A network-based IDS looks for the attack signature in the file. A host-based IDS may be able to analyse audit and event logs to find evidence that may indicate an unauthorised access attempt, but an authorised access attempt carrying malicious code sent as "secure" information may slip through.

In defending against Trojan horses, intrusion prevention goes further than IDS: it can find unusual behaviour in the system and then block it in real time before the intrusion is carried out. For example, IT staff can discover and intercept application behaviour such as causing a web server buffer overflow so that an intruder can sneak into the network, mapping other executable files to steal confidential data, connecting to the keyboard to intercept typed characters, modifying an existing executable to hide malicious code, or accessing the HTTP port while posing as a legitimate web program. These are the kinds of behaviour that point to a Trojan horse attack.

Protecting e-commerce applications and website content is critical to protecting today's open networks. For organisations facing attacks, where security measures must prevent damage rather than merely react to it, existing intrusion prevention technology has taken on the role of a replacement strategy.

We have already looked at manual and automated scanning programs, which are very useful during the audit process. You also used a packet sniffer, another tool for determining what kinds of activity are present on the network. Intrusion detection systems deserve your attention in two respects. First, this kind of network protection has become more and more popular, and you need to understand the current structure of the network to determine whether its configuration is appropriate. Second, you may be asked to recommend such a product, so you need to know how to recommend one for a particular network situation. You can use several types of tool during testing; they are essential throughout the audit process and will save you time during a tedious analysis.

What is intrusion detection

An intrusion detection system monitors network activity in real time behind the firewall. In many cases the intrusion detection system is an extension of the firewall, because it records and blocks network activity. It can work together with your firewall and routers; for example, your IDS can reconfigure the firewall to block malicious traffic from outside. You should understand, however, that the intrusion detection system works independently of the firewall.

An intrusion detection system (IDS) is different from a system scanner. A system scanner scans for system vulnerabilities using a database of attack signatures; it is concerned with configuration vulnerabilities rather than with the traffic currently entering and leaving your host. It cannot recognise an attack even on a host that is being attacked.

An IDS scans current network activity, monitors and logs traffic, filters the traffic from the host network onto the network cable according to defined rules, and provides real-time alerts. A network scanner checks hosts for previously defined vulnerabilities, whereas an IDS monitors and records network traffic. If you run an IDS and a scanner on the same host, a properly configured IDS will raise a large number of alerts.

Intrusion detection

Most IDS programs provide very detailed analysis of network traffic. They can monitor any traffic you define. Most programs have default settings for FTP, HTTP and Telnet traffic, as well as for other traffic, failed local and remote logins, and more. You can also customise your own policies. Some of the more common detection techniques are discussed below.

Network traffic management

IDS programs such as Computer Associates' eTrust Intrusion Detection, Axent Intrusion Wall, Axent Intruder Alert and ISS RealSecure allow you to record, report on and block almost all forms of network access. You can also use these programs to monitor the network traffic of a single host; eTrust Intrusion Detection can read back the web page a user of that host last accessed.

If you define policies and rules, you can capture FTP, SMTP, Telnet and any other traffic. These rules help you trace connections and determine what has happened on the network and what is happening now. These programs are very effective when you need to determine whether policy is being followed consistently on the network.

While an IDS is a very valuable tool for security managers and auditors, a company's own employees can also install programs like eTrust Intrusion Detection or Intruder Alert to access important information. Attackers can not only read unencrypted messages, but also sniff passwords and collect important information about important protocols. So your first job is to check whether similar programs are present on the network.

System scanners, jails and IDS

Earlier in this tutorial you learned how to apply different strategies to strengthen security effectively. This task requires controls in different parts of the network, from the operating system to scanners, IDS programs and firewalls. You have already used the system scanner, and many security experts combine these programs with an IDS. System integrity checking, extensive logging, hacker "jails" and decoys are effective tools that work together with an IDS.

Tracking

An IDS can not only record events but also determine where an event originated, which is the main reason many security experts buy an IDS. By tracing the source you can learn more about the attacker; this experience not only helps you document the attack but also helps you determine a solution.

The need for intrusion detection systems

A firewall seems to meet all of a system administrator's needs. However, as attacks from employees and from the products themselves have increased, an IDS has become more and more necessary for monitoring illegal activity inside the firewall. New technologies have also brought serious threats to the firewall. For example, a VPN can pass through the firewall, so the IDS needs to provide security behind the firewall. Although the VPN itself is secure, a rootkit or NetBus may communicate over the VPN, and the firewall cannot resist this kind of destructive behaviour. For these two reasons the IDS has become an important part of the security strategy.

We also need to note that an attacker can carry out an attack that overloads the IDS, with the result that the IDS itself becomes a participant in a denial of service attack. Moreover, attackers will try to adapt their attack techniques so that the IDS cannot track their activity on the network.

Architecture of intrusion detection systems

Two architectures are available, each suited to its own environment. Although the host-level IDS is more powerful and provides more detailed information, it is not always the best choice.

Network-level IDS

A network-level product such as eTrust Intrusion Detection needs only a single installation. The program (or service) scans all the traffic transmitted on the entire network to determine what is happening in real time. The network-level IDS program acts as manager and agent at the same time: the host on which the IDS is installed does all the work, and the network is only queried passively. CA's Session Wall is also an IDS product of this kind; its main interface is shown below:

Pros and cons

This kind of intrusion detection system is easy to install and deploy; usually the program only needs to be installed once on a host. The network-level IDS is especially suited to defending against scans and denial of service attacks. However, this IDS architecture does not work in switched and ATM environments, and it is not particularly effective at dealing with privilege escalation of illegal accounts, policy failures or tampered logs. The performance of the host drops sharply when scanning large networks, so for large, complex networks you need the host-level IDS.

Host-level IDS

As mentioned earlier, the host-level IDS architecture uses a manager and several agents. The manager sends query requests to the agents, and the agents report the host's network traffic information back to the manager. Direct communication between agents and manager solves many of the problems of complex networks.

Technical tip: before deploying any host-level IDS, test it on an isolated network segment. This test helps you determine whether the manager-to-agent communication is secure and what its impact on network bandwidth is.

Managers

Managers define the rules and policies that govern the agents. The manager is installed on a specially configured host and queries the agents on the network. Some managers have a graphical interface, while other IDS products are managed only as daemons and then administered with other programs.

Physical security is critical for the host acting as manager: if an attacker can get access to the hard disk, he can obtain important information. In addition, unless it is required, the manager's system should not be reachable by network users, and this restriction includes Internet access.

The operating system on which the manager is installed should be as secure and vulnerability-free as possible. Some vendors require you to install the manager on a specific type of operating system; for example, ISS RealSecure requires installation on Windows NT Workstation rather than Windows NT Server, because it is easier to strip down the operating system on NT Workstation.

Just as when deploying a firewall, you must establish rules for the IDS. Most IDS programs have predefined rules, but you had better edit the existing rules and add new ones to provide optimal protection for your network. The rules normally established fall into two categories: network anomalies and network misuse. An enterprise-class IDS can usually implement hundreds of rules. Vendors differ in the auditing terms they use: for example, eTrust Intrusion Detection uses "rules" when discussing the rules of a security audit, while Intruder Alert uses "policies". You will notice that Intruder Alert uses "policies" in a wide sense, allowing you to establish rules within individual policies. Therefore, do not be confused by terminology when you study each vendor's products.

Network anomaly detection

The IDS program reports anomalies at the protocol level. If configured correctly, it alerts you to NetBus, Teardrop or Smurf attacks. For example, if there are too many SYN connections, the IDS program will alert you.

Network misuse detection

Network misuse includes web browsing for non-work purposes, installing unauthorised services (such as a WAR FTP server) and playing games (such as Doom or Quake). You can log it, block the traffic or actively stop it. For example, you can use programs that implement countermeasures or set up "dummy" systems or networks as decoys.

Network misuse can be the result of a physical, operating system or remote attack. Physical attacks include stealing hard drives or physically manipulating machines to get information. An operating system attack is an authenticated user attempting to gain root access. A remote attack is an attacker attacking the device over the network.

Common detection methods

The detection methods commonly used by intrusion detection systems include signature detection, statistical detection and expert systems. According to a report by the Ministry of Public Security Computer Information System Security Product Quality Supervision and Inspection Center, 95% of intrusion detection products in China are signature detection products that match intrusion templates by pattern matching, and the other 5% are statistical detection products based on probability statistics or log-based expert knowledge base products.

Signature detection

Signature detection gives a deterministic description of a known attack or intrusion, forming a corresponding event pattern. When an audited event matches a known intrusion event pattern, an alert is raised. In principle it is similar to an expert system, and in its detection method it is similar to the detection of computer viruses; current applications are based on pattern matching of packet signatures. This method has high detection accuracy, but it is powerless against intrusions and attacks for which no knowledge has been defined.

Statistical detection

Statistical detection is commonly based on a statistical model; the measurement parameters usually used include the count, interval and resource consumption of audited events. Five statistical models are common in intrusion detection:

1. Operational model. The model assumes that an anomaly can be determined by comparing a measurement with a fixed indicator derived from experience or from a statistical average; for example, many failed logins in a short time are very likely a password-guessing attack;

2. Variance model. The variance of a parameter is computed and a confidence interval set; when a measured value falls outside the confidence interval, an anomaly may be indicated;

3. Multivariate model. An extension of the operational model that analyzes several parameters simultaneously;

4. Markov process model. Each type of event is defined as a system state and changes of state are represented by a state transition matrix; when an event occurs, a transition of low probability may be an anomalous event;

5. Time series analysis. Event counts and resource consumption are ordered by time; if a new event has a low probability at that point in time, it may be an intrusion.
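The following is an added illustration, not code from the original article, of three of the five models just listed (operational, variance and Markov process) run over constructed audit records. The thresholds, the sample audit trail and the normal sessions used to train the transition matrix are all assumptions made for the example.

```python
"""Three of the statistical models listed above (operational, mean/variance,
Markov process), run over constructed audit records.  Added illustration,
not code from the original article; thresholds and sample data are assumed."""
import math
from collections import Counter, defaultdict

# Constructed audit trail: (timestamp in seconds, user, event type)
AUDIT = [
    (0, "alice", "login_ok"), (30, "alice", "read"), (60, "alice", "write"),
    (90, "alice", "logout"),
    (100, "bob", "login_fail"), (105, "bob", "login_fail"), (110, "bob", "login_fail"),
    (115, "bob", "login_fail"), (120, "bob", "login_fail"), (125, "bob", "login_ok"),
    (130, "bob", "read"), (140, "bob", "logout"),
]

def operational_model(events, user, window=60, threshold=3):
    """Operational model: a fixed indicator taken from experience.  More than
    `threshold` failed logins by `user` inside any `window` seconds is flagged
    as a probable password-guessing attempt."""
    fails = [t for t, u, e in events if u == user and e == "login_fail"]
    for i, start in enumerate(fails):
        if sum(1 for t in fails[i:] if t - start <= window) > threshold:
            return True
    return False

def mean_variance_model(history, value, k=2.0):
    """Variance model: `history` holds past measurements of one parameter
    (e.g. commands per session); `value` is anomalous when it lies outside
    the confidence interval mean +/- k * sigma (sample standard deviation)."""
    n = len(history)
    mean = sum(history) / n
    sigma = math.sqrt(sum((x - mean) ** 2 for x in history) / (n - 1))
    return abs(value - mean) > k * sigma

def train_markov(sessions):
    """Markov process model: each event type is a state; estimate the state
    transition matrix P[a][b] from sequences of normal sessions."""
    counts = defaultdict(Counter)
    for seq in sessions:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return {a: {b: c / sum(nxt.values()) for b, c in nxt.items()}
            for a, nxt in counts.items()}

def markov_anomalies(matrix, seq, min_prob=0.05):
    """Return (from, to, probability) for every transition in `seq` whose
    probability under `matrix` is below `min_prob`.  A transition never seen
    in training has probability 0 and is therefore always flagged."""
    return [(a, b, matrix.get(a, {}).get(b, 0.0))
            for a, b in zip(seq, seq[1:])
            if matrix.get(a, {}).get(b, 0.0) < min_prob]

# Constructed normal sessions used to train the Markov model
NORMAL_SESSIONS = [
    ["login_ok", "read", "write", "logout"],
    ["login_ok", "read", "logout"],
    ["login_ok", "write", "logout"],
    ["login_ok", "read", "read", "logout"],
]
MARKOV = train_markov(NORMAL_SESSIONS)

if __name__ == "__main__":
    print("bob password guessing?", operational_model(AUDIT, "bob"))
    print("40 commands anomalous?",
          mean_variance_model([12, 15, 11, 14, 13, 12, 16, 13], 40))
    print(markov_anomalies(MARKOV, ["login_ok", "su_root", "write", "logout"]))
```

The Markov model shows the weakness the article raises next: because the matrix is estimated from observed sessions, an intruder who slowly feeds it sessions containing the transition they need will raise that transition's probability above `min_prob`, so training data must come from a trusted baseline rather than from live, unverified traffic.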

The biggest advantage of statistical methods is that they can "learn" users' habits and so achieve higher detection rates and usability. However, that same "learning" ability lets an intruder, by gradual "training", make intrusion events conform to the statistical rules of normal operation and so slip past the intrusion detection system.

Expert systems

Detecting intrusions with an expert system is usually targeted at a particular kind of intrusion. The rules are the knowledge: different systems and settings have different rules, and there is often little generality among them. Building an expert system depends on the richness of its knowledge base, and the completeness of the knowledge base depends on the completeness and timeliness of the audit records. The characterization and expression of intrusions are the key to an intrusion detection expert system. In implementation, knowledge about intrusions is converted into IF-THEN rules (or a composite structure): the condition part is the intrusion signature and the THEN part is the system's countermeasure. The effectiveness of an expert system against signature-based intrusions depends entirely on the completeness of its knowledge base.

File integrity checking

A file integrity checking system checks whether files have changed since the last check. It keeps a database of digital digests, one per file. At each check it recomputes each file's digest and compares it with the value in the database: if they differ, the file has been modified; if they are the same, the file has not changed.

The digest of a file is computed with a hash function. Regardless of the length of the file, the hash result is a fixed-length number. Unlike an encryption algorithm, a hash algorithm is an irreversible one-way function. With a high-security hash algorithm such as MD5 or SHA, it is almost impossible for two different files to produce the same hash result, so a modification of a file can be detected. The most comprehensive file integrity checker is Tripwire, whose open source version can be obtained from www.tripwire.org.

Advantages of a file integrity checking system

Mathematical analysis shows that defeating a file integrity checking system is infeasible in either time or space. A file integrity checking system is a very powerful tool for detecting file modification; in fact, it is one of the most important tools for detecting unauthorized use of a system.

A file integrity checking system is quite flexible: it can be configured to monitor all files in the system or only certain important files.

When an intruder attacks a system he does two things. First, he covers his tracks, hiding his activity by changing executable files, library files or log files on the system; second, he makes changes that ensure he can get back in next time. Both activities can be detected by a file integrity checking system.

Weaknesses of a file integrity checking system

A file integrity checking system depends on a local information database. Like a log file, this data may be modified by an intruder. Once an intruder has gained administrator privileges and finished his damage, he can run the file integrity checker to update the database and so deceive the system administrator. Of course, the baseline database can be kept on read-only media, but such a configuration is inflexible.

A complete file integrity check is very time-consuming; in Tripwire you can choose to check some file attributes instead of the complete digest, which speeds up the check.

Some normal updates bring many file changes, making checking and analysis more complicated; for example, upgrading MS Outlook on a Windows NT system produces 1800 file changes.
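As an added example (not Tripwire code and not from the original article), the checker below implements the digest database described under "File integrity checking" together with the faster attribute-only mode mentioned above, and demonstrates why the fast mode is weaker. The monitored tree, file names and the simulated tampering are all constructed inside a temporary directory; SHA-256 is used as the digest because MD5 collisions have been practical since 2004.

```python
"""Minimal file-integrity checker: a baseline of SHA-256 digests plus size and
mtime, a full re-hash check, and a quicker attribute-only check.  Added
illustration, not Tripwire code; the monitored files are constructed."""
import hashlib
import os
import tempfile

def digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root, with_digest=True):
    """Record size and mtime (and the digest when with_digest) of every regular
    file under root, keyed by forward-slash relative path."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            rec = {"size": st.st_size, "mtime_ns": st.st_mtime_ns}
            if with_digest:
                rec["sha256"] = digest(p)
            snap[os.path.relpath(p, root).replace(os.sep, "/")] = rec
    return snap

def check(root, baseline, full=True):
    """Compare the tree with the baseline.  full=True recomputes digests;
    full=False compares only size and mtime, which is fast but misses a
    same-length replacement whose mtime has been restored."""
    current = snapshot(root, with_digest=full)
    keys = ("sha256", "size", "mtime_ns") if full else ("size", "mtime_ns")
    modified = sorted(f for f in baseline.keys() & current.keys()
                      if any(baseline[f][k] != current[f][k] for k in keys))
    return {"modified": modified,
            "added": sorted(current.keys() - baseline.keys()),
            "deleted": sorted(baseline.keys() - current.keys())}

def demo():
    """Build a constructed tree, take a baseline, simulate an intrusion and
    return (full_check_result, quick_check_result)."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("bin/ls", b"ORIGINAL-LS"),
                           ("etc/passwd", b"root:x:0:0\n"),
                           ("var/tmp.log", b"log")):
            p = os.path.join(root, name)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(data)
        baseline = snapshot(root)

        # Simulated tampering: bin/ls replaced by content of the same length,
        # then its mtime restored so size and mtime look untouched.
        p = os.path.join(root, "bin/ls")
        st = os.stat(p)
        with open(p, "wb") as f:
            f.write(b"TROJANED-LS")          # 11 bytes, same as ORIGINAL-LS
        os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))
        # An unexpected file appears and a known file disappears.
        with open(os.path.join(root, "etc/unexpected.conf"), "wb") as f:
            f.write(b"x")
        os.remove(os.path.join(root, "var/tmp.log"))

        return check(root, baseline, full=True), check(root, baseline, full=False)

if __name__ == "__main__":
    full, quick = demo()
    print("full :", full)
    print("quick:", quick)
```

The quick check still reports the added and deleted files but misses the modified binary, which is exactly the trade-off the text describes. Because the baseline is an ordinary dictionary that anyone with write access can regenerate, it should be stored off the monitored host or on read-only media, as the weakness paragraph above notes.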

Regardless of scale and method, intrusion techniques have changed in recent years; the means and technology of intrusion have also "progressed and developed". The development and evolution of intrusion technology is mainly reflected in the following aspects:

Integration and complexity of intrusions or attacks. There are many kinds of intrusion, and intruders tend to combine them. Because defensive technology has multiplied and attacks have become harder, intruders often use several intrusion methods at once to ensure success and to conceal the real purpose of the attack in its early stages. Concealment of the attacking subject is part of this: through certain techniques the source site and host of the attacker can be masked, so that once such hiding techniques are used the target cannot directly determine who attacked it.

Expansion of the scale of intrusions or attacks. Intrusions and attacks on networks used to target a single company or website, their motive perhaps the pursuit of certain network techniques, though commercial theft and sabotage cannot be excluded. As conflicts grow larger and more frequent, they gradually escalate into electronic warfare and information warfare, and compared with information warfare, whatever its scale and technology, ordinary intrusions and attacks on computer networks are not on the same level. The outcome of an information war and the security of a nation's main communication networks are as much matters of national security as the territorial security of any sovereign state.

Distribution of intrusion or attack technology. In the past, intrusion and attack behavior was usually carried out from a single machine; because of developments in defensive technology, such behavior is no longer effective. So-called distributed denial of service (DDoS) can paralyze the attacked host in a short time, and the traffic from each single machine in such a distributed attack is indistinguishable from normal communication, so it is often hard to confirm at the initial stage of the attack. Distributed attacks have recently become the most commonly used attack method.

Shift of attack targets. Intrusions and attacks usually took the network itself as the target, but recent attack behavior has changed strategically: instead of attacking the network, attackers attack the network's protection systems, and the trend is intensifying. There are now reports of attacks aimed specifically at IDS: an attacker analyzes the IDS's audit methods, signature descriptions and communication mode to find its weaknesses, and then attacks them.

Future intrusion detection technology may develop in three directions.

Distributed intrusion detection

This has two meanings: first, a detection method for distributed network attacks; second, the use of distributed methods to detect distributed attacks, whose key technologies are the cooperative processing of detection information and the extraction of overall information about the intrusion attack.

Intelligent intrusion detection

That is, performing intrusion detection with intelligent methods and means. The so-called intelligent methods usually include neural networks, genetic algorithms, fuzzy techniques, immune principles and others, which are often used in the identification and generalization of intrusion characteristics. Using an expert system to build an intrusion detection system is also common; in particular, an expert system with self-learning ability, which continuously updates and expands its knowledge base so that the detection system keeps improving, should have broad application prospects. Attempts to use the concept of intelligent agents for intrusion detection have also been reported. A more complete solution should combine a high-efficiency conventional intrusion detection system with intelligent detection software or modules.

Comprehensive security defense solutions

That is, applying the ideas and methods of security engineering and risk management to network security problems and treating network security as an overall project: evaluating the network of concern comprehensively from the aspects of management, network structure, encrypted channels, firewalls, virus protection and intrusion detection, and then proposing a feasible comprehensive solution.

Kernel-based intrusion detection

Kernel-based intrusion detection is a relatively clever new kind of Linux intrusion detection system. The most important kernel-based intrusion detection system at present is LIDS, which can be downloaded from http://www.lids.org/.

Intruder alert

Intruder Alert (ITA) is a powerful product using a manager/agent architecture. Managers and agents can run on UNIX, NT and Novell networks. The first advantage of ITA is that it can be used in many network environments; since companies rarely deploy only a single vendor's products, the IDS you choose should support as many vendors' products as possible.

The second advantage of ITA is its distributed management structure. The ITA software package consists of two services and three applications:

· ITA Manager (runs as a service, daemon or Novell loadable module)

· ITA Agent (runs as a service, daemon or Novell loadable module)

· ITA Admin (configuration application)

· ITA View (program for querying agents)

· ITA Setup (program for setting up the administrator domain)

ITA and firewalls

Firewalls introduce connection problems. If you try to connect to an agent protected by a firewall, the connection usually fails because the firewall only allows certain traffic through. To solve this, define a firewall rule for the connection.

Defining policies and establishing rules

Once you have defined a policy you can start using it. You can view policies in the Policy Library tree, but this list only shows potential policies. To change the agents you are working with, click the active manager icon and then the root of the Policy Library tree.

ITA View lists some or all of the policies three times. Do not be confused by this repetition: the program lists the active policies, any policies you might use, and the policies of at least two domains, Default All Agents and Default NTs. The third tree lists the policies you might add to the default domains; of course, you can rename these default domains or add new ones. The fourth tree lists predefined policies, which you can cut and paste into the policy library and activate. You cannot see the specific rule clauses and terms when viewing the Active Policies tree; that information is visible under the manager name in the Policies tree (such as Student 10).

Establishing rules

Like eTrust Intrusion Detection, ITA rules contain several sub-elements. These determine which networks and hosts ITA monitors and which actions it takes. All ITA policies contain three parts: Select, Ignore and Action.

If you want to identify a particular activity, such as a NetBus connection or a LAND attack, you define the Select element. ITA carries out the specific behavior for the rules you define. Once you use a Select segment and define an event, ITA knows about that event.

However, ITA does not yet know what action to take for that event. The Ignore segment meets part of this need: ITA ignores any item you put in the Ignore segment, even if it has been defined in Select. The items in the Action segment determine what action is taken on the event you defined. If you put the same event in both the Ignore and Action segments, ITA takes no action on the event. Typically the Ignore segment is used to handle false positives. ITA rules use Boolean logic: if the Select segment is activated, i.e. true, ITA then consults the Ignore and Action segments. For example, if the Action segment specifies that the event is recorded in a log file, ITA applies that action unless the event is also caught by the Ignore segment.

Rule priority

You can decide the importance of each rule. Each rule can have a value from 0 to 100: 0 to 33 indicates a warning, 34 to 66 a medium-level security issue and 67 to 100 a serious security problem. ITA does not sort new rules, so you need to place each event correctly to arrange the priority order.

The three checkboxes Indirect, Filter and Disable are not required to define a rule; they give additional control over how ITA applies the rule. Indirect allows the rule to fire only when it is referenced by another ITA rule; Filter removes events that are already monitored by other rules; Disable removes the entire rule from ITA monitoring.
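To make the Select / Ignore / Action logic and the 0-100 priority bands of the two preceding sections concrete, here is an added toy rule engine. It is an illustration written for this page, not Intruder Alert's code; the event fields, the rules, the addresses and the "internal scanner" exception are constructed, and only the Disable checkbox is modelled (Indirect and Filter are omitted).

```python
"""Toy rule engine with the Select / Ignore / Action structure and the
0-100 priority bands described above.  Added illustration only, not
Intruder Alert code; event fields, rules and addresses are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Event:
    src: str          # source address
    dst: str          # destination address
    dport: int        # destination port
    flags: str = ""   # TCP flags, e.g. "S" for SYN

def _never(e: Event) -> bool:
    return False

def _log(e: Event) -> str:
    return "log"

@dataclass
class Rule:
    name: str
    priority: int                              # 0-33 warning, 34-66 medium, 67-100 serious
    select: Callable[[Event], bool]            # what the rule looks for
    ignore: Callable[[Event], bool] = _never   # exceptions, typically known false positives
    action: Callable[[Event], str] = _log      # what to do when Select is true and Ignore is not
    disabled: bool = False                     # the Disable checkbox: rule is skipped entirely

def severity(priority: int) -> str:
    """Map a 0-100 priority onto the three bands given in the text."""
    if not 0 <= priority <= 100:
        raise ValueError("priority must be 0..100")
    if priority <= 33:
        return "warning"
    if priority <= 66:
        return "medium"
    return "serious"

def evaluate(rules: List[Rule], event: Event) -> List[Tuple[str, str, str]]:
    """Apply the Boolean logic described: a rule fires only if Select is true
    and Ignore is false; each result is (rule name, severity, action).
    Rules are evaluated in the order given, since ITA does not sort them."""
    fired = []
    for r in rules:
        if r.disabled or not r.select(event):
            continue
        if r.ignore(event):
            continue       # same event in Ignore and Action: no action taken
        fired.append((r.name, severity(r.priority), r.action(event)))
    return fired

# Constructed rules.  10.0.0.7 stands for an internal vulnerability scanner
# whose probes of port 12345 are a known false positive handled via Ignore.
RULES = [
    Rule("netbus-connect", 70,
         select=lambda e: e.dport == 12345 and "S" in e.flags,
         ignore=lambda e: e.src == "10.0.0.7",
         action=lambda e: "alert"),
    Rule("land-attack", 90,
         select=lambda e: e.src == e.dst and "S" in e.flags,
         action=lambda e: "alert"),
    Rule("ftp-connect", 10,
         select=lambda e: e.dport == 21),      # default action: log only
]

if __name__ == "__main__":
    for ev in (Event("203.0.113.5", "192.0.2.10", 12345, "S"),
               Event("10.0.0.7", "192.0.2.10", 12345, "S"),
               Event("192.0.2.10", "192.0.2.10", 80, "S")):
        print(ev, "->", evaluate(RULES, ev))
```

The second sample event shows the false-positive handling the text describes: the scanner's SYN to port 12345 satisfies Select, but because it also satisfies Ignore the rule produces no action at all.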

Queries

You can use ITA View to run queries. From the main ITA View interface, click the New button to define a query. The Define New Filter dialog lets you connect to a manager and then, through the manager, to an agent. From here you can store or load previous definitions (such as filters) that help you quickly learn a host's security status. Because this program is independent of ITA Admin, you must log in to the manager; this requirement strengthens security and ensures that a crash of one program does not affect managing and querying agents.

After connecting to the agent you can start querying. Your queries are limited to the rules that have been established and activated in ITA View. You can also query by priority. Either use the query text box or drag query items from the Manage Object window to the query list window, then select Go. The contents of the query dialog override the contents of the query list window.

Data collection collaboration

Current IDSs collect and analyze network packets and log files separately; even a combined network- and host-based IDS does not consider the correlation between the two kinds of raw data. In addition, for packet acquisition IDSs have always obtained data passively by sniffing, and once a packet is lost it cannot be recovered. Moreover, future networks will all be switched networks, network speeds keep increasing and many important networks are encrypted; in these circumstances, collecting dynamic data from network packets becomes harder. Data acquisition is therefore the primary condition for improving intrusion detection capability.

Data collection collaboration has two important aspects:

1. Collaboration between IDS and vulnerability scanning systems: a vulnerability scanning system has a complete vulnerability library; it scans individual hosts in the network and gives a comprehensive report on the vulnerabilities in the hosts' networks, operating systems and running applications, then proposes remediation methods and finally gives a risk assessment report. One aspect of the synergy is that the IDS can use the scanning results to learn which vulnerabilities exist in the current network, systems and applications, and then use them to modify its alerting policy, so as to reduce false positives as far as possible and to alert on attacks hidden in otherwise normal behavior. Conversely, the IDS can use the analysis of daily alert information to modify the scanning policy of the vulnerability scanning system and schedule scans, so that vulnerabilities that may be attacked are found and dealt with in time. The vulnerability scanning system can also use IDS alert information to check whether certain hosts have the specific vulnerabilities being attacked and whether those vulnerabilities really exist; if so, it reports this so that the attack can be blocked.

2. Collaboration between IDS and antivirus systems: on the one hand, the IDS may raise an alert on certain signatures, but because the IDS itself is not an antivirus system, it cannot predict very accurately whether hosts in the network are really under attack by a computer virus. At this point the antivirus system comes into play: it can verify the IDS's virus alert information and appropriately treat the hosts that have been attacked by viruses.
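The first aspect, an IDS re-prioritizing its alerts from the scanner's view of which hosts actually expose the targeted weakness and, in return, telling the scanner which hosts to scan next, can be illustrated with the following added code. It is not from the original article or from any product; the scanner inventory, the alerts and the vulnerability identifiers (placeholders of the form VULN-…) are all constructed.

```python
"""Toy alert/scan correlation for IDS and vulnerability-scanner collaboration.
Added illustration, not code from the article or any product; the data is
constructed and the vulnerability ids are placeholders."""

# Constructed scanner output: host -> set of vulnerability ids found on it
SCAN_RESULTS = {
    "192.0.2.10": {"VULN-WEB-001", "VULN-SSH-002"},
    "192.0.2.11": set(),                 # scanned, nothing found
    "192.0.2.12": {"VULN-SMB-003"},
}

# Constructed IDS alerts: (attacker, target host, vulnerability the signature targets)
ALERTS = [
    ("203.0.113.5", "192.0.2.10", "VULN-WEB-001"),
    ("203.0.113.5", "192.0.2.11", "VULN-WEB-001"),
    ("203.0.113.9", "192.0.2.12", "VULN-SMB-003"),
    ("203.0.113.9", "192.0.2.99", "VULN-SMB-003"),   # host the scanner never covered
]

def correlate(alerts, scan_results):
    """Attach a disposition to each alert using the scanner's knowledge:
    'confirmed'  - the target is known to have the targeted vulnerability
    'suppressed' - the target was scanned and does not have it (likely false positive)
    'rescan'     - the target is not in the scanner's inventory; a scan is needed"""
    out = []
    for src, dst, vuln in alerts:
        if dst not in scan_results:
            disposition = "rescan"
        elif vuln in scan_results[dst]:
            disposition = "confirmed"
        else:
            disposition = "suppressed"
        out.append({"src": src, "dst": dst, "vuln": vuln, "disposition": disposition})
    return out

def rescan_targets(correlated):
    """The feedback path from IDS to scanner: hosts seen under attack that the
    scanner has not yet covered, so the scanning policy can be adjusted."""
    return sorted({a["dst"] for a in correlated if a["disposition"] == "rescan"})

def confirmed_by_attacker(correlated):
    """Group confirmed alerts by attacker, so one source hitting several
    genuinely vulnerable hosts stands out from scattered noise."""
    groups = {}
    for a in correlated:
        if a["disposition"] == "confirmed":
            groups.setdefault(a["src"], []).append(a["dst"])
    return {src: sorted(dsts) for src, dsts in groups.items()}

if __name__ == "__main__":
    result = correlate(ALERTS, SCAN_RESULTS)
    for a in result:
        print(a)
    print("schedule scans for:", rescan_targets(result))
    print("confirmed attackers:", confirmed_by_attacker(result))
```

A suppressed alert is still worth keeping in the log at low priority: the scanner's inventory can be stale, which is why the unscanned host is routed to a rescan rather than silently dropped.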

Data analysis collaboration

Intrusion detection must not only use pattern matching and anomaly detection to analyze the data collected by a single detection engine and discover simple intrusion behavior; on that basis it must also use data mining techniques to analyze the audit data submitted by multiple detection engines to find more complex intrusions.

In theory, any network intrusion can be found, because network traffic and host logs record the intrusion activity. Data analysis collaboration must happen at two levels: first, collaborative analysis of the data collected by one detection engine, integrating detection techniques to discover common, typical attack behavior; second, analysis of the audit data from multiple detection engines using data mining to discover more complex attack behavior. The data analysis capability of an IDS can be assessed in three respects: accuracy, efficiency and usability. On this basis, the detection engine is the best place to perform the first level of data analysis collaboration, and the central management and control platform the best place for the second.

When the detection engine faces more than one kind of data, integrating several detection techniques is very important. Judging from the characteristics of attacks, some attack methods are suited to anomaly detection while others are simply detected by pattern matching. Therefore, when designing the detection engine, the detection strategy must first be determined: which attacks fall under anomaly detection and which under pattern matching. The central management and control platform performs more advanced, complex intrusion detection and faces audit data from multiple detection engines. It can "correlate" network activity across regions, and its results support the detection engines in the next time period. For example, attackers often use various probes to find the most vulnerable hosts in a network and the vulnerabilities on them before the formal attack; because the attacker's "attack preparation" activity has been recorded, the IDS can judge the attack activity in time. Currently the methods most discussed at this level are data mining techniques, which detect intrusions through the correlations between audit data and can detect new attack methods.

The detection model of traditional data mining techniques is offline, like integrity detection techniques, because traditional data mining must handle large amounts of audit data and is very time-consuming. An effective IDS, however, must be real-time. Moreover, a data-mining IDS is only usable if its detection rate is comparable to that of conventional methods and its false positive rate is within an acceptable range. Columbia University proposed a real-time intrusion detection technique based on data mining, which proves that data mining can be used in real-time IDS. Its basic framework is: first extract from the audit data features that help distinguish normal data from attack behavior; then use these features in pattern matching or anomaly detection models; then apply an artificial anomaly generation method to reduce the false positive rate of the anomaly detection algorithm; and finally combine the pattern matching and anomaly detection models. Experiments show that this method improves the system's detection rate without reducing the performance of any detection model. Based on this technique, a real-time data-mining IDS is implemented with an engine, a detector, a data warehouse and model distribution, as shown in the figure. The engine observes raw data and computes the features used to evaluate the model; the detector takes the engine's output and uses the detection model to evaluate whether it is an attack; the data warehouse is the central store for data and models; and the main purpose of model distribution is to speed up the development and distribution of new intrusion detection models.

Response collaboration

As discussed earlier, the position of IDS in the network means that its own response capability is quite limited; its response should be integrated with network devices or network security devices that have adequate response capability, forming a comprehensive security system in which response and early warning complement each other. Response collaboration mainly includes the following aspects.

1. Collaboration between IDS and firewalls

Firewalls and IDS complement each other well, at both a static and a dynamic level. Statically, the IDS can analyze security events on the network more effectively by understanding the firewall's policy, achieving accurate alerts and reducing false positives. Dynamically, the IDS effectively blocks an established connection while notifying the firewall to modify its policy to prevent potential further attacks.

2. IDS with routers and switches

Since switches and routers, like firewalls, are generally connected to the network and likewise have predetermined policies that can determine the data streams on the network, the collaboration of IDS with switches and routers is very similar to that with firewalls: all have dynamic and static aspects and the process is roughly the same, so it is not discussed in detail.

3. Collaboration between IDS and antivirus systems

The synergy of IDS and antivirus systems was discussed under data collection collaboration, but in fact for antivirus systems checking and killing are two indispensable aspects: at the checking level there is data collection, and at the killing level there is response. Even if an IDS can block an established connection by sending many RST packets, replacing the firewall's response mechanism to some extent, it simply cannot prevent a computer from suffering a virus attack. As network virus attacks account for a growing proportion of all attacks, the synergy of IDS and antivirus systems is becoming more and more important.

4. IDS with honeypots and padded cells

Some tools can supplement IDS; because their functions are similar, vendors often present them as IDS. In fact these tools are quite independent, so they are not discussed here as part of the IDS; instead, after briefly introducing their functions, we describe how they work together with IDS to enhance an organization's intrusion detection capability.

Honeypot: a honeypot tries to lure attackers away from critical systems. These systems are full of information that looks useful but is actually fabricated, and honest users would not access them. Therefore, when access to the "honeypot" is detected, an attacker is very likely present. Monitoring and event logging on the honeypot detect these unauthorized accesses and collect information about the attacker's activities. The purposes of the honeypot are to divert attackers from critical systems, to collect information about their activity and to keep the attacker on the system long enough for administrators to respond. With these capabilities a honeypot can, on the one hand, provide additional data for the IDS; on the other hand, when the IDS finds an attacker, it can redirect the attacker to a honeypot, preventing harm and collecting attack information.

The "padded cell" takes a different approach. A padded cell does not try to attract attackers with enticing data; instead it waits for a traditional IDS to detect an attacker, who is then seamlessly transferred to a special padded cell host. The attacker does not realize what has happened but is now in a simulated environment where no harm can be done. As with honeypots, this simulated environment contains interesting data so that attackers believe the attack is proceeding according to plan. Padded cells offer a unique opportunity to monitor attackers.

Conclusion

Later, the entire safety system described herein

The above discussion aims to show that IDS needs to collaborate, and that all other security tools need to collaborate too; good synergy among these tools and devices may be the answer to how to ensure information security. We can regard all these collaborating tools and devices as one security system, whether it is called an integrated IDS or something else; the key is that it guarantees our information a relative degree of security.

Just as a complex home security system may include cameras, detectors and monitoring equipment that catch intermittent activity such as an intruder who has not yet broken in, an intrusion detection system (IDS) warns IT system administrators of potential security threats at the boundary of the network environment. Like other traditional security techniques absorbed into broader IT security, intrusion detection systems have become a necessary part of security solutions over the past five years.

However, intrusion detection technology has the same serious defect as other traditional security techniques: it reacts passively. Such systems are considered strategic, yet whether implemented independently or combined with other technologies they repeatedly face the same series of security attacks, and the gap that remains may allow network resources to be destroyed.

Network- and host-based intrusion detection systems are widely available but generally have shortcomings. First, they are said to be unable to adapt to huge, high-speed and complex networks. Second, implementing and monitoring such systems adds management burden to IT staff. In addition, traditional IDS technology can actually obstruct network and user activity and affect performance, eventually leading to an unsustainable management burden and frustration.

Although security staff do their best, internal computing resources in enterprises suffer attacks every day, and attacks spread as fast as access to other resources on the Internet. In this regard, application-centric intrusion prevention provides a new solution for protecting today's huge networks and enterprise environments. Intrusion prevention technology is the core of any security model that takes active measures, and such schemes therefore pay attention to application and operating system security and resource availability. In addition, behavioral enforcement policies in an intrusion prevention security environment adopt an overall analysis of the continuous development of attacks. As a result, an active defense mechanism based on application behavior can prevent important documents and network assets from being damaged.

The difference between intrusion prevention software and traditional intrusion detection products is that the former actually prevents attacks rather than merely detecting them. As mentioned earlier, current intrusion detection software is reactive: usually it scans for configuration weaknesses and discovers an attack only after it has happened. Antivirus vendors and intrusion detection vendors "stand ready at all times" and respond quickly to attack events, but by then the attack has usually taken effect and the network or desktop system has been compromised. An intrusion prevention security architecture acts as next-generation network security software: it actively strengthens the security of desktop systems and servers to prevent damage from network attacks that signature-based techniques do not discover. Intrusion prevention has a significant advantage precisely because it reduces the burden of enterprise security management. Unlike traditional intrusion detection products, intrusion prevention actually protects internal resources from attack: it restricts the behavior of potentially destructive code without hindering business operations, provides attack records and notifies enterprise security personnel as soon as an attack occurs. In addition, high-performance intrusion prevention technology can stop network-based attacks such as denial of service, probing, malformed packets and hostile connection attacks.

In order to fully provide truly effective protection for computing resources, network security managers cannot alternately rely on discovering known attacks or their changes. New methods for intrusion prevention define appropriate behaviors, and then implement these behaviors per end user desktop system and network server within the enterprise. What is the just behavior? We don't have to browse this article, you know: If a user receives an e-mail, immediately try to send the email to each contact listed on the user address book, then this is not just right. Similarly, if you are from a web browser, a mail software, or a Microsoft Office program group attempt to write to a Windows NT system file, this is not just right. Specifically, this is likely to be a macro virus. Intrusion Prevention is to monitor the behavior of system and application, and define which behavior is justified, which behavior is suspicious, so once attempting to make a range of persons than expected behavioral scope, the intrusion prevention technology will first send the system to eliminate improper systems behavior.

This high-performance intrusion prevention system can benefit IT administrators as long as set rules to control applications. As a smart agent, the intrusion prevention system will operate without sound: intercept system behavior, verify policy, and then allow or reject relevant behavior based on these policies. In addition, some highly structured intrusion prevention systems provide pre-set rules to protect web servers, mail servers, and provide general end user desktop protection.

Finally, the statistical log data can be used to generate a report that indicates the overall operation of the network. If this report is used, the IT personnel can monitor the work of the rule set, and if necessary, adjust can be adjusted. Whenever some people find a particular behavior to access the resource resource resource, this report will be recorded in the log.

Intrusion Monitoring System Combined with Vulnerability Assessment Tools is an ideal tool for reviewing and discerning it, such systems cannot prevent damage. In order to more clearly understand how intrusion prevention is further more than traditional IDS, it is actually destroyed by the attack, and you may wish to see Trojm Horse Attack.

On the surface, Trojan horse attacks don't seem hazard - it is like a useful background process. However, such attacks typically hide the destructive procedure, which may eventually destroy or modify files, or may be to establish a rear door entry point to invade people access systems. The network-based IDS found the attacked attacks in the file. The host-based IDS system may be able to analyze the review and event logs. Find the evidence that may indicate unauthorized access to the attempt, but the authorization access attempts to carry the vicious code that are sent to "security" information may slip off.

In terms of defending Troima, intrusion prevention is further compared to IDS: it can find unusual behaviors in the system, and then real-time blockage before intrusion implementation. For example, IT personnel can discover and contact application behavior, such as causing web server buffer overflow to invade people sneak into the network, mapping other executable files to steal confidential, connect the keyboard intercept input character, modify the existing executable to hide Malignant code, access the HTTP port to disguise into a legitimate web program. So these behaviors do not indicate the existence of Troima attack. Prevention of e-commerce applications or website content is critical to protecting today's open network. For those who face attacks, security measures to be prevented in response to environmental, existing intrusion prevention technology has played a role in replacement strategies.

We have already contacted a manual and automatic scanning program. These tools are very useful during the audit process. You also use the bag sniffer, which is another tool for determining which activity types exist in the network. Intrusion monitoring systems will cause your attention in both aspects. First, this kind of protection network has become more and more popular. You need to understand the current structure of the network to determine if the configuration is appropriate. Second, you may be recommended in this product, so you have to know how to recommend this product for a special network situation.

You can use multiple types of tools during the test. These tools are essential during the entire audit process. They will help you save time during a boring analysis process.

What is intrusion monitoring

An intrusion monitoring system monitors network activity in real time behind the firewall. In many cases the intrusion monitoring system is an extension of the firewall, since it records and blocks network activity. It can work together with your firewall and routers; for example, your IDS can reconfigure the firewall to keep malicious traffic outside it. You should understand, however, that the intrusion monitoring system works independently of the firewall.

An intrusion monitoring system (IDS) differs from a system scanner. A system scanner scans for system vulnerabilities using a database of attack signatures; it is concerned with configuration vulnerabilities rather than with the traffic currently entering and leaving your host. It cannot identify an attack even on a host that is being attacked.

An IDS scans current network activity, monitors and logs traffic, filters the traffic between hosts and the network according to defined rules, and provides real-time alarms. A network scanner checks hosts for previously defined vulnerabilities, while an IDS monitors and records network traffic. If you run an IDS and a scanner on the same host, a reasonable IDS will generate many alarms.

Intrusion monitoring

Most IDS programs provide very detailed analysis of network traffic. They can monitor any traffic you define. Most have default settings for FTP, HTTP, and Telnet traffic, and for other events such as local and remote login failures. You can also customize your own policies. Some of the more common monitoring techniques are discussed below.

Network traffic management

IDS programs such as Computer Associates' eTrust Intrusion Detection, Axent Intrusion Wall, Axent Intruder Alert, and ISS RealSecure let you record, report, and block almost every form of network access. You can also use these programs to monitor the network traffic of a single host; eTrust Intrusion Detection, for example, can read the web page that a user of that host last visited.

By defining policies and rules, you can capture FTP, SMTP, Telnet, and any other traffic. These rules help you trace connections and determine what has happened and what is happening on the network. These programs are very effective when you need to check that policy is applied consistently across the network.

While an IDS is a very valuable tool for security managers and auditors, company employees can also install programs like eTrust Intrusion Detection or Intruder Alert to gain access to important information. An attacker can not only read unencrypted messages but also sniff passwords and collect important information about important protocols. So your primary job is to check whether similar programs are present in the network.

System scanners, jails and IDS

Earlier in this tutorial you learned how to apply different strategies to enforce effective security. This task requires controls in different parts of the network, from the operating system to scanners, IDS programs, and firewalls. You have already used system scanners, and many security experts combine these programs with an IDS. System integrity checks, extensive logging, hacker "jails", and decoys are effective tools that can cooperate with an IDS.

Tracking

An IDS can not only record events but also determine where an event originates, which is the main reason many security experts buy an IDS. By tracing the source you can learn more about the attacker. This experience not only helps you document the attack process but also helps determine solutions.

Necessity for intrusion monitoring system

A firewall seems to meet all the needs of a system administrator. However, as attacks originating from employees and problems in the products themselves have increased, an IDS is becoming more and more necessary for monitoring illegal activity inside the firewall. New technologies also bring serious threats to the firewall. For example, a VPN can pass through the firewall, so an IDS needs to provide security behind the firewall. Although the VPN itself is secure, a rootkit or NetBus may communicate over the VPN, and the firewall cannot resist this kind of damage. For these two reasons, an IDS has become an important part of a security strategy.

We also need to note that an attacker can mount an attack that overloads the IDS, with the result that the IDS itself becomes a participant in a denial-of-service attack. Moreover, attackers will try to adjust their attack techniques so that the IDS cannot track their activity on the network.

Architecture of intrusion monitoring system

Two architectures are available, each with the environment it suits. Although a host-level IDS is more powerful and provides more detailed information, it is not always the best choice.

Network-level IDS

A network-level product like eTrust Intrusion Detection needs only a single installation. The program (or service) scans all transmissions in the entire network to determine what is happening in real time. A network-level IDS program acts as both manager and agent: the host on which the IDS is installed does all the work, and the network is simply queried passively. CA's SessionWall is also such an IDS product; its main interface is shown below:

Pros and cons

This kind of intrusion monitoring system is easy to install and deploy; usually the program only needs to be installed once, on one host. A network-level IDS is especially suited to detecting scans and denial-of-service attacks. However, this IDS architecture does not work in switched and ATM environments. Moreover, it is not particularly effective at handling privilege escalation of accounts, policy failures, and log tampering. The performance of the host drops sharply when scanning a large network, so for large, complex networks you need a host-level IDS.

Host-level IDS

As mentioned earlier, the host-level IDS architecture uses one manager and several agents. The manager sends query requests to the agents, and the agents report their hosts' network transmissions back to the manager. Direct communication between agents and the manager solves many of the problems in complex networks.

Technical tip: before deploying any host-level IDS, test it on an isolated network segment. This test helps you determine whether the manager-to-agent communication is secure and what its impact on network bandwidth is.

Managers

The manager defines the rules and policies that govern the agents. It is installed on a specially configured host that queries the agents in the network. Some managers have a graphical interface, while other IDS products run the manager only as a daemon and use other programs to administer it. Physical security is critical for the host acting as manager: if an attacker gains access to its hard disk, he can obtain important information. In addition, the manager's system should not be reachable by network users except where required, and this restriction includes Internet access.

The operating system on which the manager is installed should be as secure and free of vulnerabilities as possible. Some vendors require you to install the manager on a specific type of operating system. For example, ISS RealSecure requires installation on Windows NT Workstation rather than Windows NT Server, because it is easier to streamline the operating system on NT Workstation.

Just as with a firewall, you must establish rules for the IDS. Most IDS programs come with predefined rules; you should edit the existing rules and add new ones to provide the best protection for your network. The rules normally established fall into two categories: network anomalies and network misuse. Enterprise-class IDSs can usually implement hundreds of rules.

Vendors differ in their auditing terminology. For example, eTrust Intrusion Detection uses "rules" for the rules of a security audit, while Intruder Alert uses "policies". You will find that Intruder Alert goes further with "policies", which allow you to establish rules within individual policies. So do not be confused by terminology when learning each vendor's products.

Network abnormal monitoring

The IDS program reports anomalies at the protocol level. If configured correctly, it alerts you to NetBus, Teardrop, or Smurf attacks. For example, if there are too many SYN connections, the IDS program will notify you.

Network misuse monitoring

Network misuse includes web browsing for non-work purposes, installing unauthorized services (such as a WAR FTP server), and playing games (such as Doom or Quake). You can log it, block the traffic, or actively stop it. For example, you can use programs that respond with countermeasures, or set up decoy ("dummy") systems or networks as lures.

Network misuse is the result of a physical attack, an operating system attack, or a remote attack. Physical attacks include stealing hard drives or physically manipulating a machine to obtain information. An operating system attack is an authenticated user attempting to obtain root access. A remote attack is an attacker attacking a device over the network.

Common monitoring method

Monitoring methods commonly used by intrusion monitoring systems include signature monitoring, statistical monitoring, and expert systems. According to a report by the Ministry of Public Security Computer Information System Security Product Quality Supervision and Inspection Center, 95% of intrusion monitoring products in China are signature monitoring products that use intrusion templates for pattern matching, and the other 5% are statistical monitoring products based on probability statistics or log-based expert knowledge base products.

Signature monitoring

Signature monitoring gives a deterministic description of a known attack or intrusion, forming a corresponding event pattern. When an audited event matches a known intrusion event pattern, an alarm is raised. In principle it is similar to an expert system, and its monitoring method resembles that of computer virus detection. Currently it is mostly based on pattern matching against attack descriptions in packet signatures. This method yields high detection accuracy, but it is powerless against intrusions and attack behavior for which no knowledge has been formalized.

Statistical monitoring

Statistical models are commonly used for monitoring, and the measured parameters commonly used in a statistical model include the number, interval, and resource consumption of audit events. Five statistical models are common in intrusion monitoring:

1. Operational model: the model assumes that an anomaly can be identified by comparing the measured result against a fixed indicator, which is obtained from experience or from a statistical average; for example, many failed logins in a short time are very likely to be a password attack;

2. Variance model: the variance of the parameter is calculated and a confidence interval is set; when a measured value falls outside the confidence interval it may be anomalous;

3. Multivariate model: an extension of the operational model that performs monitoring by analyzing several parameters simultaneously;

4. Markov process model: each type of event is defined as a system state, and changes of state are represented by a state transition matrix; when an event occurs whose transition probability is low, it may be an anomalous event;

5. Time series analysis: event counts and resource consumption are ordered by time, and if a new event has a low probability at that time, the event may be an intrusion.

The biggest advantage of statistical methods is that they can "learn" users' habits, giving higher detection rates and usability. However, this "learning" capability also gives intruders the opportunity to gradually "train" the system so that intrusion events conform to the statistical rules of normal operation, thereby getting past the intrusion monitoring system.
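The operational, variance and Markov process models from the list above, carried through on constructed audit events. This is an added example, not code from the original article; the event data, thresholds and the Markov training sequence are all constructed.

```python
"""Three of the statistical models described above, applied to constructed
audit events: operational (fixed indicator), variance (confidence interval)
and Markov process (state transition matrix)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed audit events: (timestamp in seconds, event type, user).
EVENTS = [
    (0, "login_ok", "alice"), (40, "read", "alice"), (95, "write", "alice"),
    (100, "login_fail", "bob"), (103, "login_fail", "bob"),
    (106, "login_fail", "bob"), (109, "login_fail", "bob"),
    (112, "login_fail", "bob"), (115, "login_ok", "bob"),
    (120, "read", "bob"), (125, "delete", "bob"),
]


def operational_model(events, event_type="login_fail", window=60, threshold=4):
    """Operational model: a fixed indicator (here `threshold`, chosen from
    experience) is applied to a measured count. Returns (user, time) for each
    user with more than `threshold` events of `event_type` inside any
    `window`-second span; the example of repeated failed logins in the text."""
    alerts = []
    per_user = defaultdict(list)
    for t, kind, user in events:
        if kind == event_type:
            per_user[user].append(t)
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                alerts.append((user, t))
                break                           # one alert per user is enough
    return alerts


def variance_model(history, observed, k=2.0):
    """Variance model: build the confidence interval mean +/- k*stddev from the
    parameter's history and flag an observation that falls outside it.
    Returns (is_anomalous, (low, high))."""
    mu, sigma = mean(history), pstdev(history)
    low, high = mu - k * sigma, mu + k * sigma
    return not (low <= observed <= high), (low, high)


def markov_model(sequence, min_prob=0.05):
    """Markov process model: every event type is a state. The transition
    matrix is estimated from a training sequence of normal activity; the
    returned checker flags a transition whose estimated probability is below
    `min_prob`. A transition never seen in training has probability 0."""
    counts = defaultdict(Counter)
    for a, b in zip(sequence, sequence[1:]):
        counts[a][b] += 1
    matrix = {a: {b: n / sum(c.values()) for b, n in c.items()}
              for a, c in counts.items()}

    def is_anomalous(prev_state, next_state):
        return matrix.get(prev_state, {}).get(next_state, 0.0) < min_prob

    return matrix, is_anomalous


if __name__ == "__main__":
    print(operational_model(EVENTS))                        # [('bob', 112)]
    # Constructed history: failed logins per hour over ten normal hours.
    print(variance_model([1, 2, 0, 1, 3, 2, 1, 0, 2, 1], observed=5))
    # Constructed training sequence of normal sessions.
    normal = ["login_ok", "read", "read", "write", "read", "logout"] * 5
    _, check = markov_model(normal)
    print(check("login_ok", "delete"), check("read", "write"))  # True False
```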

Expert system

Monitoring intrusions with an expert system is usually targeted at specific situations. The so-called rules are knowledge; different systems and settings have different rules, and there is often no generality between them. Building an expert system depends on the strength of the knowledge base, and the completeness of the knowledge base depends on the completeness and timeliness of the audit records. Characterizing and expressing intrusions is the key to an intrusion monitoring expert system. In implementation, knowledge of intrusions is converted into IF-THEN structures (or compound structures): the condition part describes the intrusion, and the THEN part is the system's preventive measure. The effectiveness of using an expert system to prevent signature-based intrusions depends entirely on the completeness of its knowledge base.

File integrity check

A file integrity check system checks whether files have changed since the last check. It stores a database of digital digests, one per file. At each check it recomputes each file's digest and compares it with the value in the database. If they differ, the file has been modified; if they are the same, the file has not changed.

A file's digest is computed with a hash function. Regardless of the length of the file, the hash function's result is a number of fixed length. Unlike encryption algorithms, a hash algorithm is an irreversible one-way function. With highly secure hash algorithms such as MD5 and SHA, it is almost impossible for two different files to produce the same hash result, so when a file is modified it can be detected. The most widely used file integrity check system is Tripwire, and its open source version can be obtained from www.tripwire.org.

Advantages of a document integrity check system

From a mathematical analysis, defeating a file integrity check system is infeasible in either time or space. A file integrity check system is a very powerful tool for detecting modified files. In fact, it is one of the most important tools for detecting illegal use of a system.

A file integrity check system is quite flexible; it can be configured to monitor all files in the system or only certain important files.

When an intruder attacks a system, he will do two things. First, he wants to cover his tracks, that is, to hide his activity by changing executable files, library files, or log files in the system; second, he makes changes that ensure he can continue to intrude next time. Both activities can be detected by a file integrity check system.

File integrity check system weaknesses

A file integrity check system depends on a local information database. Like a log file, this data may be modified by an intruder. Once an intruder has obtained administrator privileges and completed his damage, he can run the file integrity check system himself to update the database, thus evading the system administrator. Of course, you can place the digest database on read-only media, but such a configuration is not flexible.

Making a complete file integrity check is a very time-consuming job. In Tripwire you can choose to check some file attributes instead of computing a complete digest, which speeds up the check. Some normal updates bring many file changes, which makes checking and analysis more complicated; for example, upgrading MS Outlook on a Windows NT system brings 1800 file changes.
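A minimal file integrity checker of the kind described in the two sections above: it builds a per-file digest database, recomputes and compares digests, and also guards the database itself against the weakness just discussed by checking it against a digest the operator keeps off the host. This is an added example, not Tripwire's code; the directory contents and file names are constructed, and SHA-256 is used rather than MD5 because MD5 is no longer collision resistant.

```python
"""File integrity check: baseline digests, recheck, and protect the baseline.
Added example with constructed files; not Tripwire's implementation."""
import hashlib
import json
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk=65536):
    """Fixed-length digest of a file of any size, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk `root` and record digest and size for every regular file."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": file_digest(full),
                             "size": os.path.getsize(full)}
    return baseline


def check_integrity(root, baseline):
    """Recompute digests and report modified, added and removed files."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current
                      and current[p]["sha256"] != baseline[p]["sha256"])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def save_baseline(baseline, path):
    """Write the database and return its own digest. That digest (or the whole
    file) belongs on read-only media off the monitored host, so an intruder
    with administrator rights cannot silently re-baseline after tampering."""
    data = json.dumps(baseline, sort_keys=True).encode()
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def load_baseline(path, expected_digest):
    """Refuse to trust a database whose digest no longer matches the copy
    kept away from the monitored host."""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise ValueError("baseline database has been altered")
    return json.loads(data)


def demo():
    """Constructed scenario: baseline a tree, then trojan one file, add a
    back door and delete a log; finally tamper with the database itself.
    Returns (integrity report, whether the tampered database was rejected)."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as dbdir:
        files = {"bin/ls": b"original ls", "etc/passwd": b"root:x:0:0",
                 "var/log/auth.log": b"login ok"}
        for name, body in files.items():
            full = os.path.join(root, *name.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(body)
        db_path = os.path.join(dbdir, "baseline.json")
        db_digest = save_baseline(build_baseline(root), db_path)

        # Simulated intrusion: cover tracks and leave a way back in.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"trojaned ls")
        with open(os.path.join(root, "bin", "backdoor"), "wb") as f:
            f.write(b"new binary")
        os.remove(os.path.join(root, "var", "log", "auth.log"))
        report = check_integrity(root, load_baseline(db_path, db_digest))

        # Intruder re-baselines to hide the changes; the off-host digest catches it.
        save_baseline(build_baseline(root), db_path)
        try:
            load_baseline(db_path, db_digest)
            rejected = False
        except ValueError:
            rejected = True
        return report, rejected


if __name__ == "__main__":
    print(demo())
```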

Regardless of scale and method, intrusion techniques have changed in recent years; the means and technology of intrusion have also "progressed and developed". The development and evolution of intrusion technology is mainly reflected in the following aspects:

Integration and complexity of intrusions or attacks. There are many kinds of intrusion, and intruders tend to combine them in one attack. Because network defense technology has multiplied and attacks have become harder, intruders often use several intrusion techniques when carrying out an intrusion or attack, to ensure success and to conceal the real purpose of the attack in its initial stage.

Indirection of the attacking subject, that is, concealment of the subject of the intrusion or attack. Through certain techniques, the source site and host location of the attacking subject can be masked, so that once such hiding techniques are used, the attacked target cannot directly determine who the attacker is.

The scale of intrusions or attacks is expanding. Intrusions and attacks on networks used to be aimed at a single company or website, and their purpose might be the hunting behavior of certain network technicians, not excluding commercial theft and destruction. As wars have grown larger, they have gradually escalated into electronic warfare and information warfare. Compared with information warfare, whatever its scale and technology, intrusions and attacks on computer networks in the ordinary sense are not comparable. The success or failure of information warfare and the security of a nation's main communication networks are matters of national security in the same way as the territorial security of any sovereign state.

Distribution of intrusion or attack technology. In the past, intrusion and attack behavior tended to be carried out from a single machine; with the development of defense technology, such behavior is no longer effective. So-called distributed denial of service (DDoS) can paralyze the attacked host in a short period of time. The per-machine traffic pattern of such a distributed attack does not differ from normal communication, so it is often not easy to confirm in the initial stage of the attack. Distributed attacks have been the most commonly used attack method in recent years.

Shift of the attack target. Intrusions and attacks used to take the network as their target, but recent attack behavior has changed strategically, from attacking the network to attacking the network's protection system, and the trend is intensifying. There are now reports of attacks aimed specifically at IDSs. An attacker analyzes the IDS's audit method, signature descriptions, and communication pattern, finds the weaknesses of the IDS, and then attacks it.

Future intrusion monitoring technology may develop in three directions.

Distributed intrusion monitoring

This has two meanings: first, a monitoring method for distributed network attacks; second, the use of distributed methods to monitor distributed attacks. The key technologies are the cooperative processing of monitoring information and the extraction of overall information about the intrusion attack.

Intelligent intrusion monitoring

That is, intrusion monitoring performed using intelligent methods and means. So-called intelligent methods commonly refer to neural networks, genetic algorithms, fuzzy techniques, immune principles, and similar methods, which are often used in identifying and generalizing intrusion characteristics. Using an expert system to build an intrusion monitoring system is also common. In particular, an expert system with self-learning ability, which continually updates and expands its knowledge base so that the intrusion monitoring system is constantly enhanced, should have broad application prospects. Attempts to use the concept of intelligent agents for intrusion monitoring have also been reported. A more consistent solution should combine a highly efficient conventional intrusion monitoring system with intelligent monitoring software or modules.

Comprehensive safety defense program

That is, using the ideas and methods of security engineering risk management to deal with network security issues, treating network security as an overall project. The network of concern is comprehensively evaluated from multiple angles: management, network structure, encrypted channels, firewalls, virus protection, and intrusion monitoring; a feasible comprehensive solution is then proposed.

Kernel-based intrusion monitoring

Kernel-based intrusion monitoring is a relatively new and clever Linux intrusion monitoring approach. The most important kernel-based intrusion monitoring system at present is called LIDS, and it can be downloaded from http://www.lids.org/.

Intruder Alert

Intruder Alert (ITA) is a powerful product that uses a manager/agent structure. Managers and agents can run on UNIX, NT, and Novell networks. The first advantage of ITA is that it can be used in many network environments. Since a company rarely uses only a single vendor's products, the IDS you choose should be able to work with as many vendors' products as possible.

The second advantage of ITA is its distributed management structure. The ITA software package consists of two services and three applications:

· ITA Manager (runs as a service, daemon, or Novell loadable module)

· ITA Agent (runs as a service, daemon, or Novell loadable module)

· ITA Admin (configuration application)

· ITA View (program for querying agents)

· ITA Setup (setup program for the administrator domain)

ITA and firewall

A firewall can create additional connection problems. If you try to connect to an agent that is protected by a firewall, it usually fails because the firewall only allows certain traffic through. To solve this problem, define a firewall rule for the connection.

Defining policies and establishing rules

Once you have defined a policy, you can start using it. You can view policies under the Policy Library tree. However, this list only shows potential policies. If you want to change the policies an agent is working with, click the active manager icon and then the root of the Policy Library tree.

ITA View lists some or all of the policies three times. Do not be confused by this repetition: the program lists the active policies, any policies you might use, and the policies of at least two domains: Default All Agents and Default NT. The third tree lists the policies you might add to the default domains. Of course, you can rename these default domains or add new ones. The fourth tree lists the predefined policies, which you can cut and paste into the policy library and activate. You cannot see the specific rule phrases and terms when viewing the Active Policies tree; you can see this information under the manager's name in the Policies tree (such as Student 10).

Rule establishment

Like eTrust Intrusion Detection rules, ITA rules contain several child elements. These determine which networks and hosts ITA monitors and which behaviors it acts on. All ITA policies contain three parts: Select, Ignore, and Action.

If you want to identify a specific activity, such as a NetBus connection or a LAND attack, you define it in the Select element. ITA performs the specified behavior for the rules you define. Once you use a Select segment and define an event, ITA knows about that event.

However, ITA does not yet know what action to take for this event. The Ignore segment is used to meet this need: ITA ignores any term you put in the Ignore segment, even if you have defined it. The terms in the Action segment determine what action is taken on the event you defined. If you put the same event in both the Ignore and Action segments, ITA will not take action on the event. Typically the Ignore segment is used to handle false positives. ITA rules use Boolean logic: if the Select segment is activated (true), ITA evaluates the Ignore and Action segments. For example, if the Action segment specifies that the event is to be recorded in a log file, ITA will apply the rule defined in the Action segment unless the event is also matched in the Ignore segment.

Sort by rules

You can decide the importance of each rule. Each rule can have a value from 0 to 100. A value of 0 to 33 indicates that the rule is a warning, 34 to 66 represents a medium-level security issue, and 67 to 100 indicates a serious security problem. ITA does not sort new rules; you need to place each event correctly to arrange the priority order. The three checkboxes Indirect, Filter, and Disable are not necessary for defining a rule; they are just additional controls ITA applies when using the rule. The Indirect option allows the rule only when it is referenced by other ITA rules, the Filter option removes events already monitored by other rules, and Disable removes the entire rule from ITA monitoring.
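A toy rule engine that models the Select / Ignore / Action structure and the 0-100 severity bands described in the two sections above, which is also the IF-THEN form of the expert-system rules discussed earlier (Select is the IF part, Action the THEN part). This is an added example with constructed rules and events; it is not ITA's code or rule format, and the scanner address, ports and addresses are constructed.

```python
"""Select / Ignore / Action rule evaluation with 0-100 severity bands.
Added example; not ITA's implementation. Rules and events are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


def severity_level(value: int) -> str:
    """Map a rule's 0-100 value onto the three bands given in the text."""
    if not 0 <= value <= 100:
        raise ValueError("severity must be between 0 and 100")
    if value <= 33:
        return "warning"
    if value <= 66:
        return "medium"
    return "serious"


@dataclass
class Rule:
    name: str
    select: Callable[[Event], bool]              # IF part: does the event match?
    action: str                                  # THEN part: what to do
    severity: int = 0
    ignore: Callable[[Event], bool] = lambda e: False  # suppress false positives
    disabled: bool = False                       # the Disable checkbox

    def evaluate(self, event: Event) -> Optional[dict]:
        """Boolean logic from the text: Ignore and Action are consulted only
        when Select is true, and an event matched by Ignore produces no action
        even though it would also be matched by Action."""
        if self.disabled or not self.select(event):
            return None
        if self.ignore(event):
            return None
        return {"rule": self.name, "action": self.action,
                "level": severity_level(self.severity), "event": event}


def run_rules(rules: List[Rule], events: List[Event]) -> List[dict]:
    """Apply every rule to every event and return the fired actions, most
    severe first (ITA itself does not sort; here the operator's severity
    values decide the order)."""
    hits = [h for e in events for r in rules if (h := r.evaluate(e))]
    order = {"serious": 0, "medium": 1, "warning": 2}
    return sorted(hits, key=lambda h: order[h["level"]])


# Constructed rules. Port 12345 is the well-known NetBus default, and a LAND
# packet carries identical source and destination addresses.
SCANNER = "10.0.0.5"   # constructed: the authorised vulnerability scanner
RULES = [
    Rule("netbus_connection",
         select=lambda e: e["dst_port"] == 12345,
         ignore=lambda e: e["src"] == SCANNER,   # known false positive
         action="log", severity=50),
    Rule("land_attack",
         select=lambda e: e["src"] == e["dst"],
         action="alert_and_block", severity=90),
    Rule("telnet_login_failure",
         select=lambda e: e["dst_port"] == 23 and e.get("login") == "fail",
         action="log", severity=20),
]

# Constructed events.
EVENTS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "dst_port": 12345},   # scanner: ignored
    {"src": "192.168.1.9", "dst": "10.0.0.20", "dst_port": 12345},
    {"src": "10.0.0.20", "dst": "10.0.0.20", "dst_port": 139},     # LAND
    {"src": "192.168.1.9", "dst": "10.0.0.20", "dst_port": 23, "login": "fail"},
    {"src": "192.168.1.9", "dst": "10.0.0.20", "dst_port": 80},
]

if __name__ == "__main__":
    for hit in run_rules(RULES, EVENTS):
        print(hit["level"], hit["rule"], hit["action"], hit["event"]["src"])
```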

Query

You can use ITA View to run queries. From the main interface of ITA View, click the New button to define a query. The Define New Filter dialog lets you connect to a manager and then go directly from the manager to an agent. From here you can store or load prior definitions (such as filters) to help you quickly understand the queries for a host's security condition.

Since this program runs independently of ITA Admin, you must log in to the manager. This requirement strengthens security and ensures that a crash of one program does not affect the management and querying of agents.

After connecting to the agent, you can start querying. Your queries are limited to the rules that have been established and activated in ITA View. You can also query by priority. Either use the query text box, or drag query items from the Manage Object window to the query list window, then select Go. The content of the query dialog overrides the input in the query list window.

Please cite the original address when reprinting: https://www.9cbs.com/read-110146.html
