Intrusion detection system:
Intrusion detection means monitoring, and possibly preventing, attempts to break into or take control of your system or network resources.
The main tasks performed by an intrusion detection system include: monitoring and analyzing user and system activity; auditing system configuration and weaknesses; recognizing activity that matches the patterns of known attacks and alerting the responsible people; statistical analysis of abnormal behavior patterns; checking the integrity of important system and data files; auditing and tracking operating system management operations; and identifying user behavior that violates the security policy. Intrusion detection is generally divided into three steps performed in sequence: information collection, data analysis, and response (passive response or active response).
Intrusion detection system technology:
Probability and statistics, expert systems, neural networks, pattern matching, behavioral analysis and similar techniques can implement the detection mechanism of an intrusion detection system: they analyze the audit records of events, identify specific patterns, and produce detection reports and final analysis results.
Intrusion detection generally adopts one of the following two techniques:
1 Anomaly detection, which assumes that every intrusion differs from normal behavior. The principle is that a trajectory of the system's normal behavior can be established, and any system state that deviates from that trajectory is treated as suspicious. The choice of anomaly threshold and of features is the key to its success or failure. Its limitation is that not every intrusion shows up as an anomaly, and the system's normal trajectory is difficult to compute and keep up to date.
2 Pattern detection, which assumes that every intrusion behavior and technique (and its variants) can be expressed as a pattern or signature, so that all known intrusion methods can be found by matching. The key to pattern detection is how to express intrusion patterns so that real intrusions are correctly distinguished from normal behavior.
The advantage of pattern detection is a low false positive rate; its limitation is that it only knows about known attacks and is powerless against unknown ones.
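The trade-off just described, as an added example that is not part of the original article: a small pattern detector with two signatures run over constructed request lines. The plain form of a known pattern is matched and the benign line is not (the low false positive rate), while a URL-encoded variant the signature author did not spell out is missed until the input is normalized. The signature names, log format and sample lines are all invented for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (source, method, path, status); not real traffic.
SAMPLE_REQUESTS = [
    "10.0.0.5 GET /index.html 200",
    "10.0.0.6 GET /docs/passwd-policy.html 200",                # benign, mentions "passwd"
    "10.0.0.7 GET /cgi-bin/../../etc/passwd 404",               # known pattern, plain form
    "10.0.0.8 GET /view?f=%2e%2e%2f%2e%2e%2fetc%2fpasswd 404",  # same intent, URL-encoded
]

# Signature database: each known intrusion pattern expressed as a regular
# expression. The detector can only ever find patterns that are listed here.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "unix-password-file": re.compile(r"/etc/passwd\b"),
}

def match_signatures(request, normalize=False):
    """Return the names of all signatures matching one request line.

    With normalize=False the raw text is matched, which is what a naive
    pattern detector does; with normalize=True the URL-encoded path is
    decoded first, so a variant that was not spelled out as its own
    signature still maps onto the stored pattern.
    """
    text = unquote(request) if normalize else request
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))

def run_pattern_detector(requests, normalize=False):
    """Map each request line to the list of signatures it triggered."""
    return {line: match_signatures(line, normalize) for line in requests}

if __name__ == "__main__":
    for mode in (False, True):
        print(f"normalize={mode}")
        for line, hits in run_pattern_detector(SAMPLE_REQUESTS, mode).items():
            label = str(hits) if hits else "no match"
            print(f"  {label:<48} {line}")
```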
Classification of intrusion detection systems:
Intrusion detection systems are typically divided into three kinds by the source of their input data:
1 Host-based intrusion detection systems, whose input data comes from the system's audit logs; these generally detect only intrusions that occur on that host.
2 Network-based intrusion detection systems, whose input data comes from the network traffic stream; these can detect intrusions that occur on the monitored network segment.
3 Distributed intrusion detection systems, which can analyze host audit logs and network data streams at the same time; such a system is made up of multiple components in a distributed structure.
Intrusion detection systems can be classified in other ways as well. By physical location, there are monitoring systems at the network boundary (firewall, router), network-based traffic monitoring systems, and host-based audit-trail monitoring systems; by modeling method, there are anomaly-based detection systems, behavior-based detection systems, and systems based on distributed immunity; by time of analysis, there are real-time intrusion detection systems and offline intrusion detection systems.
The main methods of intrusion detection:
1 Static configuration analysis
Static configuration analysis checks whether the system has been, or may be, compromised by examining its current configuration, such as the contents of system files or system tables. "Static" refers to the static characteristics of the system (its configuration information) rather than the activity in the system.
Static analysis methods are used mainly for the following reasons: intruders may leave traces when attacking a system, which can be detected by checking the system's state; system administrators and users inevitably make errors or omit some system security measures; and after a system has been compromised, intruders may install something in the system to facilitate further attacks on it.
Static configuration analysis therefore requires as much knowledge as possible of the system's defects; otherwise an intruder only needs to exploit a security defect the detection system does not know about in order to evade it.
2 Anomaly detection
Anomaly detection is a method of detecting intruders that does not require knowledge of the operating system and its security defects, and it is also an effective method of detecting intruders who masquerade as legitimate users. In many environments, however, it is difficult to build a characteristic profile of normal behavior patterns and to set the alarm threshold for how anomalous user activity must be, so anomaly detection techniques cannot detect every intrusion.
Currently such intrusion detection systems use statistical or rule-based methods to establish the behavioral characteristics of system subjects:
(1) A statistical profile is described by the frequency, mean and deviation of the subject's characteristic variables. For example, SRI's next-generation real-time intrusion detection expert system uses this approach, and it is very effective against Trojan horses and deceptive applications.
(2) A rule-based characteristic profile consists of rules describing the legal value range of each feature of the subject and its relationship to other features (for example TIM). Data mining techniques can also be used to extract such rules from large databases.
(3) The neural network approach has self-learning and adaptive capability; it can learn the characteristic model of normal user or system activity by itself, avoiding the difficulty of selecting statistical features.
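A statistical profile of the kind described in (1), as an added example that is not part of the original article: the mean and deviation of one characteristic variable (failed logins per hour for one user) are learned from a constructed baseline, observations are scored in standard deviations, and two alarm thresholds show the false-alarm trade-off. The final function shows why the profile is hard to keep up to date: feeding an attack hour back into the baseline widens the deviation and hides a later, smaller attack. All values are invented for the example.

```python
from statistics import mean, pstdev

# Constructed baseline: failed logins per hour for one user over 24 normal hours.
# This is the characteristic variable whose frequency, mean and deviation make up
# the statistical profile; the values are invented for this example.
BASELINE = [0, 1, 0, 0, 2, 1, 0, 0, 1, 0, 3, 1, 0, 0, 1, 2, 0, 0, 1, 0, 0, 1, 0, 1]

# Constructed observations to score against that profile.
OBSERVATIONS = {"quiet hour": 0, "busy but normal hour": 3, "guessing hour": 14}

def build_profile(samples):
    """Statistical profile of a subject: mean and population standard deviation."""
    return {"mean": mean(samples), "stdev": pstdev(samples)}

def anomaly_score(profile, value):
    """Distance of one observation from the learned mean, in standard deviations."""
    if profile["stdev"] == 0:  # constant baseline: any change is maximally anomalous
        return float("inf") if value != profile["mean"] else 0.0
    return (value - profile["mean"]) / profile["stdev"]

def classify(profile, observations, threshold):
    """True where the observation exceeds the alarm threshold (the value whose
    choice decides the trade-off between missed intrusions and false alarms)."""
    return {label: anomaly_score(profile, v) > threshold for label, v in observations.items()}

def update_profile(samples, value, window=24):
    """Slide the baseline forward by one hour and rebuild the profile. Only hours
    judged normal should be fed back: including an attack hour widens the
    deviation and hides later attacks of similar size."""
    new_samples = (samples + [value])[-window:]
    return new_samples, build_profile(new_samples)

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for threshold in (2.0, 3.0):
        print(f"threshold={threshold}: {classify(profile, OBSERVATIONS, threshold)}")
    _, poisoned = update_profile(BASELINE, OBSERVATIONS["guessing hour"])
    print("8 failures scored against clean vs poisoned profile:",
          round(anomaly_score(profile, 8), 2), round(anomaly_score(poisoned, 8), 2))
```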
3 Behavior-based detection
Behavior-based detection identifies intrusion activity in the system by detecting behavior that resembles known intrusions, that is, behavior that exploits system defects or indirectly violates the system's security rules.
At present, behavior-based intrusion detection systems differ only in how they represent intrusion patterns (signatures) and in the mechanism used to check for signs of intrusion in the system's audit data; they fall mainly into several categories: expert systems, state transition analysis, pattern matching and others. The main limitation of these methods is that they detect intrusions only on the basis of known intrusion sequences and system defect patterns, so new intrusion attacks and unknown, latent system defects go undetected.
Although each intrusion detection method achieves good results in some respects, each has shortcomings overall, so several methods are often used at the same time, complementing one another to complete the detection task.
Structure and standardization of intrusion detection systems:
Currently the Common Intrusion Detection Framework (CIDF) organization and the IETF are both attempting to standardize intrusion detection systems. CIDF describes a general model of an intrusion detection system that divides it into four components: event generator, event analyzer, response unit and event database. CIDF refers collectively to the data an intrusion detection system needs to analyze as events; an event can be a packet on the network, or information obtained in other ways, such as from system logs.
The event generator obtains events from the whole computing environment and provides them to the other parts of the system; the event analyzer analyzes the data obtained and generates analysis results; the response unit is the functional unit that reacts to the analysis results, and its reaction can be as strong as cutting off a connection or changing file attributes, or as simple as an alarm. The event database is the general term for where all kinds of intermediate and final data are stored; it can be a complex database or a simple text file. In this model the first three components take the form of programs, while the last is often a file or a data stream.
The components of an intrusion detection system are often located on different hosts. Typically there are three machines, running the event generator, the event analyzer and the response unit respectively.
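The four CIDF components wired together, as an added example that is not part of the original article or of any CIDF implementation: constructed audit log lines are turned into events by the generator, the analyzer applies a simple rule and writes both intermediate and final data to the event database (an in-memory list standing in for a text file), and the response unit produces either a passive response (alarm) or an active one (a cut-off decision, recorded rather than executed). The log format, the threshold and the addresses (documentation ranges) are all assumptions for the example.

```python
from collections import Counter

# Constructed audit log lines standing in for events from the computing
# environment; addresses are from the documentation-only 192.0.2.0/24 and
# 198.51.100.0/24 ranges.
RAW_LOG = [
    "sshd: Accepted password for alice from 192.0.2.10",
    "sshd: Failed password for admin from 198.51.100.7",
    "sshd: Failed password for admin from 198.51.100.7",
    "sshd: Failed password for root from 198.51.100.7",
    "sshd: Failed password for bob from 192.0.2.11",
]

FAILURE_THRESHOLD = 3  # analyzer rule; an assumption for this example

def event_generator(lines):
    """Event generator: turn raw audit records into CIDF events (here, dicts)."""
    for line in lines:
        words = line.split()
        yield {"outcome": words[1].lower(), "user": words[4], "source": words[6]}

def event_analyzer(events, db):
    """Event analyzer: count failures per source; emit an alert when the rule fires."""
    failures = Counter()
    for ev in events:
        db.append(("event", ev))  # intermediate data kept in the event database
        if ev["outcome"] == "failed":
            failures[ev["source"]] += 1
            if failures[ev["source"]] == FAILURE_THRESHOLD:
                alert = {"kind": "repeated-login-failure",
                         "source": ev["source"], "count": failures[ev["source"]]}
                db.append(("alert", alert))  # final data
                yield alert

def response_unit(alert, active=False):
    """Response unit: a passive response is an alarm; an active response also
    cuts the source off. The cut-off is only a recorded decision here."""
    actions = [f"alarm: {alert['kind']} from {alert['source']}"]
    if active:
        actions.append(f"block: {alert['source']}")
    return actions

def run_ids(lines, active=False):
    """Wire the four components together and return the database and responses."""
    db = []  # event database: could equally be a text file or a real database
    alerts = event_analyzer(event_generator(lines), db)
    responses = [response_unit(alert, active) for alert in alerts]
    return db, responses

if __name__ == "__main__":
    db, responses = run_ids(RAW_LOG, active=True)
    print(f"{len(db)} records stored; responses: {responses}")
```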
The IETF's Intrusion Detection Working Group (IDWG) is responsible for defining the communication formats between intrusion detection system components and between intrusion detection systems from different vendors. At present there are only the relevant drafts, and no formal RFC has yet been produced. The IDWG documents are:
the Intrusion Alert Protocol (IAP), an application-layer protocol over TCP used to exchange intrusion alert information; the Intrusion Detection Exchange Protocol (IDXP), an application-layer protocol for exchanging data between intrusion detection entities, which provides for the exchange of Intrusion Detection Message Exchange Format (IDMEF) messages, unstructured text and binary data; IDMEF, the data format itself; and the Tunnel profile document, which allows a Blocks Extensible Exchange Protocol (BEEP) peer to act as an application-layer proxy so that users can reach the service through a firewall. IAP was the earliest communication protocol designed and will be replaced by IDXP; IDXP is based on BEEP, and the Tunnel profile is used in conjunction with IDXP.
Main problems and development trends facing intrusion detection systems
Main problems facing intrusion detection systems
1 False alarms
A false alarm is an alarm raised by the intrusion detection system on computer use that is in fact normal and legitimate. False alarms are not only annoying, they also reduce the efficiency of the intrusion detection system. Attackers can, and often do, construct packets that produce unpredictable "normal" false alarms in order to induce people to turn the intrusion detection system off.
No intrusion detection system is invincible, and every application system eventually contains errors. The reasons include the lack of a standard mechanism for sharing information and of a centralized coordination mechanism; different networks and hosts have different security problems, and different intrusion detection systems each have their own functions; a lack of the ability to act within a bounded period of time; and a lack of effective tracking and analysis.
2 Sophisticated and organized attacks
Attacks can come from anywhere, especially attacks planned by an organized group of technically skilled attackers; such attackers spend a long time preparing and launch attacks on a global scale, and discovering such complex attacks is difficult.
In addition, high-speed network technology, especially switching technology, and the development of encrypted channel technology have made data acquisition by listening on a shared network segment inadequate, and the huge volume of traffic places new demands on data analysis.
Development trends of intrusion detection systems
Overall, in addition to improving conventional, traditional techniques (pattern recognition and integrity checking), intrusion detection systems should focus on strengthening research into statistical analysis. Many scholars are studying new detection methods, such as active defense using autonomous agents and applying immunological principles to intrusion detection. The main development directions can be summarized as:
(1) Distributed intrusion detection and CIDF
Traditional intrusion detection systems are generally limited to a single host or network architecture, which is clearly insufficient for heterogeneous systems and large-scale networks, and different intrusion detection systems cannot work together. Distributed intrusion detection technology and CIDF are needed to address this.
(2) Application-layer intrusion detection
Many intrusion semantics can only be understood at the application layer. Current intrusion detection systems can only detect common protocols such as the Web, and cannot handle other applications such as the Lotus Notes database system. With the widespread use of client/server structures, middleware technology and object technology, intrusion detection protection for the application layer is needed.
(3) Intelligent intrusion detection
Intrusion methods are becoming increasingly diverse and comprehensive. Although intelligent systems, neural networks and genetic algorithms have already been applied in the intrusion detection field, this is still only research work, and intelligent intrusion detection systems need further study to solve the problems of self-learning and adaptability.
(4) Combining with network security technologies
Combining with network security and e-commerce technologies such as firewalls, PKIX and Secure Electronic Transaction (SET) to provide complete network security.
(5) Establishing an evaluation system for intrusion detection systems
Designing general intrusion testing and evaluation methods and platforms, so that multiple intrusion detection systems can be tested, has become another important research and development area for intrusion detection systems. An intrusion detection system can be evaluated in terms of detection range, system resource consumption and its own reliability; the evaluation indicators include whether it can guarantee its own security, the overhead of operating and maintaining the system, alarm accuracy, load capacity, supported network types, supported intrusion signatures, whether IP fragment reassembly is supported, and whether TCP stream reassembly is supported.
In summary, as an active security protection technology, an intrusion detection system provides real-time protection against internal attacks, external attacks and misuse, intercepting and responding to intrusions before the network system is harmed. As the requirements placed on network communication technology grow ever higher and reliable service must be provided to network applications such as e-commerce, and because the intrusion detection system can provide security services from the perspective of network security as part of a multi-level defense, it will receive ever greater attention.