In general, when a business or agency first enters this area, it usually starts with a network-based IDS: there is a great deal of open-source code and published information on the subject, it is easier to implement, and a network-based IDS adapts well to different environments. With the experience gained from developing a simple network IDS, it is much easier to move on to host-based IDS, distributed IDS, intelligent IDS and so on. Here the author introduces a typical IDS development approach, using a network-based IDS as the example.
According to the CIDF specification, we divide the intrusion detection system by function into four basic parts: the data acquisition subsystem, the data analysis subsystem, the console subsystem and the database management subsystem, as shown in the figure.
Specifically, the data acquisition subsystem (also called the detector or probe) and the data analysis subsystem are generally implemented on a Linux or UNIX platform; together we call them the data acquisition and analysis center. The console subsystem is implemented on Windows NT or 2000, and the database management subsystem is built on Access or another, more powerful database; together with the console subsystem we call them the control management center. This article describes how to implement the data acquisition and analysis center on Linux and the control management center on Windows NT.
A basic intrusion detection system can be built by following the steps below. The first step is to obtain the data source for the IDS. The data acquisition mechanism is the foundation on which the whole IDS is built; without it, even the cleverest cook cannot make a meal without rice, and intrusion detection is out of the question.
The data acquisition subsystem sits at the bottom of the IDS. Its main purpose is to obtain events from the network environment and supply them to the other parts. A popular practice at present is to use libpcap and tcpdump: put the network interface card into "promiscuous" mode and capture all traffic on a given network segment.
libpcap is an essential tool for capturing network packets from the kernel on UNIX or Linux. It is a system-independent API that provides a portable framework for low-level network monitoring, and it can be used for network statistics collection, security monitoring, network debugging and other applications.
tcpdump is a network monitoring tool and perhaps the most famous sniffer on UNIX. It is built on the libpcap interface and prints the headers of packets that match a Boolean filter expression, performing filtering, packet capture and packet display. tcpdump can help us characterize the normal behaviour of the system and ultimately identify abnormal behaviour. Of course, it only helps collect the traffic on a segment (traffic types, connections and so on); deciding whether network activity is normal is the work left to programmers and administrators.
libpcap and tcpdump are widely available online, and developers can obtain them from the related websites.
The second step is to build and configure the detector to implement the data acquisition function.
The appropriate hardware and software should be chosen according to the specific situation of your own network. If your network traffic is small, an ordinary PC running Linux is enough; if the monitored network carries very heavy traffic, a higher-performance machine is needed. Set aside a log partition on the Linux server for storing data.

Build the libpcap library. What you download is usually a compressed package such as libpcap.tar.Z, so first decompress and unpack it, then run the configuration script to create a Makefile suited to your own system environment, and then build the libpcap library with the make command. After libpcap is installed, a libpcap library, three include files and a man page (the user manual) will have been generated.

Build tcpdump. As with libpcap, first decompress the package and unpack it into the same parent directory as libpcap, then configure, build and install tcpdump. If configuration, build and installation all succeed, you can now collect network traffic. For how to use libpcap and tcpdump, refer to the relevant user manuals.

The third step is to build the data analysis module. There are some open-source data analysis packages on the Internet, which offer a certain convenience, but such "free lunches" generally have many limitations. To develop a truly powerful and practical IDS, developers usually have to design the data analysis module themselves, and this is often the focus of the entire IDS.
The data analysis module is equivalent to the brain of the IDS, and it must have a high degree of "wisdom" and "judgement". Therefore, before designing this module, developers need a very clear, in-depth understanding of the various network protocols, system vulnerabilities, attack techniques and suspicious behaviours. From that they develop the corresponding security rules and security policies, build a misuse detection model and an anomaly detection model separately, let the machine imitate their own analysis process, recognize attacks with known characteristics as well as abnormal behaviour, and finally form alarm messages to send to the control management center.
Designing a good data analysis module is hard, and considering that hacker techniques are constantly renewed (the attacker always seems to be one step ahead), it is destined to be a process without an endpoint that requires constant updating, upgrading and improvement. Three issues deserve special attention here: (1) the detection model and algorithms should be optimized to ensure the efficiency of the system; (2) the security rules should give full consideration to generality and extensibility, to improve the scalability of the system; (3) alarm messages should follow a specific, standard format to enhance their shareability and interoperability, and avoid unregulated message formats.
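As an added example (not code from the original article), the following Python script ties the acquisition and analysis steps above together: it reads a libpcap savefile (the format that tcpdump -w produces), decodes Ethernet/IPv4/TCP frames into events, and runs a small misuse-detection rule table plus an anomaly threshold over those events, emitting every alarm in one fixed field layout. The rule names, the scan threshold, the alarm field names, the analyzer name and the sample packets are all constructed for this example.

```python
import struct

# ---------- data acquisition: libpcap savefile reader ----------
PCAP_MAGIC = 0xA1B2C3D4
DLT_EN10MB = 1                 # libpcap link type for Ethernet
SYN, ACK, PSH = 0x02, 0x10, 0x08

def read_pcap(data):
    """Yield (ts_sec, frame_bytes) for every record in a pcap savefile."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"                      # file written on a big-endian host
    else:
        raise ValueError("not a libpcap savefile")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    if linktype != DLT_EN10MB:
        raise ValueError("example only decodes Ethernet captures")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len

def decode_frame(frame):
    """Turn an Ethernet/IPv4/TCP frame into an event dict; None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ip = ip[:struct.unpack("!H", ip[2:4])[0]]             # cut Ethernet padding
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                        # IP protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport,
            "flags": off_flags & 0x1FF, "payload": tcp[(off_flags >> 12) * 4:]}

# ---------- data analysis: misuse rules + anomaly threshold ----------
# Signatures are data, not code, so new rules are added without touching the engine.
RULES = [  # (name, severity, destination port, payload substring) - constructed
    ("HTTP directory traversal", "high", 80, b"/../"),
    ("FTP anonymous login", "low", 21, b"USER anonymous"),
]
SCAN_PORT_THRESHOLD = 5   # bare SYNs to this many distinct ports from one source

def make_alarm(ts_sec, classification, severity, src, dst):
    """Every alarm carries the same fixed field set so the console can parse it."""
    return {"version": 1, "analyzer": "nids-probe-1", "time": ts_sec,
            "classification": classification, "severity": severity,
            "source": src, "target": dst}

def analyze(pcap_bytes):
    """Run every decoded TCP event through both detection models; return the alarms."""
    alarms, syn_ports, last_ts = [], {}, 0
    for ts_sec, frame in read_pcap(pcap_bytes):
        ev = decode_frame(frame)
        if ev is None:
            continue
        last_ts = ts_sec
        for name, sev, port, needle in RULES:             # misuse detection
            if ev["dport"] == port and needle in ev["payload"]:
                alarms.append(make_alarm(ts_sec, name, sev, ev["src"], ev["dst"]))
        if ev["flags"] == SYN:                            # anomaly detection
            syn_ports.setdefault((ev["src"], ev["dst"]), set()).add(ev["dport"])
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alarms.append(make_alarm(last_ts, "possible TCP port scan", "medium", src, dst))
    return alarms

# ---------- constructed sample capture ----------
def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Assemble an Ethernet/IPv4/TCP frame with zeroed MACs and checksums."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(frames):
    """Wrap frames in a little-endian libpcap savefile, as tcpdump -w would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = build_pcap(
    [build_frame("10.0.0.5", "10.0.0.80", 40001, 80, PSH | ACK, b"GET /index.html HTTP/1.0\r\n"),
     build_frame("10.0.0.6", "10.0.0.80", 40002, 80, PSH | ACK, b"GET /cgi-bin/../../x HTTP/1.0\r\n")]
    + [build_frame("10.0.0.7", "10.0.0.80", 40100 + p, p, SYN) for p in (21, 22, 23, 25, 80, 110)]
)

if __name__ == "__main__":
    for alarm in analyze(SAMPLE_PCAP):
        print(alarm)
```

On the constructed capture the engine raises two alarms: a signature hit on the second HTTP request and a threshold hit for the host that sent bare SYNs to six ports. The rule table and the threshold are the parts that would be updated over time; the reader, decoder and alarm format stay fixed, which is what keeps the module efficient and the alarms interoperable.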
The fourth step is to build the console subsystem. The console subsystem is responsible for reporting all kinds of network violations to the network administrator and for taking the actions the administrator orders against malicious behaviour (such as blocking, tracing, etc.). Since Linux and UNIX platforms lag far behind the widely used Windows products in support for interactive interfaces, in order to make the IDS a general-purpose, easy-to-use system, the author recommends implementing the console subsystem on the Windows family of platforms.
The console subsystem has two main tasks: (1) manage the data acquisition and analysis center and provide a friendly, easy-to-use way to query the alert messages it sends; (2) according to the security policy, carry out a series of response actions to stop illegal behaviour and ensure the security of the network.
The design of the console subsystem focuses on alert information query, detector management, rule library management and user management.
1. Alert information query: the network administrator can query using a single condition or a compound condition. When the amount of alarm information is large, the system should classify the alarms by risk level and highlight the most important information the network administrator needs.
2. Detector management: the console can manage multiple probes (including starting, stopping, configuring and viewing their running status) in order to check the security of each network segment and to develop appropriate security rules for different situations.
3. Rule library management: provides tools for flexibly configuring security policies for different network segments, for example a customized rule set that can be applied to multiple probes, default security rules, and so on.
4. User management: strictly defines user rights and provides password changes, adding and deleting users, user permission configuration and so on, to effectively protect the security of the system itself.
The fifth step is to build the database management subsystem. A good intrusion detection system should not only provide real-time, rich alert information, but also record the on-site data in detail so that network events can be reconstructed when forensic evidence is needed.
The front-end program of the database management subsystem is usually integrated with the console subsystem, with Access or another database used to store alarm information and other data. The module's data come from two sources: (1) the alarm information and other important information sent by the data analysis module; (2) the data the administrator produces from query results after a conditional query, such as generated local files, formatted reports and so on.
The sixth step is joint debugging. With the steps above complete, the most basic framework of an IDS has been implemented. But for this IDS to run smoothly, the communication and interaction between its parts must be kept secure and unobstructed, and that is the problem joint debugging has to solve.
First, there is the communication between the data acquisition and analysis center and the control management center: the control management center displays the analysis results and other information sent by the data acquisition and analysis center, and the data acquisition and analysis center receives configuration, management and other commands from the control management center. Note that this communication must be secured; it is best to encrypt the communication data stream to prevent eavesdropping or tampering. At the same time, there is a large amount of interaction between the console subsystem and the database subsystem within the control management center, such as alarm information queries, network event reconstruction and so on.
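The following Python code is an added example, not part of the original article, of one way to protect the probe-to-console channel just described against tampering and replay. It assumes a pre-shared secret key on both ends and a per-message sequence number, and it binds the message direction into an HMAC-SHA256 tag so that a command sealed for the probe cannot be reflected back to the console as an alarm. Confidentiality against eavesdropping is assumed to come from wrapping the socket in TLS, which is not shown here; the key, direction labels and sample alarm are constructed.

```python
import hashlib
import hmac
import json

def seal(key, direction, seq, payload):
    """Frame one message as <json body>\\n<hex tag>; the tag covers direction and body."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, direction + b"|" + body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag

class Sender:
    """Sending side: numbers every message so the receiver can detect replays."""
    def __init__(self, key, direction):
        self.key, self.direction, self.seq = key, direction, 0

    def send(self, payload):
        self.seq += 1
        return seal(self.key, self.direction, self.seq, payload)

class Receiver:
    """Receiving side: verify the tag first, then enforce strictly increasing seq."""
    def __init__(self, key, direction):
        self.key, self.direction, self.last_seq = key, direction, 0

    def open(self, wire):
        body, _, tag = wire.rpartition(b"\n")
        expect = hmac.new(self.key, self.direction + b"|" + body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expect, tag):        # constant-time comparison
            raise ValueError("bad tag: tampered, wrong key or wrong direction")
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            raise ValueError("replayed or out-of-order message")
        self.last_seq = msg["seq"]
        return msg["payload"]

def is_rejected(receiver, wire):
    """True if the receiver refuses the frame; used by the demo below."""
    try:
        receiver.open(wire)
        return False
    except ValueError:
        return True

def demo():
    """Round-trip a constructed alarm, then show what tampering, replay and reflection do."""
    key = b"constructed-shared-key-replace-in-deployment"
    probe = Sender(key, b"probe->console")
    console = Receiver(key, b"probe->console")
    alarm = {"classification": "possible TCP port scan", "severity": "medium",
             "source": "10.0.0.7", "target": "10.0.0.80"}
    wire = probe.send(alarm)
    results = {"accepted": console.open(wire) == alarm}
    results["replay_rejected"] = is_rejected(console, wire)
    wire2 = probe.send(alarm)
    results["tamper_rejected"] = is_rejected(console, wire2.replace(b'"medium"', b'"low"'))
    results["second_accepted"] = console.open(wire2) == alarm
    # A frame sealed for the probe->console direction must not pass a console->probe check.
    results["reflection_rejected"] = is_rejected(Receiver(key, b"console->probe"), probe.send(alarm))
    return results

if __name__ == "__main__":
    print(demo())
```

The same framing works in the other direction for management commands, with the direction label swapped. Because the receiver only remembers the last sequence number, it also rejects out-of-order delivery, which is acceptable over a single TCP connection; a lossy transport would need a window instead.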
Once joint debugging passes, a basic IDS is complete. What follows is the continuous improvement of each of its functions, and especially of the system's detection capability.