System risk and intrusion detection
Computer network security is an international issue, and the economic losses caused by insecure computer network systems have reached billions of dollars per year. After entering the new century, these losses will reach more than 200 billion US dollars.
Governments, banks and large enterprises all have their own internal network (intranet) resources. In the networked office environments of these organizations, the administrative structure is a pyramid, but the network management of the LAN is flat. From a network security perspective, when a company's internal systems are intruded upon, destruction and leakage are serious problems, and network security issues deserve more of our attention. According to statistics, more than 80% of intrusions around the world come from inside. In addition, undisciplined employees may cause huge losses to network resources.
Merchants, banks and other commercial and financial institutions have moved onto the Internet in the e-commerce boom, and digital government projects will connect state organs to the Internet. The interconnection of individuals, companies and governments through the Internet has gradually become a reality. As the range of network applications continues to expand, attacks on and destruction of networks of all kinds are increasing. Whether government, business, financial or media, websites have all been intruded upon and damaged. Network security has become an important part of national security and national defense, and it is also key to the development of the national network economy.
According to statistics, information theft has grown by 250% in the past five years, and 99% of large companies have experienced such incidents. World-famous commercial websites such as Yahoo, Buy, eBay, Amazon and CNN have been hacked, causing huge economic losses. Even the website of RSA, which specializes in network security, has been attacked by hackers.
Detecting and preventing intrusion attacks, and safeguarding the security of computer systems, network systems and the entire information infrastructure, has become an important topic.
Network security is a systematic concept, and developing a valid security policy or plan is the primary goal of network information security. Network security technologies mainly include authentication and authorization, data encryption, access control and security auditing. Intrusion detection, the focus of this paper, is one of the core technologies of security auditing and an important part of network security protection.
Intrusion detection is a technology designed and configured to ensure the security of computer systems by detecting and reporting unauthorized or abnormal phenomena; it is a technique for detecting behavior in a computer network that violates security policy. Violations of security policy are: intrusion (violations by illegal users) and abuse (violations by users).
Using audit records, an intrusion detection system can identify any undesirable activity and restrict it to protect the security of the system. An intrusion detection system can detect an intrusion attack before it harms the system, and use the alarm and protection systems to expel it. During an intrusion attack, it can reduce the loss the attack causes. After an intrusion, it collects the relevant information about the attack and adds it to the knowledge base as knowledge for the prevention system, enhancing the system's prevention capabilities.
Intrusion detection product analysis
1. Intrusion detection product
After several years of development, intrusion detection products have entered a period of rapid growth. An intrusion detection product usually consists of two parts: a sensor and a console. The sensor is responsible for acquiring data (network packets, system logs, etc.), analyzing the data and generating security events. The console mainly provides central management; commercial products typically provide a console with a graphical interface, and basically all of them support the Windows NT platform.
From a technical point of view, these products basically fall into the following categories: network-based products and host-based products. Hybrid intrusion detection systems make up for some of the one-sided shortcomings of network-based and host-based products. In addition, file integrity checking tools can also be regarded as a class of intrusion detection products.
2. Network-based intrusion detection
Network-based intrusion detection products (NIDS) are placed on the more important network segments and continuously monitor the packets on the segment, performing feature analysis on each packet or each suspicious packet. If a packet matches certain rules built into the product, the intrusion detection system issues an alert or even cuts off the network connection. At present, most intrusion detection products are network-based. It is worth mentioning that among network intrusion detection systems there are several well-known open source packages, such as Snort, NFR and Shadow. Snort's community (http://www.snort.org) is very active, and the pace of its intrusion feature updates and development has exceeded that of most commercial products.
Advantages of network intrusion detection systems:
A network intrusion detection system can detect attacks that come from the network, including illegal access that exceeds authorization.
A network intrusion detection system does not require changing the configuration of servers or other hosts. Since it installs no additional software on the hosts of the business system, it does not consume their CPU, I/O or disk resources and does not affect the performance of the business system.
Because a network intrusion detection system does not operate as a critical device such as a router or firewall, it does not become a critical path in the system. A failure of the network intrusion detection system does not affect normal business operation. The risk of deploying a network intrusion detection system is much lower than that of a host intrusion detection system.
In recent years, network intrusion detection systems have trended toward dedicated appliances. Installing such a system is very convenient: connect the customized device to the power supply, do very little configuration, and connect it to the network.
Weaknesses of network intrusion detection systems:
A network intrusion detection system only inspects traffic on the network segment it is attached to and cannot see packets on other segments. This limited monitoring range becomes a problem in switched Ethernet environments, and installing multiple sensors increases the cost of the whole deployment.
To meet performance targets, network intrusion detection systems typically use feature detection, which can detect some ordinary attacks but has difficulty detecting complex attacks that require large amounts of computation and analysis time.
A network intrusion detection system may send a large amount of data back to the analysis system. In some systems, monitoring specific packets produces a large amount of analysis traffic. Some systems reduce the amount of returned data by having the sensor make the intrusion decision, so that the central console is only a status display and communication center, no longer an intrusion analyzer. The sensors in such a system are weaker.
Network intrusion detection systems have difficulty handling encrypted sessions. At present there are not many attacks through encrypted channels, but with the spread of IPv6 this problem will become more and more prominent.
3. Host-based intrusion detection
Host-based intrusion detection products (HIDS) are usually installed on the hosts that most need monitoring, and mainly perform intelligent analysis and judgment on the host's real-time network connections and system audit logs. If a subject's activity is very suspicious (it matches a feature or violates statistical norms), the intrusion detection system takes appropriate measures.
Advantages of host intrusion detection systems:
Host intrusion detection systems are very useful for analyzing "possible attack behavior". For example, besides indicating that an intruder tried to execute some "dangerous commands", they can also tell what the intruder did: which programs they ran, which files they opened, and which system calls they executed. Host intrusion detection systems can provide more detailed information than network intrusion detection systems.
Host intrusion detection systems usually have a lower false positive rate than network intrusion detection systems, because detecting command sequences on a host is simpler than detecting network streams, and the system is less complex.
Host intrusion detection systems can be deployed where widespread intrusion detection is not needed, or where the communication bandwidth between the sensor and the console is insufficient. A host intrusion detection system carries little risk as long as response methods such as "stop service" and "log out user" are not used.
Weaknesses of host intrusion detection systems:
A host intrusion detection system is installed on the device we need to protect. For example, when a database server is to be protected, the intrusion detection system is installed on the server itself. This reduces the efficiency of the application system. It also brings additional security issues: once the host intrusion detection system is installed, a security administrator who would otherwise not be allowed to access the server gains access to it. Another problem is that a host intrusion detection system relies on the server's inherent logging and monitoring capabilities. If the server is not configured for logging, it must be reconfigured, which has an unforeseeable performance impact on the running business system.
Deploying host intrusion detection comprehensively is costly. It is difficult for a company to protect all of its hosts with host intrusion detection systems, so only some hosts can be selected for protection. Machines without a host intrusion detection system become blind spots, and intruders can use these machines to reach their targets.
A host intrusion detection system monitors only its own host and does not monitor what happens on the network. The workload of intrusion analysis grows as the number of hosts increases.
4. Mixed intrusion detection
Network-based and host-based intrusion detection products each have deficiencies, and using only one class of product leaves the active defense system incomplete. However, their shortcomings are complementary. If the two classes of product can be seamlessly combined and deployed in the network, they form a complete, three-dimensional active defense system: a combined network-based and host-based intrusion detection system can find information both in the network and in system logs.
5. File integrity check
A file integrity checking system checks which files have changed since the last check. It keeps a database holding a message digest for each file. At each check, it recalculates the file's digest and compares it with the value in the database. If the two differ, the file has been modified; if they are the same, the file has not changed.
A file's digest is calculated with a hash function. Regardless of the length of the file, the result of the hash function is a number of fixed length. Unlike an encryption algorithm, a hash algorithm is an irreversible one-way function. With high-security hash algorithms such as MD5 and SHA, it is almost impossible for two different files to produce the same hash result. Thus, when a file is modified, it can be detected. Among file integrity checkers, the most comprehensive is Tripwire, whose open source version can be obtained from www.tripwire.org.
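The digest-database check described above, written out as an added example (not Tripwire's code and not part of the original article). It uses SHA-256, since practical collisions are known for MD5 and SHA-1, and it goes one step beyond the paragraph by authenticating the database with an HMAC so that a rewritten database is rejected; the key, file names and contents are constructed for the demonstration, and the key is assumed to be stored off the monitored host.

```python
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 digest of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (by relative path) to its current digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = file_digest(full)
    return digests


def seal(digests, key):
    """Serialize the digest database and authenticate it with HMAC-SHA256."""
    body = json.dumps(digests, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def unseal(sealed, key):
    """Return the digest database, or raise ValueError if it was altered."""
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("digest database failed authentication")
    return json.loads(sealed["body"])


def compare(baseline, current):
    """Classify the differences between stored digests and a fresh snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def demo():
    key = b"constructed-demo-key"  # assumption: kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        # Constructed files standing in for an executable, a library and a log.
        for name, data in [("login", b"v1"), ("libc.so", b"lib"), ("syslog", b"line1\n")]:
            write(root, name, data)
        sealed = seal(snapshot(root), key)  # baseline taken on a known-good system

        # Constructed changes of the kind the check is meant to report.
        write(root, "login", b"v1-patched")
        os.remove(os.path.join(root, "syslog"))
        write(root, "extra", b"new")
        report = compare(unseal(sealed, key), snapshot(root))

        # A database regenerated on the host without the key keeps the old tag
        # (or has none), so it no longer authenticates.
        rewritten = {"body": json.dumps(snapshot(root), sort_keys=True), "tag": sealed["tag"]}
        try:
            unseal(rewritten, key)
            rewritten_accepted = True
        except ValueError:
            rewritten_accepted = False
        return report, rewritten_accepted


if __name__ == "__main__":
    print(demo())
```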
Advantages of file integrity checking systems:
Mathematical analysis shows that defeating a file integrity checking system is infeasible in terms of both time and space. A file integrity checking system is a very powerful tool for detecting file modification. In fact, it is one of the most important tools for detecting whether a system has been used illegally.
A file integrity checking system is quite flexible: it can be configured to monitor all files in the system or only certain important files.
When an intruder attacks a system, he does two things. First, he covers his tracks, hiding his activity by changing executable files, library files or log files on the system; second, he makes some changes to ensure that he can get in again next time. Both activities can be detected by a file integrity checking system.
Weaknesses of file integrity checking systems:
A file integrity checking system depends on a local digest database. Like log files, this data may be modified by intruders. Once an intruder has administrator privileges, he can finish his destructive activity and then run the file integrity checking system to update the database, thereby deceiving the system administrator. Of course, the digest database can be placed on read-only media, but such a configuration is not flexible.
A complete file integrity check is very time consuming. In Tripwire, you can choose to check some system features instead of a complete digest, which speeds up the check.
Some normal system updates bring a large number of file changes, which makes checking and analysis more complicated; for example, upgrading MS-Outlook on Windows NT causes 1800 file changes.
Intrusion detection technology analysis
1. Technical classification
The techniques used in intrusion detection systems can be divided into two types: feature detection and anomaly detection.
Feature detection
Feature detection (signature-based detection), also known as misuse detection, assumes that intruder activity can be represented by a pattern. The system's goal is to detect whether a subject's activity matches these patterns. It can detect existing intrusion methods, but it is powerless against new ones. The difficulty lies in designing patterns that both express the "intrusion" phenomenon and do not include normal activity.
Anomaly detection
Anomaly detection assumes that an intruder's activity is abnormal relative to the activity of a normal subject. Based on this idea, an "activity profile" of the subject's normal activity is established, and the subject's current activity is compared with the "activity profile". When the activity violates the profile's statistical norms, it is considered a possible "intrusion". The difficulty of anomaly detection is how to build the "activity profile" and how to design the statistical algorithm so that normal operations are not treated as "intrusion" and true "intrusion" is not ignored.
2. Common detection methods
The detection methods commonly used by intrusion detection systems are feature detection, statistical detection and expert systems. According to a report by the Ministry of Public Security Computer Information System Safety Product Quality Supervision and Inspection Center, 95% of intrusion detection products in China are feature detection products that use intrusion templates for pattern matching, and the other 5% are statistical detection products using probability statistics and log-based expert knowledge base products.
Feature detection
Feature detection describes known attacks or intrusions in a definite way to form corresponding event patterns. When an audited event matches a known intrusion event pattern, an alarm is raised. In principle it is similar to an expert system, and its detection method is similar to the way computer viruses are detected. At present, pattern matching based on descriptions of packet features is the common application.
This method has high detection accuracy, but it is powerless against intrusions and attacks for which there is no prior experience.
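Pattern matching on packet features, as an added example (not from the original article or from any product). It shows that where the pattern is matched matters: a pattern matched packet by packet is missed when the payload arrives in several segments, while matching on the reassembled stream still finds it. The signature names, byte patterns, addresses and packets are all constructed, and the overlap rule (first received byte wins) is an assumption.

```python
from collections import defaultdict

# Constructed signatures (assumption): alert name -> byte pattern.
SIGNATURES = {
    "passwd-file-request": b"/etc/passwd",
    "cmd-exe-request": b"cmd.exe",
}


def match_payload(payload):
    """Names of all signatures whose pattern occurs in the payload."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in payload)


def per_packet_alerts(packets):
    """Match every packet on its own, as a stateless sensor would."""
    return sorted({(p["flow"], n) for p in packets for n in match_payload(p["data"])})


def reassemble(packets):
    """Rebuild each flow's byte stream from segments placed by sequence number.

    Returns flow -> list of contiguous byte runs. Bytes on either side of a
    gap (data not yet seen) are never joined, so a gap cannot create a match.
    """
    by_flow = defaultdict(dict)
    for pkt in packets:
        buf = by_flow[pkt["flow"]]
        for i, byte in enumerate(pkt["data"]):
            buf.setdefault(pkt["seq"] + i, byte)  # assumption: first copy wins
    streams = {}
    for flow, buf in by_flow.items():
        runs, current, prev = [], bytearray(), None
        for off in sorted(buf):
            if prev is not None and off != prev + 1:
                runs.append(bytes(current))
                current = bytearray()
            current.append(buf[off])
            prev = off
        if current:
            runs.append(bytes(current))
        streams[flow] = runs
    return streams


def stream_alerts(packets):
    """Match the signatures against each flow's reassembled stream."""
    alerts = set()
    for flow, runs in reassemble(packets).items():
        for run in runs:
            alerts.update((flow, name) for name in match_payload(run))
    return sorted(alerts)


def split_segments(flow, data, cuts):
    """Constructed-input helper: cut one payload into segments at the offsets in cuts."""
    bounds = [0, *cuts, len(data)]
    return [{"flow": flow, "seq": a, "data": data[a:b]} for a, b in zip(bounds, bounds[1:])]


REQUEST = b"GET /cgi-bin/x?f=/etc/passwd HTTP/1.0\r\n"
# Constructed traffic: a normal request, the pattern in one packet, and the
# same request cut inside the pattern with the segments arriving out of order.
SAMPLE = (
    split_segments("192.0.2.5:1025", b"GET /index.html HTTP/1.0\r\n", [])
    + split_segments("192.0.2.6:1026", REQUEST, [])
    + list(reversed(split_segments("192.0.2.7:1027", REQUEST, [24])))
)

if __name__ == "__main__":
    print("per packet:", per_packet_alerts(SAMPLE))
    print("per stream:", stream_alerts(SAMPLE))
```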
Statistical detection
Statistical models are commonly used for anomaly detection. The measurement parameters commonly used in statistical models include the number of audit events, the interval between them, and resource consumption. The five statistical models commonly used in intrusion detection are:
● Operational model: assumes that an anomaly can be found by comparing a measurement against some fixed indicator; the fixed indicator can be derived from empirical values or from statistics over a period of time. For example, multiple failed logins in a short time may be a password-guessing attack.
● Variance: calculate the variance of the parameter and set its confidence interval; a measured value outside the confidence interval indicates a possible anomaly.
● Multivariate model: an extension of the operational model, implemented over multiple parameters.
● Markov process model: define each type of event as a system state and use a state transition matrix to represent changes of state; when an event occurs and the probability of that state transition is small, the event may be abnormal.
● Time series analysis: order event counts and resource consumption by time; if a new event has a low probability of occurring at that time, the event may be an intrusion.
The biggest advantage of statistical methods is that they can "learn" users' habits, giving higher detection rates and availability. But this "learning" capability also gives intruders the opportunity to gradually "train" the system so that intrusion events conform to the statistical norms of normal operation, and thus pass through the intrusion detection system.
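Three of the five models listed above (operational, variance and Markov process), run over small audit records, as an added example that is not part of the original article. All event data, thresholds and event names are constructed, and the three-standard-deviation interval is an assumed choice of confidence interval.

```python
from collections import Counter, defaultdict, deque
from statistics import mean, stdev


def operational_model(events, limit=3, window=60):
    """Operational model: flag a user whose failed logins within `window`
    seconds exceed the fixed indicator `limit`."""
    recent = defaultdict(deque)
    flagged = []
    for ts, user, outcome in events:
        if outcome != "fail":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > limit and user not in flagged:
            flagged.append(user)
    return flagged


def variance_model(history, value, k=3.0):
    """Variance model: True when value lies outside mean +/- k standard deviations."""
    m, s = mean(history), stdev(history)
    return not (m - k * s <= value <= m + k * s)


def train_markov(sequences):
    """Estimate the state transition matrix from normal event sequences."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return {a: {b: n / sum(c.values()) for b, n in c.items()} for a, c in counts.items()}


def markov_model(matrix, sequence, min_prob=0.05):
    """Markov model: return the transitions whose learned probability is below
    min_prob (transitions never seen in training count as probability 0)."""
    return [
        (a, b)
        for a, b in zip(sequence, sequence[1:])
        if matrix.get(a, {}).get(b, 0.0) < min_prob
    ]


# Constructed audit records: (timestamp in seconds, user, login outcome).
LOGIN_EVENTS = [
    (0, "alice", "fail"), (30, "alice", "ok"),
    (100, "bob", "fail"), (110, "bob", "fail"), (115, "bob", "fail"), (121, "bob", "fail"),
    (400, "alice", "fail"),
]
# Constructed history of CPU seconds used per session by one user.
CPU_HISTORY = [12, 15, 11, 14, 13, 12, 16, 13]
# Constructed normal sessions used to learn the transition matrix.
NORMAL_SESSIONS = [
    ["login", "read", "read", "logout"],
    ["login", "read", "write", "logout"],
    ["login", "write", "read", "logout"],
]

if __name__ == "__main__":
    print("operational:", operational_model(LOGIN_EVENTS))
    print("variance:", variance_model(CPU_HISTORY, 14), variance_model(CPU_HISTORY, 45))
    matrix = train_markov(NORMAL_SESSIONS)
    print("markov:", markov_model(matrix, ["login", "read", "chmod", "logout"]))
```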
Expert system
Expert systems are often used to detect feature intrusions. The so-called rules are knowledge; different systems and settings have different rules, and rules often do not carry over from one to another. Building an expert system depends on the completeness of the knowledge base, and the completeness of the knowledge base in turn depends on the completeness and timeliness of the audit records. Extracting and expressing intrusion features is the key to an intrusion detection expert system. In implementation, knowledge about intrusions is converted into IF-THEN structures (or compound structures): the IF part is the intrusion feature, and the THEN part is the system's preventive measure. The effectiveness of using an expert system to prevent feature intrusions depends entirely on the completeness of the expert system's knowledge base.
Intrusion detection product selection points
The main points to consider when you choose an intrusion detection system:
1. System price
Price is of course a main point, but the price/performance ratio and the value of the protected system are more important.
2. Fees for upgrades and maintenance of the feature library
Like anti-virus software, the feature library of intrusion detection needs to be continuously updated to detect new attack methods.
3. For network intrusion detection systems, the maximum traffic that can be handled (packets per second, PPS)
First, analyze the network environment in which the network intrusion detection system will be deployed. If it is deployed on a 512K or 2M line, a high-speed intrusion detection engine is unnecessary; in a high-load environment, performance is a very important indicator.
4. Is this product easy to be evaded?
Some commonly used methods of evading intrusion detection are: fragmentation, TTL spoofing, abnormal TCP segmentation, slow scans, coordinated attacks, etc.
5. Scalability
The number of sensors supported by the system, the maximum database size, the communication bandwidth between the sensor and the console, and the processing of the audit log overflow.
6. Overhead of running and maintaining systems
The structure of the product's reports, the handling of false positives, the convenience of working with events and transactions, and the number of technicians needed to use the system.
7. Product support for intrusion features
Different vendors calculate the size of their detection feature libraries in different ways, so one vendor's claims cannot be taken at face value.
8. What kind of response is available?
This should be examined from several angles, such as local and remote. Automatically changing the firewall configuration is a function that sounds "cool"; however, automatic configuration of the firewall can be an extremely dangerous move.
9. Whether it has been evaluated by national authorities
The main authoritative evaluation bodies are: the National Information Security Evaluation Certification Center and the Ministry of Public Security Computer Information System Safety Product Quality Supervision and Inspection Center.
Intrusion detection technology development direction
Regardless of scale or method, intrusion techniques have changed in recent years; the means and technology of intrusion have also "progressed and developed". The development and evolution of intrusion technology is mainly reflected in the following aspects:
Integration and complexity of intrusions or attacks. There are many means of intrusion, and intruders used to rely on a single one. As network defenses have become multi-layered and attacks more difficult, intruders now often use several means at once when carrying out an intrusion or attack, both to ensure success and to conceal the real purpose of the attack in its initial stage.
Indirection of the intruding subject, that is, concealment of the subject carrying out the intrusion or attack. Using certain techniques, the source and host location of the attacker can be masked. Once such concealment techniques are used, the attacked target cannot directly determine who the attacker is.
Expansion of the scale of intrusions or attacks. Intrusions into and attacks on networks were often aimed at a single company or website; their purpose might be the curiosity of certain network technology enthusiasts, though commercial theft and destruction cannot be ruled out. As conflict has grown in scale, this has gradually escalated to electronic warfare and information warfare. In scale and technology, information warfare is not comparable to intrusions into and attacks on computer networks in the ordinary sense. The outcome of information warfare and the security of a nation's main communication networks are as much a matter of national security as the territorial security of any sovereign state.
Distribution of intrusion or attack techniques. In the past, intrusions and attacks tended to be carried out from a single machine. With the development of defensive technology, such behavior is no longer effective. So-called distributed denial of service (DDoS) can paralyze the attacked host in a short period of time. Moreover, the traffic from each single machine in such a distributed attack is no different from normal communication, so it is often hard to confirm in the initial stage of the attack. Distributed attacks are the most commonly used attack method of recent times.
Shift of the attack target. Intrusions and attacks have usually targeted the network itself, but recent attacks show a strategic change: from attacking the network to attacking the network's protection systems, and the trend is intensifying. There are now reports of attacks aimed specifically at IDS. The attacker analyzes the IDS's audit methods, feature descriptions and communication modes, finds the weaknesses of the IDS, and then attacks it.
Future intrusion detection technology can develop in three directions.
Distributed intrusion detection: this has two meanings. The first is detection methods for distributed network attacks; the second is the use of distributed methods to detect distributed attacks, where the key technologies are the cooperative processing of detection information and the extraction of global information about intrusion attacks.
Intelligent intrusion detection: intrusion detection performed with intelligent methods and means. The intelligent methods in common use include neural networks, genetic algorithms, fuzzy techniques and immune principles, which are often used for the identification and generalization of intrusion features. Building intrusion detection systems on the idea of expert systems is also common. In particular, an expert system with self-learning ability continuously updates and expands its knowledge base, so that the prevention capability of the designed intrusion detection system is continuously enhanced; it should have broad application prospects. Attempts to apply the concept of intelligent agents to intrusion detection have also been reported. A more consistent solution is to combine an efficient intrusion detection system in the conventional sense with detection software or modules that have intelligent detection functions.
Comprehensive security defense program: treat network security as an overall project, using the ideas of security engineering and risk management. Evaluate the network of concern comprehensively from multiple angles (management, network structure, encrypted channels, firewalls, virus protection and intrusion detection), and then propose a feasible comprehensive solution.