Development trend of intrusion detection products
2003-10-08. Source: NEW YORK Network Security
1. Development status of intrusion detection products
Intrusion detection systems (IDS) fall into two basic types: the host intrusion detection system (HIDS) and the network intrusion detection system (NIDS). A HIDS analyzes the host's audit logs, so software must be installed on the host itself. Different operating systems, and different versions of the same system, need different host engines; installation and configuration are therefore more complicated, and the agent affects the operation and stability of the host. HIDS is still little used domestically. A NIDS analyzes network traffic: it only needs to be attached to a listening port on the network, has no effect on the network's operation, and is widely used domestically. This article analyzes the network intrusion detection systems that are currently in wide use.
2. Why is an intrusion detection system needed?
In network security today, domestic users understand firewalls well, but most do not understand the role of an intrusion detection system very well. The firewall plays the part of the gatekeeper: data entering the network is matched against predetermined rules, data that conforms to the rules is let through, and access control is enforced. It is the first gate of network security. Excellent firewalls even analyze high-level application protocols dynamically to protect the application layer. But the firewall's function has limits. It can only analyze data entering and leaving the network; against events that occur inside the network it is powerless. And because the firewall sits at the gateway, it cannot make too many judgments about the traffic passing through it, or network performance would suffer badly. If the firewall is the gatekeeper, intrusion detection is the camera on the network that never stops recording: it collects network data out of band (by bypass), so it has no effect on the network's operation or performance; it judges whether the data contains attack attempts and alerts the administrator through various means. It can find not only external attacks but also malicious behaviour from inside. Intrusion detection is therefore the second gate of network security and the necessary complement to the firewall; together they constitute a complete network security solution.
3. Problems with current intrusion detection systems
Although intrusion detection systems play such a major role, they are far from widely used in China. This is partly because of users' level of awareness and partly because intrusion detection is a relatively new technology with technical difficulties still unsolved; not every manufacturer has the strength to develop an intrusion detection product. Most current intrusion detection products have the following problems:
(1) The contradiction between false positives and false negatives
An intrusion detection system analyzes all the data on the network. Suppose an attacker attacks a system, but the vulnerability being attacked has already been patched. Should this attack raise an alarm? That is a judgment the administrator has to make, because the event still represents an attack attempt. But a flood of alarm events distracts administrators and fails to reflect the real attacks. The counterpart of the false positive is the false negative: since attack methods are constantly being updated, whether an intrusion detection system can report every attack on the network is also a problem.
(2) The contradiction between privacy and security
An intrusion detection system can receive all the data on the network and analyze and record it. This is important for network security, but it inevitably puts users' privacy at some risk. Whether a given intrusion detection product provides the administrator with corresponding functions to manage this risk has to be examined.
(3) The contradiction between passive analysis and active discovery
An intrusion detection system discovers network problems by passive monitoring; it cannot actively discover security hazards and faults in the network. How to resolve this is also a problem facing intrusion detection products.
(4) The contradiction between mass information and analysis cost
As Internet traffic grows continuously, whether an intrusion detection product can process the network's data efficiently is also an important criterion for evaluating it.
(5) The contradiction between functionality and manageability
As intrusion detection products gain functions, can they still be managed without a matching increase in effort? For example, all the information of the intrusion detection system is stored in a database; can that database be maintained and backed up automatically, without administrator intervention? In addition, how secure is the intrusion detection system itself? Is it easy to deploy? What alarm methods does it use? These factors also need to be considered.
(6) The contradiction between a single product and complex network applications
Most intrusion detection products detect attacks on the network, but merely detecting attacks is far from meeting today's complex network application requirements. The administrator often has difficulty telling whether a problem on the network is caused by an attack or by a network failure. How to handle the attack events that intrusion detection finds, and whether it can cooperate with the other security products on the network, are also questions.
4. Development trends of intrusion detection technology
(1) Improvement of analysis technology
Resolving false positives and false negatives ultimately depends on improving the analysis technology. The main analysis techniques in current intrusion detection are statistical analysis, pattern matching, data stream reassembly, protocol analysis and behavioral analysis.
Statistical analysis counts related events on the network in order to recognize attacks. Pattern matching uses an attack's characteristic byte sequence (its signature) to detect the attack. Data stream reassembly reassembles the data stream of a whole network connection rather than looking at a single packet.
Protocol analysis builds on the reassembly of network data streams: it understands the application protocol and then applies pattern matching and statistical analysis within it. For example, suppose an HTTP-based attack contains the feature string ABC. If this data is spread over several packets, one containing A, another B and another C, a simple pattern match cannot detect it; only after the data stream is reassembled can the attack be fully detected. With protocol analysis, this event raises an alarm only when it conforms to the protocol (HTTP). If the same feature appears in mail traffic, it does not match the protocol and no alarm is raised. This technology effectively reduces both false positives and false negatives.
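The ABC case above, worked through in code. This is an added example, not code from the original article or from any product it describes: it constructs two TCP flows (an HTTP request and an SMTP message, both carrying the bytes ABC split across three segments), then runs the same signature through per-packet matching, matching after stream reassembly, and protocol-aware matching. The addresses, ports, payloads and the minimal HTTP request-line check are all constructed assumptions; the reassembler also handles the out-of-order and retransmitted segments a real sensor sees.

```python
"""Per-packet matching vs. stream reassembly vs. protocol analysis.

Added example (not from the original article). It models the 'ABC' case
from the text: an HTTP attack signature split across three TCP segments.
All packets, flows and the signature are constructed here; the HTTP check
is a deliberately minimal request-line test, not a full parser.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SIGNATURE = b"ABC"  # the attack feature used in the article's example


@dataclass(frozen=True)
class Segment:
    """One TCP segment of one direction of a connection (constructed)."""
    src: str
    dst: str
    dport: int
    seq: int          # relative TCP sequence number of payload[0]
    payload: bytes


FlowKey = Tuple[str, str, int]


def flow_key(seg: Segment) -> FlowKey:
    return (seg.src, seg.dst, seg.dport)


def per_packet_matches(segments: List[Segment]) -> List[FlowKey]:
    """Simple pattern matching: inspect each packet on its own."""
    return [flow_key(s) for s in segments if SIGNATURE in s.payload]


def reassemble(segments: List[Segment]) -> Dict[FlowKey, bytes]:
    """Rebuild each flow's byte stream; tolerates out-of-order delivery,
    retransmissions (overlapping bytes are dropped) and gaps (zero-filled
    so later offsets stay correct)."""
    streams: Dict[FlowKey, bytes] = {}
    for key in {flow_key(s) for s in segments}:
        buf = bytearray()
        expected = 0  # next sequence number we have not yet stored
        for seg in sorted((s for s in segments if flow_key(s) == key), key=lambda s: s.seq):
            if seg.seq > expected:
                buf.extend(b"\x00" * (seg.seq - expected))  # missing bytes
                expected = seg.seq
            overlap = expected - seg.seq  # bytes already seen (retransmit)
            if overlap < len(seg.payload):
                buf.extend(seg.payload[overlap:])
                expected = seg.seq + len(seg.payload)
        streams[key] = bytes(buf)
    return streams


def stream_matches(streams: Dict[FlowKey, bytes]) -> List[FlowKey]:
    """Pattern matching after reassembly: catches split signatures in any protocol."""
    return [k for k, data in streams.items() if SIGNATURE in data]


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ")


def looks_like_http_request(data: bytes) -> bool:
    """Minimal protocol check (assumption: request line 'METHOD SP URI SP HTTP/x.y')."""
    first_line = data.split(b"\r\n", 1)[0]
    return first_line.startswith(HTTP_METHODS) and b" HTTP/" in first_line


def protocol_aware_matches(streams: Dict[FlowKey, bytes]) -> List[FlowKey]:
    """Protocol analysis: apply the HTTP signature only to streams that speak HTTP."""
    return [k for k, data in streams.items()
            if looks_like_http_request(data) and SIGNATURE in data]


def split_into_segments(src: str, dst: str, dport: int, data: bytes, cuts: List[int]) -> List[Segment]:
    """Cut one byte string into consecutive segments at the given offsets (constructed traffic)."""
    segs, start = [], 0
    for cut in cuts + [len(data)]:
        segs.append(Segment(src, dst, dport, start, data[start:cut]))
        start = cut
    return segs


def build_sample_traffic() -> List[Segment]:
    """Constructed flows: the ABC feature is split A | B | C in both of them."""
    http = b"GET /cgi-bin/search?q=ABC HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    smtp = b"MAIL FROM:<alice@example.test>\r\nDATA\r\nSubject: ABC\r\n.\r\n"
    i, j = http.index(SIGNATURE), smtp.index(SIGNATURE)
    h = split_into_segments("10.0.0.5", "10.0.0.80", 80, http, [i + 1, i + 2])
    s = split_into_segments("10.0.0.7", "10.0.0.25", 25, smtp, [j + 1, j + 2])
    # deliver the HTTP stream out of order and with a retransmitted middle segment
    return [h[0], h[2], h[1], h[1]] + s


def compare_methods(segments: List[Segment]) -> Dict[str, List[FlowKey]]:
    streams = reassemble(segments)
    return {
        "per_packet": sorted(per_packet_matches(segments)),
        "reassembled": sorted(stream_matches(streams)),
        "protocol_aware": sorted(protocol_aware_matches(streams)),
    }


if __name__ == "__main__":
    for method, hits in compare_methods(build_sample_traffic()).items():
        print(f"{method:15s} -> {hits}")
```

Per-packet matching reports nothing (a false negative), matching on the reassembled streams reports both flows (the SMTP hit is the false positive the article describes), and the protocol-aware pass reports only the HTTP flow. The same structure generalizes beyond the ABC case: any signature tied to one application protocol is applied only after reassembly and only to streams identified as that protocol.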
Behavioral analysis does not simply analyze a single attack; it also confirms whether an attack has actually taken place and whether it was effective. This is the highest level of intrusion detection analysis technology. Because the algorithms and rules are difficult to handle, it is not yet very mature, but it is the trend of intrusion detection technology. It is best to use a variety of detection techniques rather than rely only on traditional statistical analysis and pattern matching. In addition, whether the rule base is updated promptly, and how accurate the rules are, also determine the accuracy of detection.
(2) Introduction of content recovery and network audit functions
It was mentioned above that the highest level of intrusion detection is behavioral analysis. Since behavioral analysis is not yet very mature, some excellent intrusion detection products have introduced content recovery and network audit functions in the meantime.
Content recovery is based on protocol analysis: every behaviour that occurs on the network is completely reassembled and recorded, so that no behaviour on the network escapes monitoring. Network audit records all connection events on the network. Because of the way intrusion detection is attached to the network, network audit in an intrusion detection system not only records network access information the way a firewall does, but also records connections inside the network; this function is an especially useful complement to content recovery.
Content recovery and network audit let the administrator see the real health of the network; in effect, they draw the administrator into the behavioral analysis process. With this function the administrator sees not only the alarm for an isolated attack event but the whole attack process, can confirm that the attack really happened, examine how it was carried out and understand the damage it caused. Not only known attacks but also unknown attacks can be found; not only external attackers but also malicious behaviour by internal users. After all, the administrator understands his own network best, and with this function it is the administrator who carries out the behavioral analysis. Using this function, however, requires attention to protecting users' privacy.
(3) Integration of network analysis and management functions
Intrusion detection is not only the detection of network attacks. Because an intrusion detection system receives all the data on the network, it can also play a significant role in fault analysis and health management of the network. When the administrator finds that a host has a problem, he wants to manage it immediately. Intrusion detection should therefore not rely on passive analysis alone but combine it with active analysis. Integrating network management, scanner and sniffer functions into intrusion detection products is the direction of future development.
(4) Improvement of security and ease of use
Intrusion detection is a security product, so its own security is extremely important. Most intrusion detection products therefore use a hardware architecture and black-hole access to avoid security problems of their own. At the same time, requirements for ease of use are rising: a fully Chinese graphical interface, automatic database maintenance, diverse report output. These are the characteristics of excellent intrusion detection products and will continue to be refined in the future.
(5) Improved handling of high-volume networks
With the demand for processing large volumes of data, the performance requirements on intrusion detection are gradually rising, and gigabit intrusion detection has appeared. However, if an intrusion detection product performs not only attack analysis but also content recovery and network audit, its storage system has difficulty keeping up in a gigabit environment. In this case dividing up the network data is also a good solution, with better cost-performance, and it is the more common practice.
(6) Firewall linkage
When intrusion detection discovers an attack, it automatically notifies the firewall, and the firewall loads a dynamic rule to intercept the intrusion; this is called firewall linkage. At present the function is not yet completely mature in practice and remains mainly a concept; using it carelessly causes many problems. Its main application today is against automated attacks such as NIMDA, and only in such cases does linkage have a definite effect. Linkage should not be used without restriction: if it has not been fully tested, it will have a negative impact on the stability of the firewall and on network applications. However, as the detection accuracy of intrusion detection products improves, the linkage function becomes increasingly practical.
5. Summary
Intrusion detection is currently a brand-new technology that plays a major role in network security, but it also has technical problems still to be solved. Intrusion detection will be applied more and more widely. The following are the criteria for evaluating whether an intrusion detection product is excellent:
1. Efficient data interception
2. Intelligent data stream reassembly
3. Powerful intrusion identification
4. Comprehensive content recovery
5. Complete network audit
6. Real-time network monitoring
7. Integrated network management
8. Easy access
9. Easy-to-use management
10. Flexible deployment
11. Rich alarm methods
12. Diverse output results
13. Strict self-security
14. High integration
In short, the goal of intrusion detection products is to become a "comprehensive network health analysis management platform". (Tianji Forum)