Four Questions on IDS Applications


Author: China Computer News. Source: China Computer Newspaper - SEOUL

IDS application difficulty one: how to solve the problem of false positives?

The false positive rate has always been one of the technical difficulties of IDS products, and many companies have their own solutions. Symantec works in two ways. First, the application scope of the IDS product (for example, the platforms it runs on) is classified in advance. In a corporate network that runs only Windows, for instance, the IDS's detection signatures for attacks on UNIX platforms can be ignored, thereby avoiding those false positives. Second, the problem is solved at the root, that is, complementary products are used to reduce the IDS's false positives. Symantec's existing risk management products can first help a company find its vulnerabilities and identify the sources of weakness; once those vulnerabilities are blocked, the IDS is applied, and its false positive rate will be greatly reduced.

East-soft believes that an IDS's missed detections and false positives are a pair of contradictions. Its product NETEYE IDS can reassemble network data on the basis of understanding the network protocol and provides content recovery and playback for application protocols, so that it not only detects attacks but also reproduces the attack process. In this way it can find not only external attacks but also the malicious behavior of internal users. With content recovery, administrators can accurately determine whether an attack has actually occurred, which effectively reduces false positives.

Shanghai Jinnuo's Jinnuo Netan Intrusion Detection System KIDS combines security policy optimization, event merging, event correlation and multiple detection techniques to address the false positive rate. KIDS uses Jinnuo's new generation of intelligent detection technology: based on packet signatures and fully combined with protocol state analysis, traffic anomaly detection and other techniques, it guarantees detection of the latest attack behavior while also discovering some unknown illegal intrusion behavior in time, thereby ensuring both the accuracy and the breadth of detection. In addition, KIDS also uses common technologies such as TCP stream reassembly and IP fragment reassembly, which effectively reduce the system's false positives and missed detections.

How to reduce the miss rate and false positive rate of port scan detection? The method used by early IDSs was to define a period of time; if more than a preset number of ports were probed within that period, it was considered a port scan. The disadvantage of this approach is that if the scan takes longer than the defined period, the number of ports probed within it falls below the preset threshold, and the scan will not be recognized. Even when the collected data is analyzed over a longer period, some very slow scans still escape IDS monitoring. The Oriental Longma Intrusion Detection System includes some solutions to this problem.

IDS application difficulty two: how to judge detection speed?

The detection speed of an IDS is a technical problem that affects NIDS. Faced with network intrusions, each NIDS has a fixed throughput; ordinary IDS products may cope with the detection requirements of a general-scale enterprise, but have difficulty with large telecommunications-grade companies. In this regard, Symantec recommends that, if the company's financial resources allow, several IDSs can be installed in the network at the same time, each responsible for its own part, which solves the problem of insufficient detection throughput. In addition, the antivirus tool that already covers the enterprise's network terminals can be taken as a foothold: the antivirus tool integrates some IDS functions, so that IDS runs on each PC within the network, which solves the detection speed problem. Symantec is currently doing this work. East-soft's NETEYE IDS improves detection speed by performing data reassembly at the operating system kernel level and having the driver take charge of the data, reducing data copies from the system core to user space and improving system performance.
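The port-scan window problem described under the first question above lends itself to a small detection experiment. The following Python script is an added example, not code from the article or from any of the vendors it names; the connection log, the IP addresses, the 60-second / 10-port threshold and the "closed-port" heuristic are all constructed assumptions for illustration. It shows the early fixed-window rule catching a fast scan but missing a slow one, shows that simply stretching the window to an hour catches the slow scan at the cost of flagging a busy legitimate client, and goes one step beyond the article by showing that counting only attempts against closed ports over the long horizon recovers the slow scan without that false positive.

```python
"""Port-scan detection heuristics run over a constructed connection log.

Demonstrates why a fixed detection window misses slow scans, why simply
widening the window raises false positives, and how counting only failed
connection attempts over the long horizon recovers most of the difference.
"""
from collections import defaultdict, deque


def build_sample_log():
    """Constructed sample log: (timestamp_seconds, src_ip, dst_port, result).

    result is "open" (handshake completed) or "closed" (RST / no service).
    All addresses, ports and timings are made up for this example.
    """
    log = []
    # Fast scanner: 15 ports in 15 seconds, nearly all of them closed.
    for i in range(15):
        log.append((100 + i, "10.0.0.5", 20 + i, "open" if i == 2 else "closed"))
    # Slow scanner: one port every 45 seconds, 15 ports over about 11 minutes.
    for i in range(15):
        log.append((200 + 45 * i, "10.0.0.9", 100 + i, "open" if i == 7 else "closed"))
    # Busy legitimate client: 12 distinct real services over an hour, all open.
    services = [22, 25, 53, 80, 110, 143, 389, 443, 445, 993, 3306, 3389]
    for i, port in enumerate(services):
        log.append((300 + 300 * i, "10.0.0.7", port, "open"))
    return sorted(log)


def scan_sources(log, window, threshold, only_failed=False):
    """Flag every source that touches at least `threshold` distinct destination
    ports within some `window`-second interval (a window sliding over that
    source's own events). With only_failed=True, only attempts that reached a
    closed port are counted, which is the refinement beyond the article."""
    by_src = defaultdict(list)
    for ts, src, port, result in sorted(log):
        if only_failed and result != "closed":
            continue
        by_src[src].append((ts, port))

    flagged = set()
    for src, rows in by_src.items():
        active = deque()  # events of this source inside the current window
        for ts, port in rows:
            active.append((ts, port))
            # Drop events that fell out of the window ending at `ts`.
            while ts - active[0][0] > window:
                active.popleft()
            if len({p for _, p in active}) >= threshold:
                flagged.add(src)
                break
    return flagged


def early_fixed_window(log):
    """The early-IDS rule from the article: 10 ports within 60 seconds."""
    return scan_sources(log, window=60, threshold=10)


def long_horizon(log):
    """Same rule with the window stretched to one hour to catch slow scans."""
    return scan_sources(log, window=3600, threshold=10)


def long_horizon_failures_only(log):
    """One-hour window, but counting only probes that hit closed ports."""
    return scan_sources(log, window=3600, threshold=10, only_failed=True)


if __name__ == "__main__":
    sample = build_sample_log()
    for name, detector in [("60s window", early_fixed_window),
                           ("3600s window", long_horizon),
                           ("3600s window, failures only", long_horizon_failures_only)]:
        print(f"{name:30s} -> {sorted(detector(sample))}")
```

Running the script prints the flagged sources for each heuristic: the 60-second rule reports only the fast scanner, the one-hour rule reports all three hosts including the legitimate client, and the failures-only variant reports exactly the two scanners. Real traffic is noisier than this constructed log (legitimate clients also hit closed ports occasionally), so in practice the closed-port count is combined with a rate or ratio threshold rather than used alone.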

NETEYE IDS uses a combined software and hardware architecture, selecting high-performance dedicated hardware and a dedicated database to ensure that hardware performance is optimized, which not only reduces the user's management burden but also greatly increases storage efficiency. To solve the detection speed problem, Shanghai Jinnuo first optimizes the system's hardware platform to get the best hardware performance, and then uses advanced techniques such as high-performance network packet processing (including Jinnuo Netan's unique zero-copy technology and zero-system-call technology), high-performance protocol analysis (including protocol-state-based detection) and pre-analysis detection techniques.

IDS application difficulty three: HIDS or NIDS, which is better?

Symantec believes that a NIDS only inspects the traffic on the network segment it is directly connected to and cannot detect packets on other network segments; this limitation of monitoring range appears in environments that use switched Ethernet. A HIDS can detect packets in a variety of network environments. To meet its performance targets, a NIDS typically uses signature-based detection, which can detect some common attacks but has difficulty with complex ones that require a large amount of computation and analysis time; this is the strength of HIDS. The sensor in a NIDS is weaker, and it is harder for the system to handle encrypted sessions, whereas a HIDS has no such obstacle. On the other hand, since a HIDS relies on periodic detection at time intervals, its reaction is slow, and its real-time detection is not as good as a network-based IDS. In view of this, Symantec suggests that deploying a NIDS while adding agents on particularly sensitive hosts is a relatively complete strategy, because HIDS and NIDS in parallel are complementary: the network part provides early warning, while the host-based part provides analysis and confirmation of whether attacks succeeded.

Although HIDS has high accuracy, its disadvantage is that different systems require different engines; when a system is upgraded, the engine must be upgraded, installed and maintained, and a HIDS cannot discover attack events on the network. A network-based IDS is simple to install and commission, requires no software to be installed on the hosts, needs fewer engines, can discover attacks across the network, and is better concealed. The disadvantage of NIDS is lower accuracy, and as network traffic grows, handling peak traffic becomes more difficult. At present there are few HIDS-based products on the market, only Symantec's Intruder Alert, while there are many NIDS products, from East-soft, Rising, Oriental Longma and other companies. In addition, some companies have also introduced products that integrate HIDS and NIDS. Jinnuo currently has an intrusion detection system with independent intellectual property rights, KIDS, a comprehensive network intrusion detection system that protects important network segments and critical hosts and can truly provide business units with an effective security protection system.

IDS application difficulty four: how to choose an ideal IDS?

When it comes to network security, people first think of antivirus and firewalls, because a firewall can protect the network behind it from being affected by the outside world. At present the penetration rate of IDS is obviously lower than that of antivirus, and the application proportion of firewall products is high. Information security vendors must first educate users on the concept and provide IDS, a real-time active protection product, against network threats in time; on the other hand, they should continue to use their technology and product advantages to meet the key needs of users. How to choose the right IDS product? In addition to the two important reference indicators of false positive rate and detection speed, users need to choose properly after weighing the complementary advantages and disadvantages of HIDS and NIDS, and users should improve their understanding of security service outsourcing. Users can choose an ideal IDS by considering the following elements.

Please cite the original address when reprinting: https://www.9cbs.com/read-33796.html
