IDS Introduction

Introduction

Intrusion detection is a technique designed and configured to keep computer systems safe: it identifies unauthorized or abnormal activity in a system and detects behaviour that violates the security policy of a computer network. Intrusion detection systems can identify undesirable activity coming from both external and internal networks. Applying an intrusion detection system makes it possible to detect an intrusion before it harms the system and to expel it through alarms and protective measures; during an attack, the losses it causes can be reduced; and after an intrusion, information about the attack is collected and added to the knowledge base as prevention knowledge, strengthening the system's defensive capability.

A typical IDS model consists of three functional components: 1. an information source that provides a stream of event records; 2. an analysis engine that looks for signs of intrusion; 3. a response component that acts on the analysis engine's findings.

At present an IDS can only be one important part of an overall network security solution, and it must work closely with other security devices to solve network security problems. Perhaps a future IDS will need a new architecture to overcome its own shortcomings, but for now it can only be organically integrated with other functional modules to solve the security problems of the network together; this requires the introduction of collaboration.

Data acquisition collaboration

Intrusion detection requires the acquisition of dynamic data (network packets) and static data (log files and the like). A network-based IDS, which only inspects raw IP packets at the network layer, can no longer meet growing security needs.
A host-based IDS, which directly examines user behaviour and operating system log data, has difficulty discovering attacks that come from the underlying network. Current IDSs collect and analyse network packets, or collect and analyse log files; even an IDS that is both network- and host-based does not consider the correlation between the two kinds of raw data. In addition, when acquiring network packets an IDS has always obtained data passively by sniffing, and a packet that is lost cannot be recovered. Moreover, future networks will all be switched networks, network speeds keep increasing, and many important networks are encrypted, so collecting dynamic data in the form of network packets becomes harder still. Therefore, collaboration in data acquisition, so that all available data is collected and fully utilised, is the primary condition for improving intrusion detection capability. There are two important aspects of data collection collaboration:

1. Collaboration between the IDS and the vulnerability scanning system. A vulnerability scanning system has a complete vulnerability library; it scans each host in the network, produces a comprehensive report on the vulnerabilities present in the network, the operating system and the applications running on each host, proposes remediation methods for those vulnerabilities, and finally gives a risk assessment report. One side of the synergy between the IDS and the scanning system is that the IDS can use the scanning results to learn which vulnerabilities actually exist in the current network, systems and applications, and then use those results to adjust its alerting policy, reducing false positives as far as possible and also making it possible to alert on attacks hidden in seemingly normal behaviour.
From another angle, the IDS can use its analysis of daily alert information to modify the scanning policy of the vulnerability scanning system and schedule scans, so that vulnerabilities likely to be attacked can be prevented in time. Conversely, the vulnerability scanning system can use the IDS alert information to check whether certain hosts are being probed for specific vulnerabilities and whether the vulnerability really exists; if it does, a report is produced and the corresponding traffic must be blocked.
2. Collaboration between the IDS and the antivirus system. On the one hand, the IDS can raise a warning based on certain signatures, but because the IDS is not itself an antivirus system, it cannot accurately predict whether a host in the network is truly under attack by a computer virus. This is where the antivirus system comes into play: it can verify the IDS's virus alert information and take appropriate action on host systems that have been attacked by a virus.
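The first aspect above, using scanner results to grade IDS alerts and using alerts to drive targeted rescans, can be illustrated with a small policy module. This is an added example, not code from the article: the inventory, the signature metadata and the vulnerability identifiers (VULN-WEB-001 and so on) are constructed placeholders, and the grading rules are an assumed policy.

```python
"""Scan-aware alert policy: vulnerability-scanner results grade IDS alerts, and
alerts in turn produce a rescan work list for the scanner.  Added example."""
from dataclasses import dataclass

# Constructed scanner inventory: host -> open services (port -> product) and the
# vulnerabilities the scanner confirmed.  Vuln ids are placeholders, not real ones.
SCAN_INVENTORY = {
    "10.0.0.5": {"services": {80: "iis", 445: "smb"}, "vulns": {"VULN-WEB-001"}},
    "10.0.0.7": {"services": {80: "apache", 22: "ssh"}, "vulns": set()},
}

# Constructed signature metadata: what each signature presupposes about its target.
SIGNATURES = {
    "web-traversal-iis": {"port": 80, "product": "iis", "vuln": "VULN-WEB-001"},
    "smb-null-session":  {"port": 445, "product": "smb", "vuln": "VULN-SMB-002"},
    "ssh-brute-force":   {"port": 22, "product": "ssh", "vuln": None},
}

@dataclass
class Alert:
    signature: str
    src: str
    dst: str
    dst_port: int

@dataclass
class Grade:
    priority: str          # "high", "medium" or "low"
    reason: str
    rescan: bool = False   # ask the scanner to verify this host / vulnerability

def grade_alert(alert: Alert, inventory=SCAN_INVENTORY, sigs=SIGNATURES) -> Grade:
    """Grade one alert against the scan inventory (assumed policy)."""
    meta = sigs.get(alert.signature)
    host = inventory.get(alert.dst)
    if meta is None or host is None:
        # Unknown signature or unscanned host: keep the alert, but request a scan.
        return Grade("medium", "no scan data for target", rescan=True)
    product = host["services"].get(alert.dst_port)
    if product is None:
        # Scanner saw the port closed: the attack cannot land on this host.
        return Grade("low", f"port {alert.dst_port} closed on {alert.dst}")
    if meta["product"] != product:
        # Right port, wrong software: exploit is for a product the host does not run.
        return Grade("low", f"signature targets {meta['product']}, host runs {product}")
    if meta["vuln"] is None:
        # Behavioural signature (brute force) with no specific vulnerability.
        return Grade("medium", "behavioural signature against live service")
    if meta["vuln"] in host["vulns"]:
        return Grade("high", f"host is known vulnerable to {meta['vuln']}")
    # Matching product but the scanner did not confirm the vuln: verify, don't ignore.
    return Grade("medium", "vulnerable product, vuln not confirmed by scan", rescan=True)

def rescan_requests(alerts, inventory=SCAN_INVENTORY, sigs=SIGNATURES) -> dict:
    """Reverse direction: alert stream -> scanner work list (host -> vuln ids)."""
    work = {}
    for a in alerts:
        if grade_alert(a, inventory, sigs).rescan:
            work.setdefault(a.dst, set())
            vuln = (sigs.get(a.signature) or {}).get("vuln")
            if vuln:
                work[a.dst].add(vuln)
    return work
```

The point of the three middle branches is that a signature match is only a claim about traffic; the scanner knows whether the target can actually be affected, so the same packet is graded differently against each host.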
IDS new technology introduction (2) Author: Venus Source: CCID January 13, 2003

Data analysis collaboration

Intrusion detection not only needs pattern matching and anomaly detection techniques to analyse the data collected by a single detection engine and find simple intrusion behaviour; it also needs data mining technology to analyse the audit data submitted by multiple detection engines and discover more complex intrusions. In theory, any network intrusion can be found, because network traffic and host logs record intrusion activity. Data analysis collaboration must therefore be carried out on two levels: first, collaborative analysis of the data acquired by one detection engine, applying the detection techniques together to discover the more common, typical attack behaviour; second, analysis of the audit data from multiple detection engines using data mining technology, to discover more complex attack behaviour. The data analysis capability of an IDS can be assessed from three aspects: accuracy, efficiency and usability. On that basis, the detection engine is the best place to perform the first level of data analysis collaboration, and the central management and control platform is the best place to perform the second level. Because the detection engine does not face a single kind of data, it is important for it to use several detection techniques. Judging from the characteristics of attacks, some attack methods are easy to detect with anomaly detection, and some are very simple to detect with pattern matching. Therefore, when designing a detection engine, the detection strategy must first be determined: which attack behaviour belongs to the category of anomaly detection and which to the category of pattern matching. The central management and control platform performs more advanced and complex intrusion detection, facing audit data from multiple detection engines.
It can perform "correlated" analysis of network activity in different regions, and its results provide support for the detection engines in the next time period. For example, hackers often use various probing tools to find the most vulnerable hosts in a network and the vulnerabilities on those hosts; since the record of this "attack preparation" activity has already been captured, the IDS can judge the subsequent formal attack in a timely manner. The method most discussed at this level today is data mining technology, which detects intrusions through the correlation of audit data and can also detect new attack methods. The detection model of traditional data mining technology is built offline, like integrity checking technology, because traditional data mining must process large amounts of audit data and is very time-consuming; an effective IDS, however, must work in real time. Moreover, it is not enough for a data-mining IDS to have a good detection rate; its false alarm rate must also lie within an acceptable range. Columbia University proposed a real-time intrusion detection technique based on data mining, which shows that data mining techniques can be used in a real-time IDS. Its basic framework is: first, extract features from the audit data that help distinguish normal data from attack behaviour; then use these features in pattern matching or anomaly detection models; then apply an artificial anomaly generation method to reduce the false alarm rate of the anomaly detection algorithm; and finally combine the pattern matching and anomaly detection models. Experiments show that this method can improve the detection rate of the system without reducing the performance of any single detection model. Based on this technique, a real-time data-mining IDS is built from an engine, a detector, a data warehouse and a model generator, as shown in the figure.
Among them, the engine observes the raw data and computes the features used to evaluate the model; the detector takes the engine's data and uses the detection model to assess whether it is an attack; the data warehouse serves as the centre of both the data and the models; and the main purpose of the model generator is to speed up the development and distribution of new intrusion detection models.
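The two levels described above (a per-sensor engine that combines pattern matching with anomaly detection, and a central platform that correlates the audit records of several sensors so that recorded "attack preparation" makes the later attack recognisable) can be sketched as follows. This is an added example, not the article's or Columbia's code: the signatures, the baseline numbers, the anomaly threshold and the sample traffic are all constructed, and the "recon then exploit" rule is an assumed correlation policy.

```python
"""Two-level analysis: sensor engine (signature + anomaly) and a central
correlator linking reconnaissance to a later attack.  Added example."""
from collections import defaultdict
import re
import statistics

# --- Level 1: detection engine on a single sensor --------------------------
# Pattern-matching branch: constructed payload signatures for known attack shapes.
SIGNATURES = {
    "dir-traversal": re.compile(r"\.\./\.\./"),
    "cmd-injection": re.compile(r";\s*(cat|rm)\s"),
}

class AnomalyDetector:
    """Rate anomaly: a (src, dst) pair whose distinct-port count exceeds the
    baseline mean by k standard deviations looks like a port sweep."""
    def __init__(self, baseline_counts, k=3.0):
        self.mean = statistics.mean(baseline_counts)
        self.std = statistics.pstdev(baseline_counts) or 1.0
        self.k = k

    def is_anomalous(self, count):
        return (count - self.mean) / self.std > self.k

def sensor_engine(events, anomaly):
    """events: dicts {ts, src, dst, port, payload} from one sensor.
    Returns audit records (ts, kind, src, dst, detail) for the central platform."""
    audit = []
    ports_by_pair = defaultdict(set)
    first_seen = {}
    for e in events:
        # Pattern matching handles attacks that carry a known payload shape.
        for name, rx in SIGNATURES.items():
            if rx.search(e.get("payload", "")):
                audit.append((e["ts"], "signature", e["src"], e["dst"], name))
        key = (e["src"], e["dst"])
        ports_by_pair[key].add(e["port"])
        first_seen.setdefault(key, e["ts"])
    # Anomaly detection handles behaviour with no fixed payload (probing).
    for (src, dst), ports in ports_by_pair.items():
        if anomaly.is_anomalous(len(ports)):
            audit.append((first_seen[(src, dst)], "anomaly", src, dst, f"{len(ports)} ports"))
    return audit

# --- Level 2: central platform over audit data from all sensors ------------
def correlate(audits, window=3600):
    """Staged-attack rule: a source that probed a host (anomaly) and then, within
    `window` seconds, triggered a signature on that same host is escalated."""
    recon = {}       # (src, dst) -> timestamp of the probe
    incidents = []
    for ts, kind, src, dst, detail in sorted(audits):
        if kind == "anomaly":
            recon[(src, dst)] = ts
        elif kind == "signature":
            t0 = recon.get((src, dst))
            if t0 is not None and 0 <= ts - t0 <= window:
                incidents.append({"src": src, "dst": dst, "stage": "recon-then-exploit",
                                  "signature": detail, "lead_time": ts - t0})
    return incidents

def demo():
    """Constructed traffic: sensor A sees a 20-port sweep from 198.51.100.4 against
    10.0.0.5 plus one normal request; sensor B later sees a traversal payload."""
    baseline = [1, 1, 2, 1, 2, 1, 1, 2]          # normal distinct-port counts per pair
    det = AnomalyDetector(baseline)
    sensor_a = [{"ts": 100 + i, "src": "198.51.100.4", "dst": "10.0.0.5",
                 "port": p, "payload": ""} for i, p in enumerate(range(20, 40))]
    sensor_a.append({"ts": 130, "src": "10.0.0.8", "dst": "10.0.0.5",
                     "port": 80, "payload": "GET /index.html"})
    sensor_b = [{"ts": 900, "src": "198.51.100.4", "dst": "10.0.0.5",
                 "port": 80, "payload": "GET /../../config"}]
    audits = sensor_engine(sensor_a, det) + sensor_engine(sensor_b, det)
    return correlate(audits)

if __name__ == "__main__":
    print(demo())
```

Neither sensor alone sees the staged attack: sensor A only knows about a sweep, sensor B only about one suspicious request. The correlation exists only at the level that receives both audit streams, which is the article's argument for placing the second level on the central platform.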
Response collaboration

As discussed earlier, since the position of the IDS in the network is rather limited, response is integrated with network devices or network security devices that have adequate response capability, forming a comprehensive security system in which response and warning complement each other. Response collaboration mainly includes the following aspects.

1. Collaboration between the IDS and the firewall. The firewall and the IDS complement each other well, on both a static and a dynamic level. Statically, by understanding the firewall's policy the IDS can analyse security events on the network more effectively, achieving accurate alerts and reducing false positives. Dynamically, the IDS can effectively block an established connection while notifying the firewall to modify its policy so as to prevent potential further attacks.

2. Collaboration between the IDS and routers and switches. Switches, routers and firewalls are the devices usually connected in series in the network, and because they also carry a predefined policy that determines the data flow on the network, the collaboration between the IDS and switches or routers is similar to its collaboration with the firewall.

3. Collaboration between the IDS and the antivirus system. Collaboration with the antivirus system was discussed under data collection collaboration, but in fact, for an antivirus system, detection and removal are two indispensable aspects: there is collaboration at the data collection level, and there is response collaboration at the removal level. Even if the IDS can block an established connection by sending a large number of RST packets, replacing the firewall's response mechanism to some extent, it simply cannot prevent a computer from suffering a virus attack. Since network virus attacks currently account for an increasing proportion of all attacks, the synergy between the IDS and the antivirus system is becoming more and more important.
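The static and dynamic sides of IDS/firewall collaboration in item 1 can be shown in one small responder. This is an added example and not the article's code: the firewall policy model (first-match rules with a default deny), the allowlist of hosts that must never be blocked, and the 15-minute block lifetime are constructed assumptions; the emitted commands use the standard iptables -I and -D options but are only returned as strings, not executed.

```python
"""Static and dynamic IDS/firewall collaboration.  Added example; the policy
model is a simplified, constructed stand-in for a real firewall rule base."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class FwRule:
    action: str              # "accept" or "drop"
    src: str                 # CIDR the rule applies to
    dst_port: Optional[int]  # None = any port

# Constructed perimeter policy, evaluated first-match like a real firewall.
FIREWALL_POLICY = [
    FwRule("accept", "0.0.0.0/0", 80),
    FwRule("accept", "0.0.0.0/0", 443),
    FwRule("drop",   "0.0.0.0/0", None),   # default deny for everything else
]

# Hosts the IDS must never ask the firewall to block (assumed: management net, partner).
NEVER_BLOCK = [ip_network("10.0.0.0/24"), ip_network("192.0.2.10/32")]

def firewall_verdict(src: str, dst_port: int, policy=FIREWALL_POLICY) -> str:
    """Replay the firewall policy for one inbound flow."""
    for r in policy:
        if ip_address(src) in ip_network(r.src) and r.dst_port in (None, dst_port):
            return r.action
    return "drop"

def static_filter(alert: dict, policy=FIREWALL_POLICY) -> dict:
    """Static level: an alert on inbound traffic the firewall already drops comes
    from sniffing outside the perimeter; keep it for the record but downgrade it."""
    verdict = firewall_verdict(alert["src"], alert["dst_port"], policy)
    out = dict(alert)
    out["blocked_by_firewall"] = verdict == "drop"
    out["priority"] = "low" if verdict == "drop" else alert.get("priority", "high")
    return out

class Responder:
    """Dynamic level: turn a confirmed high-priority alert into a time-limited
    firewall block, with an allowlist and de-duplication of live rules."""
    def __init__(self, ttl: int = 900):
        self.ttl = ttl
        self.active = {}     # src -> expiry timestamp

    def respond(self, alert: dict, now: int) -> List[str]:
        src = alert["src"]
        if alert.get("priority") != "high":
            return []                               # only act on confirmed alerts
        if any(ip_address(src) in n for n in NEVER_BLOCK):
            return [f"# refuse to block allowlisted host {src}"]
        if self.active.get(src, 0) > now:
            return []                               # rule already live for this source
        self.active[src] = now + self.ttl
        return [f"iptables -I INPUT -s {src} -j DROP"]

    def expire(self, now: int) -> List[str]:
        """Remove blocks whose lifetime has passed, so a spoofed source cannot
        turn the responder into a permanent denial of service against itself."""
        cmds = []
        for src, exp in list(self.active.items()):
            if exp <= now:
                cmds.append(f"iptables -D INPUT -s {src} -j DROP")
                del self.active[src]
        return cmds
```

The allowlist and the expiry are the two checks a practitioner adds before letting an IDS drive a firewall: automatic blocking is itself an attack surface, because an attacker who can provoke alerts with forged source addresses can otherwise make the IDS block legitimate hosts.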
4. Collaboration between the IDS and honeypots and padded-cell systems. Some tools are associated with the IDS as supplements to it. Because their functionality is similar, vendors often present them as IDSs. In fact the functions of these tools are quite independent, so they are not discussed here as part of the IDS; instead their functions are briefly introduced, and these tools are brought in to collaborate with the IDS and jointly enhance an organisation's intrusion detection capability.

Honeypot: a honeypot is a decoy system intended to lure attackers away from critical systems. These systems are filled with information that looks useful but is in fact fabricated, and legitimate users never access it. Therefore, when access to a honeypot is detected, it is very likely that an attacker has broken in. Monitors and event logging on the honeypot detect this unauthorised access and collect information about the attacker's activity. The purpose of a honeypot is to draw attackers away from critical systems, collect information about their activity, and keep the attacker on the system long enough for administrators to respond. With this capability, a honeypot can on the one hand provide additional data for the IDS; on the other hand, when the IDS discovers an attacker, it can redirect the attacker into the honeypot, preventing harm while collecting attack information.

Padded cell: a padded cell takes a different approach. It does not try to attract attackers with enticing data; instead it waits for a traditional IDS to detect an attacker, who is then seamlessly transferred to a dedicated padded-cell host. The attacker does not realise what has happened, but is now in a simulated environment where no damage can be done. As with a honeypot, this simulated environment contains data that looks interesting, so that attackers believe the attack is proceeding according to plan. The padded cell provides a unique opportunity to monitor attackers.
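The honeypot's value to the IDS rests on two facts stated above: no legitimate user ever touches it, and the data it holds is fabricated. Both can be turned into detections that feed the IDS, as in the following added example, which is not code from the article. The decoy host address, the decoy account names, the log line formats and the sample log are all constructed for the example.

```python
"""Honeypot feed for the IDS.  Added example: every honeypot access is an
indicator, and so is any later use of the fabricated data planted on it."""
import re
from collections import defaultdict

# Constructed: the decoy host and the fabricated accounts it advertises.
HONEYPOT_HOSTS = {"10.0.0.250"}
DECOY_ACCOUNTS = {"svc_backup_old", "finance_admin"}   # never real accounts

# Constructed log formats for the example (connection log and authentication log).
CONN_RE = re.compile(r"^(?P<ts>\d+) conn src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<port>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\d+) auth host=(?P<host>[\d.]+) user=(?P<user>\S+) from=(?P<src>[\d.]+) result=(?P<res>\w+)$")

def honeypot_indicators(lines):
    """Turn honeypot connections and decoy-credential use into IDS alerts plus
    an activity timeline per source address for the administrator."""
    alerts, timeline = [], defaultdict(list)
    for line in lines:
        m = CONN_RE.match(line)
        if m and m["dst"] in HONEYPOT_HOSTS:
            # Nobody legitimate connects here, so the connection itself is the alert.
            alerts.append({"ts": int(m["ts"]), "src": m["src"], "type": "honeypot-access",
                           "detail": f"port {m['port']}"})
            timeline[m["src"]].append((int(m["ts"]), f"touched honeypot port {m['port']}"))
            continue
        m = AUTH_RE.match(line)
        if m and m["user"] in DECOY_ACCOUNTS and m["host"] not in HONEYPOT_HOSTS:
            # Fabricated credential used against a production host: the attacker
            # took the bait and is now trying to use it elsewhere.
            alerts.append({"ts": int(m["ts"]), "src": m["src"], "type": "decoy-credential-use",
                           "detail": f"{m['user']} on {m['host']} ({m['res']})"})
            timeline[m["src"]].append((int(m["ts"]), f"used decoy account {m['user']} on {m['host']}"))
    return alerts, dict(timeline)

def sources_to_prioritize(alerts):
    """Sources seen on the honeypot: the IDS should escalate their other alerts."""
    return sorted({a["src"] for a in alerts})

# Constructed sample log: one normal internal session and one intruder who
# probes the honeypot and then tries a decoy account on a real file server.
SAMPLE_LOG = [
    "1000 conn src=10.0.0.8 dst=10.0.0.20 dport=445",
    "1005 conn src=198.51.100.4 dst=10.0.0.250 dport=22",
    "1010 conn src=198.51.100.4 dst=10.0.0.250 dport=445",
    "1300 auth host=10.0.0.20 user=alice from=10.0.0.8 result=ok",
    "1320 auth host=10.0.0.20 user=svc_backup_old from=198.51.100.4 result=fail",
]

if __name__ == "__main__":
    found, tl = honeypot_indicators(SAMPLE_LOG)
    for a in found:
        print(a)
```

The second detection is what makes the fabricated data more than a distraction: a decoy account name is a marker that only an intruder could have obtained, so its appearance in an authentication log on any production host identifies the attacker even after they have left the honeypot.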
Conclusion

[Figure: the entire security system described in this article]