What are the basic functions of an Intrusion Detection System
The basic function of an Intrusion Detection System (IDS) is to monitor network transmissions in real time, and to issue alerts or take proactive measures when suspicious transmissions are detected. It differs from other network security devices in that IDS is a proactive security technology.
In today’s network topology, it is difficult to find the former HUB-style shared media conflict domain network, the vast majority of the network area has been fully upgraded to a switched network structure. Therefore, the location of IDS in a switched network is generally chosen to be as close as possible to the source of the attack or as close as possible to the location of the protected resource.
Intrusion detection systems are divided into two modes based on the behavior of intrusion detection: anomaly detection and misuse detection. The former first to establish a model of the normal behavior of the system access, any visitor does not comply with this model will be concluded as an intrusion; the latter, on the contrary, first to all possible adverse unacceptable behavior inductively establish a model, any visitor complies with this model will be concluded as an intrusion.
Intrusion detection systems are mainly two techniques one is anomaly detection, the other is feature detection.
Anomaly detection: anomaly detection is the assumption that the intruder’s activities are abnormal to the normal subject’s activities, the establishment of normal activities, “Activity Profile”, when the current subject’s activities in violation of its statistical laws, that may be “invasive” behavior. This is accomplished by detecting changes in the behavior or usage of the system.
How to Build an Intrusion Detection System
Nowadays, network administrators expect intrusion detection systems (IDS) and intrusion prevention systems (IPS) to also detect web application attacks, including sensing anomalies. This article will help you understand IDS and IPS, and how to integrate them for perfect protection.
IDSvsIPSThe hardest part of choosing an IDS or IPS is understanding when you need it and what features it has. With all the firewalls, application firewalls, unified threat management appliances, IDSs, and IPSs on the market, it can be difficult to differentiate between the features of these products and understand which one offers the best of certain features. Some organizations have deployed IPS and found that they can remove the original IDS, and you may be considering whether to replace your IDS with an IPS, but that doesn’t apply to everyone.
Preventing Application Attack Threats with Network IPSApplications are increasingly becoming the entry point for attack threats. For example, e-commerce applications that are very vulnerable to attack. Unfortunately, traditional IDS and IPS cannot protect organizations from such attacks. The good news is that vendors now have application-oriented IDSs and IPSs. For example, Web application firewalls, which use anomalies and tagging techniques to detect frequent attack techniques. This newer IPS can make up for the shortcomings of traditional systems.
Installing Configuring and Tuning Network Intrusion PreventionInstalling and configuring anomaly-based intrusion prevention devices is more complex than marker-based devices. Anomaly-based devices detect and prevent zero-day attacks by detecting unusual network activity. Installing and configuring a system that recognizes unknown activity requires knowledge of the expected activity. But monitoring the network for just a few hours is not enough. To avoid false positives, the system must recognize different activities that occur throughout the day and over the course of a month.
Unlike other security devices, IDS/IPS require maintenance and adjustments after installation and configuration. the algorithms of IDS and IPS are completely different, so it is necessary to make timely adjustments to minimize false positives and missed alarms.
Unified InfrastructureEnterprises that consolidate multiple defenses are also constrained by data center and energy costs, and if you’ve run into this, you may want to unify your network infrastructure security strategy. Vendors will adapt their offerings from putting multi-vendor software in open racks to integrating network infrastructure security policies, which can reduce management and energy expenses by reducing the number of physical security devices in the data center.
Intrusion detection concepts, process analysis and deployment
1, the basic concept of intrusion detection
Intrusion detection is “an attempt to detect a break-in or break-in to a system by manipulating behavioral, security logs or auditing data, or other information available on the network” (see GB/T18336). Intrusion detection is the discipline of detecting and responding to computer misuse, and its roles include deterrence, detection, response, damage situation assessment, attack prediction, and prosecution support. Intrusion detection technology is designed and configured to ensure the security of computer systems and a timely detection and reporting of unauthorized or anomalous phenomena in the system is a technology used to detect the violation of security policies in the computer network line 募际酢=腥肭旨觳獾娜砑胗布 淖楹媳闶侨肭旨觳觳箄low often ntrusionDetectionSystem(IDS).
2, the history of the development of intrusion detection systems
In 1980 JamesP.Anderson, in a technical report entitled “Computer Security Threat Monitoring and Surveillance” written for a confidential client, pointed out that audit logs can be used to identify computer misuse, and he categorized the threat, the first detailed The concept of intrusion detection was first detailed.From 1984 to 1986 Dorothy Denning of Georgetown University and Peter Neumann of SRI’s Computer Science Laboratory developed a real-time intrusion detection system model, IDES (IntrusionDetectionExpertSystems Intrusion Detection Expert System ), the first system to utilize both statistical and rule-based techniques in a single application, and one of the most influential in intrusion detection research.In 1989, Todd Heberlein of the University of California, Davis, wrote a paper, “ANetworkSecurityMonitor,” which was used to capture TCP/IP packets and for the first time Network intrusion detection was born when network streams were used directly as a source of audit data, thus making it possible to monitor heterogeneous hosts without converting the audit data into a uniform format.
3, the system model
In order to solve the interoperability between intrusion detection systems, a number of international research organizations to carry out standardization work, the current standardization of IDS there are two organizations: IETF IntrusionDetectionWorkingGroup (IDWG) and CommonIntrusionDetectionWorkingGroup (IDWG). ) and the CommonIntrusionDetectionFramework (CIDF).The CIDF was earlier sponsored by the U.S. Department of Defense’s Advanced Research Projects Agency for research, and is now run by the CIDF Working Group, which is an open organization.
The CIDF articulates a generic model for an intrusion detection system (IDS). It divides an IDS into the following components: Eventgenerators, represented by the E box; Eventanalyzers, represented by the A box; Responseunits, represented by the R box; and Eventdatabases, represented by the D box.
4. Classification 4.1 Divided according to the type of detection
Technologically, there are two detection models for intrusion detection:
(1) AnomalyDetection: detection of deviations from acceptable behavior. If every acceptable behavior can be defined, then every unacceptable behavior should be intrusion. The characteristics that normal operation should have (user profile) are first summarized, and user activities are considered as intrusions when they deviate significantly from normal behavior. This detection model has low leakage rate and high false alarm rate. It is effective in detecting unknown intrusions because there is no need to define each intrusion behavior.
(2) MisuseDetection model: detects the degree of match with known unacceptable behaviors. If all unacceptable behaviors can be defined, then every behavior that can be matched will cause an alert. Behavioral features of abnormal operations are collected to build a library of related features, and when a monitored user or system behavior matches a record in the library, the system considers the behavior as an intrusion. This detection model has a low false alarm rate and a high miss rate. It can report the type of attack in detail and accurately for known attacks, but has limited effectiveness for unknown attacks, and the feature library must be constantly updated.
4.2 Divided according to the detection object
Host-based: The data analyzed by the system are computer operating system event logs, application program event logs, system calls, port calls, and security audit records. Host-based intrusion detection system to protect the host system is generally located. It is implemented by agents (agent), which are small executable programs running on the target host that communicate with a command console (console).
Network-based: the data analyzed by the system are packets on the network. Network-based intrusion detection systems are tasked with protecting an entire network segment. Network-based intrusion detection systems consist of sensors throughout the network, which is a computer that puts the Ethernet card in promiscuous mode to sniff packets on the network.
Hybrid: Both network-based and host-based intrusion detection systems have shortcomings that can result in an incomplete defense system, a combination of network-based and host-based hybrid intrusion detection systems can find both attack information in the network, but also from the system logs to find anomalies.
5, intrusion detection process analysis
The process is divided into three parts: information collection, information analysis and results processing.
(1) information collection: the first step in intrusion detection is information collection, the collection includes the state and behavior of the system, network, data and user activities. Information is collected by sensors placed on different network segments or agents on different hosts, including system and network log files, network traffic, unusual directory and file changes, and unusual program execution.
(2) Information analysis: Information collected about the state and behavior of the system, network, data, and user activities is sent to the detection engine, which resides in the sensors and generally analyzes it by three technical means: pattern matching, statistical analysis, and integrity analysis. When a certain misuse pattern is detected, an alert is generated and sent to the console.
(3) Result Processing: The console generates a pre-defined response in accordance with the alarm to take appropriate measures, which can be reconfiguring a router or firewall, terminating a process, cutting off a connection, changing a file attribute, or just a simple alarm.
6, IDS deployment example
ISS (Internet Security Systems) RealSecure deployment diagram, RealSecure is a hybrid intrusion detection system that provides network-based and host-based real-time intrusion detection. Its console runs on Windows 2000.RealSecure’s sensors are autonomous and can be controlled by many consoles. The functions of each part are as follows:
(1) ReaISecure console: management of multiple networked sensors and server agents; configuration and control of managed sensors remotely; real-time reporting of security events detected by individual monitors to the console.
(2) Network Sensor (network engine): listen to the network and automatically respond to suspicious behavior, the degree of protection of network security; running on a specific host, listening to and parsing of all network information, and timely discovery of packets with attack characteristics; detection of the local network segments, to find each packet of hidden malicious intrusion, and timely response to the discovered intrusion. The network engine can detect the local network segments, find the hidden malicious intrusions in each packet, and make timely response to the discovered intrusions. When an attack is detected, the network engine can instantly respond with alerts/notifications (alerting the console, e-mailing security administrators, SNMPtrap, viewing real-time sessions, and notifying other consoles), recording the scene (logging the event and the entire session), and taking security response actions (terminating the intrusion connection, adjusting the configuration of the network device such as firewalls, and executing user-specific response programs).
(3) Server Sensor (server agent, installed on individual servers): real-time intrusion detection of core-level events, system logs, and network activity on hosts; packet interception, intelligent alerting, and blocking of communications to proactively stop intrusions before they reach the operating system or application; and automated reconfiguration of network engine and select firewalls to block further hacker attacks.
7, the development trend
Improvements to the analysis technology: the use of current analysis techniques and models will produce a large number of false alarms and omissions, it is difficult to determine the real intrusion behavior. With new analysis techniques such as protocol analysis and behavioral analysis, detection efficiency and accuracy can be greatly improved to respond to real attacks. Protocol analysis is currently the most advanced detection technology, through the structured protocol analysis of packets to identify intrusion attempts and behavior, this technology is more efficient than pattern matching detection, and can identify some unknown attack characteristics, with a certain degree of immunity; behavioral analysis technology is not only simple to analyze a single attack, but also based on the events that occur before and after to confirm whether there is indeed an attack occurred, the attack behavior Whether effective, is the trend of the development of intrusion detection technology.
Enhance the ability to handle large amounts of network traffic: With the continuous growth of network traffic, the data obtained in real time to analyze the difficulty of increasing, which leads to the location of the intrusion detection system is more and more demanding. Intrusion detection products can efficiently process data in the network is an important basis for measuring intrusion detection products.
To a high degree of integrability: integrated network monitoring and network management functions. Intrusion detection can detect packets in the network, when a device is found to be a problem, the device can be immediately managed accordingly. Future intrusion detection system will be combined with other network management software, the formation of intrusion detection, network management, network monitoring tools.