Functions of intrusion detection system are
Monitoring and analyzing the activities of users and systems; auditing of system configuration and vulnerabilities, etc. From the introduction to intrusion detection systems, we know that their main functions are: monitoring and analyzing the activities of users and the system; verifying the system configuration and vulnerabilities; evaluating the integrity of the system's key resources and data files, and so on. Intrusion detection systems are designed to secure computer systems.
What is the scope of application of an intrusion monitoring and identification system?
Intrusion detection is a logical complement to firewalls that helps systems deal with network attacks; it extends the security management capabilities of system administrators (including security auditing, monitoring, attack identification and response) and improves the integrity of the information security infrastructure. It collects information from a number of critical points in a computer network system and analyzes that information to see whether there are violations of security policies and signs of attacks in the network. Intrusion detection is considered the second security gate after the firewall and provides real-time protection against internal attacks, external attacks and misuse, since it can monitor the network without affecting its performance. This is achieved through its ability to perform the following tasks:
-Monitoring and analysis of user and system activity;
-Auditing of system configurations and vulnerabilities;
-Identification of activity patterns reflecting known attacks, with alerts to the appropriate people;
-Statistical analysis of anomalous behavioral patterns;
-Assessment of the integrity of critical system and data files;
-Audit trail management of operating systems and identification of user violations of security policies.
For an intrusion detection system to be successful, it must not only keep system administrators informed of any changes to the network system (including programs, files, hardware devices, etc.), but also provide guidance for the development of network security policies. More importantly, it should be simple to manage and configure, making network security accessible even to non-specialists. Moreover, the scale of intrusion detection should also change along with changes in network threats, system configuration and security requirements. After detecting an intrusion, the intrusion detection system will respond promptly, including disconnecting the network, logging the event and raising an alarm.
Information Collection
The first step in intrusion detection is information collection, which covers the status and behavior of the system, the network, data and user activities. Moreover, information needs to be collected at a number of different key points in the computer network system (different network segments and different hosts). Besides expanding the scope of detection as much as possible, there is another important reason for this: information from a single source may reveal nothing suspicious, whereas inconsistency between information from several sources is the best indicator of suspicious behavior or an intrusion.
Of course, intrusion detection relies heavily on the reliability and correctness of the information collected, so it is essential to report this information using only software that is known to be genuine and accurate. This is because hackers often replace software in order to confuse the system and remove this information, for example by replacing subroutines, libraries and other tools that are called by the program. A hacker's modifications to a system can make it malfunction while appearing to be normal. For example, the ps command on a Unix system can be replaced with one that does not show the intruder's processes, or an editor can be replaced with one that reads a different file than the one specified (the hacker hides the original file and substitutes another version). This requires ensuring the integrity of the software used to detect intrusions into the network system; in particular, the intrusion detection software itself should be fairly robust, so that it cannot be tampered with into gathering incorrect information.
The information utilized for intrusion detection generally comes from the following four sources:
1. System and Network Log Files
Hackers often leave their traces in system log files, so making full use of the information in system and network log files is essential for detecting intrusions. Logs contain evidence of unusual and undesired activity occurring on systems and networks that can point to the fact that someone is in the process of intruding or has successfully intruded on a system. By reviewing the log files, successful intrusions or intrusion attempts can be detected and the appropriate emergency response procedures can be quickly initiated. Log files record various types of behavior, and each type contains different information; for example, "user activity" logs include logins, user ID changes, user access to files, and authorization and authentication information. Obviously, abnormal or undesired user activity includes repeated failed logins, logins from unexpected locations, and unauthorized attempts to access important files.
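As an added example (not code from the original page), the following Python script applies the three "abnormal user activity" indicators just listed to a few constructed, syslog-style lines. The trusted network prefixes, the list of sensitive paths and the failed-login threshold are assumed site policy, not values taken from the page.

```python
import re
from collections import Counter

# Constructed sample log lines in a syslog-like layout (not from any real system).
SAMPLE_LOG = """\
Mar 10 08:01:02 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar 10 08:01:05 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51023 ssh2
Mar 10 08:01:09 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51024 ssh2
Mar 10 08:01:12 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Mar 10 08:01:15 host1 sshd[1201]: Failed password for alice from 203.0.113.7 port 51026 ssh2
Mar 10 08:02:30 host1 sshd[1210]: Accepted password for bob from 198.51.100.9 port 40011 ssh2
Mar 10 08:03:00 host1 sshd[1215]: Accepted publickey for carol from 10.0.0.12 port 40012 ssh2
Mar 10 08:04:00 host1 audit[1300]: user=bob op=open path=/etc/shadow result=denied
Mar 10 08:04:10 host1 audit[1301]: user=bob op=open path=/home/bob/notes.txt result=allowed
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
AUDIT_RE = re.compile(r"user=(\S+) op=\S+ path=(\S+) result=denied")

# Assumed site policy (hypothetical values): internal address prefixes that count as
# "expected locations", files whose denied access is worth an alert, and how many
# failures in a row against one account from one source trigger an alert.
TRUSTED_PREFIXES = ("10.", "192.168.")
SENSITIVE_PATHS = ("/etc/shadow", "/etc/passwd", "/etc/sudoers")
FAILED_LOGIN_THRESHOLD = 5


def analyze_log(text):
    """Return a list of (indicator, subject, detail) tuples, one per alert, in log order."""
    failures = Counter()
    alerts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[(user, src)] += 1
            # Alert exactly once, when the threshold is reached.
            if failures[(user, src)] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("repeated_failed_login", user, src))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            if not src.startswith(TRUSTED_PREFIXES):
                alerts.append(("login_from_unexpected_location", user, src))
            continue
        m = AUDIT_RE.search(line)
        if m:
            user, path = m.groups()
            if path in SENSITIVE_PATHS:
                alerts.append(("unauthorized_sensitive_access", user, path))
    return alerts


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG):
        print(alert)
```

The three rules are deliberately independent so that a line matching none of them is ignored rather than mis-classified; in practice the log source would be a file or a syslog stream, and the policy constants would come from configuration.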
2. Undesired changes in directories and files
File systems in network environments contain a lot of software and data files, and files containing important information and private data files are often targeted for modification or destruction by hackers. Unexpected changes (including modifications, creations, and deletions) in directories and files, especially those to which access is normally restricted, are likely indications and signals that an intrusion has occurred. Hackers routinely replace, modify, and destroy files on systems to which they have gained access, all the while doing their best to replace system programs or modify system log files in order to hide traces of their presence and activities on the system.
3. Unexpected Behavior in Program Execution
Program execution on a networked system generally consists of the operating system, network services, user-initiated programs, and purpose-built applications such as database servers. Each program executing on a system is implemented by one or more processes. Each process executes in an environment with different privileges that control the system resources, programs, data files, etc. that the process can access. The execution behavior of a process is expressed by the operations it performs at runtime; operations are performed in different ways and utilize different system resources. Operations include computation, file transfers, access to devices and other processes, and communication with other processes across the network.
The presence of undesired behavior by a process may indicate that a hacker is breaking into your system.
What functions can a hazardous-area intrusion monitoring system for production safety provide?
Information Security Engineer Knowledge: Intrusion Detection System’s Main Functions Summary
The main functions of an intrusion detection system can be summarized as:
-Monitoring and analyzing the activities of users and the system to find illegal users and legitimate users exceeding their privileges;
-Checking the correctness of system configurations and detecting security holes, and prompting administrators to fix the vulnerabilities;
-Performing statistical analysis of abnormal user activities to find patterns of intrusion behavior;
-Checking the consistency and correctness of system programs and data, such as calculating and comparing file system checksums;
-Responding to detected intrusions in real time;
-Audit trail management of the operating system.
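The checksum comparison named in the list above, the "undesired changes in directories and files" source, and the replaced-ps example from the information-collection section all rest on the same technique: a trusted baseline of file digests compared against the current state. The following Python example is added here and is not code from the original page; the directory layout and file contents are constructed in a temporary directory, and SHA-256 is an assumed choice of digest.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def compare_baseline(old, new):
    """Classify every difference between two baselines as modified, added or deleted."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "deleted": sorted(p for p in old if p not in new),
    }


def demo():
    """Build a baseline over constructed files, simulate tampering, return the differences."""
    with tempfile.TemporaryDirectory() as root:

        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Constructed placeholder contents standing in for system binaries and config.
        write("bin/ps", b"original ps binary (constructed placeholder)")
        write("bin/ls", b"original ls binary (constructed placeholder)")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated tampering: ps replaced, an unexpected file added, hosts deleted.
        write("bin/ps", b"replaced ps binary (constructed placeholder)")
        write("bin/unexpected", b"new file (constructed placeholder)")
        os.remove(os.path.join(root, "etc", "hosts"))
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline only has value if it was taken from a known-good state and is stored where the monitored host cannot rewrite it (read-only media or a separate host); otherwise an intruder who replaces ps can equally well replace the stored digests.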
The basic assumption of intrusion detection is that the behavior of users and programs can be collected, e.g., through system auditing mechanisms, and, more importantly, that normal behavior is significantly different from abnormal behavior. Therefore, an intrusion detection system contains the following essential elements:
-Resources in the target system that need to be protected. For example: network services, user accounts, system cores, etc.
-Models that flag “normal” and “legitimate” behaviors associated with these resources;
-Techniques for comparing the differences between the models that have been created and the behaviors that have been collected. Behaviors that differ from “normal” behavior are considered “intrusions”.
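The three elements above (protected resources, a model of normal behavior, and a comparison technique) are shown together in this added Python example, which is not code from the original page. It builds a per-user statistical profile of hourly file-access counts from constructed history, then scores newly observed counts by their distance from the profile. The history values, the z-score threshold and the minimum standard deviation are assumptions.

```python
import statistics

# Constructed training data: file-access operations per hour for each user, collected
# while behavior was known to be normal (assumed values, not real telemetry).
NORMAL_HISTORY = {
    "alice": [12, 15, 11, 14, 13, 16, 12, 15, 14, 13],
    "bob": [3, 4, 2, 5, 3, 4, 3, 2, 4, 3],
    "svc-backup": [200, 210, 190, 205, 198, 202, 207, 195, 201, 199],
}

# Constructed observation for one later hour.
OBSERVED = {"alice": 14, "bob": 60, "svc-backup": 203, "newuser": 1}


def build_profile(history, min_std=1.0):
    """Model of 'normal': (mean, standard deviation) per subject.

    min_std keeps a subject with perfectly regular history from turning any
    tiny change into a huge z-score (division by a near-zero deviation).
    """
    profile = {}
    for user, counts in history.items():
        mean = statistics.mean(counts)
        std = statistics.pstdev(counts)
        profile[user] = (mean, max(std, min_std))
    return profile


def score(profile, observed, threshold=3.0):
    """Compare collected behavior with the model; return {subject: (verdict, z-score)}.

    A subject absent from the model cannot be compared at all and is reported
    separately rather than silently treated as normal.
    """
    results = {}
    for user, count in observed.items():
        if user not in profile:
            results[user] = ("unknown_subject", None)
            continue
        mean, std = profile[user]
        z = (count - mean) / std
        verdict = "anomalous" if abs(z) > threshold else "normal"
        results[user] = (verdict, round(z, 2))
    return results


if __name__ == "__main__":
    for user, verdict in score(build_profile(NORMAL_HISTORY), OBSERVED).items():
        print(user, verdict)
```

The comparison is symmetric on purpose: a service account that suddenly does far less than usual is as worth a look as one that does far more. The model itself must be built from trusted data, which is the same integrity concern the page raises for the collection software.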
A qualified intrusion detection system can greatly simplify the work of administrators, making it easier for them to monitor and audit networks and computer systems, expanding their security management capabilities, and thus ensuring the safe operation of networks and computer systems.
What role does intrusion detection play?
The Statistical Report on the Development of the Internet in China released by CNNIC shows that there are now tens of millions of Internet users in China. Therefore, more and more companies will shift their core business to the Internet, and Internet services have become another growth point of the current IT industry, but network security is an unavoidable problem placed in front of people. With the popularization of computer network knowledge, there are more and more attackers, their knowledge is maturing, and attack tools and techniques are becoming more complex and diverse; a simple firewall strategy can no longer meet the needs of highly security-sensitive sectors, and network defense must rely on layered, diverse means. The network environment has also become increasingly complex: a variety of complex equipment that needs continuous upgrading and patching makes the network administrator's workload ever heavier, and an inadvertent oversight may result in major security risks. Thus, the intrusion detection system has become a new hot spot in the security market; not only is it receiving more and more attention, it has also begun to play its key role in a variety of different environments.
Intrusion Detection Systems (IDS)
Since the market for intrusion detection systems has grown by leaps and bounds in recent years, a number of companies have invested in the field. Companies such as Internet Security Systems (ISS), Cisco, Symantec and many others have launched their own products.
The IETF divides an intrusion detection system into four components: event generators, event analyzers, response units and event databases.
The purpose of an event generator is to obtain an event from the entire computing environment and make this event available to the rest of the system. The event analyzer analyzes the obtained data and produces analysis results. The response unit is a functional unit that reacts to the results of the analysis. It can react strongly, cutting off connections or changing file attributes, or simply raise an alarm. The event database is the place where all kinds of intermediate and final data are stored; it can be a complex database or a simple text file.
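The four components just described can be wired together as a small, working pipeline. The Python below is an added example, not code from the original page or from any of the products named: the event feed is constructed, the analyzer's connection-count thresholds and the mapping from severity to response action (log, alarm, disconnect) are assumed values, and the event database is kept in memory where a real system would use a file or a DBMS.

```python
from collections import Counter


class EventDatabase:
    """Stores raw events and analysis results (in memory here; a file or DBMS in practice)."""

    def __init__(self):
        self.events = []
        self.alerts = []

    def store_event(self, event):
        self.events.append(event)

    def store_alert(self, alert):
        self.alerts.append(alert)


class EventGenerator:
    """Obtains events from the environment (a constructed feed) in a normalized shape."""

    def __init__(self, source):
        self.source = source

    def events(self):
        for i, raw in enumerate(self.source):
            yield {"id": i, "src": raw["src"], "dst_port": raw["dst_port"]}


class EventAnalyzer:
    """Counts connections per source address; severity rises as the count crosses thresholds."""

    THRESHOLDS = {5: "medium", 10: "high"}  # assumed values

    def __init__(self):
        self.counts = Counter()

    def analyze(self, event):
        self.counts[event["src"]] += 1
        severity = self.THRESHOLDS.get(self.counts[event["src"]])
        if severity is None:
            return None
        return {"event_id": event["id"], "src": event["src"],
                "severity": severity, "reason": "connection_rate"}


class ResponseUnit:
    """Maps an analysis result to an action; returns (action, subject) for the record."""

    ACTIONS = {"low": "log", "medium": "alarm", "high": "disconnect"}  # assumed mapping

    def respond(self, alert):
        return (self.ACTIONS[alert["severity"]], alert["src"])


def run_pipeline(raw_feed):
    """Generator -> database -> analyzer -> (database, response unit); returns (db, actions)."""
    db = EventDatabase()
    analyzer = EventAnalyzer()
    responder = ResponseUnit()
    actions = []
    for event in EventGenerator(raw_feed).events():
        db.store_event(event)           # raw event retained for later audit
        alert = analyzer.analyze(event)
        if alert is not None:
            db.store_alert(alert)       # final result retained alongside the raw data
            actions.append(responder.respond(alert))
    return db, actions


# Constructed feed: 5 connections from one source, 2 from an internal host, 10 from a third.
SAMPLE_FEED = (
    [{"src": "203.0.113.7", "dst_port": 22} for _ in range(5)]
    + [{"src": "10.0.0.5", "dst_port": 443} for _ in range(2)]
    + [{"src": "198.51.100.23", "dst_port": 22} for _ in range(10)]
)


if __name__ == "__main__":
    db, actions = run_pipeline(SAMPLE_FEED)
    print(len(db.events), "events,", len(db.alerts), "alerts")
    for action in actions:
        print(action)
```

Keeping the analyzer and the response unit as separate objects is what lets the same analysis drive a logging-only response in a test deployment and a disconnecting response in production without touching the detection logic.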