Intrusion detection system


An intrusion detection system (IDS) is a computer monitoring system that issues a warning as soon as it finds an abnormal situation. IDSs fall into several categories depending on their information source and detection method: by information source, they are divided into host-based IDS and network-based IDS; by detection method, they are divided into anomaly intrusion detection and misuse intrusion detection. Unlike a firewall, an IDS is a listening device. It does not have to sit across any link, and traffic does not need to flow through it. The deployment requirement for an IDS is therefore that it be attached to a link through which all the traffic of interest must flow. Here, "traffic of interest" refers to network packets from the accessed network area that need to be counted and monitored.

In today's network topologies it is difficult to find the hub-based, shared-media collision domains of the past; most network areas have been fully upgraded to switched networks. In a switched network, the IDS is therefore generally placed as close as possible to the attack source or as close as possible to the protected resource. These locations are usually: on the switch of the server area; on the first switch after the Internet access router; on the LAN switches of the network segments of particular concern.

The market for intrusion detection systems has developed rapidly in recent years, and many companies have invested in this area. Venustech, Internet Security Systems (ISS), Cisco, Symantec and others have launched their own products.

System Composition

The IETF divides an intrusion detection system into four components:

Event generators: their purpose is to obtain events from the entire computing environment and provide them to the other parts of the system.

Event analyzers: they analyze the data obtained and produce analysis results.

Response units: functional units that react to the analysis results. They can cut off a connection, change file attributes and so on, or simply raise an alarm.

Event databases: a collective name for the places where the various intermediate and final data are stored, which can be a complex database or a simple text file.

System Defects

In February 1998, Secure Networks Inc. pointed out that IDS has many weaknesses, mainly in two areas: the IDS's inspection of data, and the protection of the IDS itself against attack. With the rapid development of modern networks, transmission rates have increased greatly, which places a heavy load on the IDS and means that its detection of attack activity is not very reliable. While an IDS is responding to an attack on itself, its inspection of other traffic is also suppressed. In addition, because pattern recognition technology is imperfect, the high false alarm rate of IDS is a major problem.

Security Policy

Intrusion detection systems work in two modes, according to how they judge behavior: anomaly detection and misuse detection. The former first builds a model of normal system access behavior; any visitor behavior that does not fit this model is judged to be an intrusion. The latter does the opposite: it first summarizes all unfavorable, unacceptable behaviors into a model, and any visitor behavior that matches this model is judged to be an intrusion.

The security strategies of the two modes are completely different, and each has its own strengths and shortcomings. The miss rate of anomaly detection is very low, but behavior that does not fit the normal behavior model is not necessarily a malicious attack, so the false positive rate of this strategy is high. Misuse detection has a low false positive rate because it matches directly against the unacceptable behavior patterns. However, malicious behavior keeps changing and may not have been collected in the behavior pattern library, so its miss rate is very high. Users therefore have to set the policy according to the characteristics and security requirements of their system and select the detection mode accordingly. Today users generally combine the two strategies.

Communication Protocol

The components inside an IDS need to communicate with each other, and IDSs from different vendors also need to communicate. A unified protocol therefore has to be defined. The IETF currently has a dedicated group, the Intrusion Detection Working Group (IDWG), responsible for defining this communication format, called the Intrusion Detection Exchange Format (IDEF), but there is no uniform standard yet. The following issues should be considered when designing the communication protocol: the information passed between the system and the control system is very important, so the authenticity and integrity of the data must be preserved, and there must be a mechanism for authenticating both communicating parties and keeping the traffic confidential (guarding against both active and passive attacks); communication between the parties may be interrupted by abnormal conditions, so the IDS must have additional measures to ensure that the system keeps working properly.

Detection Technology

Analyzing events and discovering behavior that violates the security policy is the core function of an intrusion detection system. Technically, intrusion detection falls into two categories: signature-based and anomaly-based.

Signature-based detection first defines the features of events that violate the security policy, such as certain header fields of network packets. Detection then consists mainly of checking whether such features appear in the collected data. This method is very similar to anti-virus software.

Anomaly-based detection first defines a set of "normal" values for the system, such as CPU utilization, memory utilization and file checksums (such data can be defined, or derived by observing the system and using statistical methods), and then compares the system's running values with the defined "normal" situation to find signs of attack. The core of this detection method is how to define the so-called "normal" situation.

The two detection techniques work very differently. The core of signature-based detection is maintaining a knowledge base. For known attacks it can report the type of attack accurately and in detail, but its effect on unknown attacks is limited, and the knowledge base must be updated continuously. Anomaly-based detection cannot determine the attack technique precisely, but it can (at least in theory) identify a broader range of attacks, even ones that have not yet been noticed.
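The trade-off between the two techniques, and the effect of combining them, can be seen in a small run. This is an added example, not code from the original article; the signatures, the request lines, the training set and the choice of request length as the "normal" metric are all constructed assumptions.

```python
import re
from statistics import mean, stdev

# Constructed knowledge base for the signature (misuse) detector.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-union": re.compile(r"(?i)union\s+select"),
}
# Constructed "normal" traffic used to learn the anomaly baseline.
TRAINING = [
    "GET /index.html HTTP/1.1", "GET /about.html HTTP/1.1",
    "GET /img/logo.png HTTP/1.1", "GET /css/site.css HTTP/1.1",
    "GET /news/2024/ HTTP/1.1",
]
# Constructed test events: (request line, ground truth "is malicious").
EVENTS = [
    ("GET /index.html HTTP/1.1", False),                 # ordinary request
    ("GET /../../../etc/hosts HTTP/1.1", True),          # known pattern
    ("GET /search?q=" + "A" * 400 + " HTTP/1.1", True),  # not in knowledge base
    ("GET /report?ids=" + ",".join(map(str, range(120))) + " HTTP/1.1", False),
]                                                        # last one: unusual but benign

def signature_detect(request):
    """Misuse detection: names of all known patterns found in the request."""
    return [name for name, pat in SIGNATURES.items() if pat.search(request)]

def train_baseline(requests):
    """Anomaly detection: summarise 'normal' request length as (mean, std dev)."""
    lengths = [len(r) for r in requests]
    return mean(lengths), stdev(lengths)

def anomaly_detect(request, baseline, k=3.0):
    """Alert when the length is more than k standard deviations from normal."""
    mu, sigma = baseline
    return abs(len(request) - mu) > k * sigma

def evaluate(events, baseline):
    """Return {detector: [false_positives, missed_attacks]}."""
    score = {"signature": [0, 0], "anomaly": [0, 0], "combined": [0, 0]}
    for request, malicious in events:
        sig = bool(signature_detect(request))
        ano = anomaly_detect(request, baseline)
        for name, alerted in (("signature", sig), ("anomaly", ano),
                              ("combined", sig or ano)):
            if alerted and not malicious:
                score[name][0] += 1
            elif malicious and not alerted:
                score[name][1] += 1
    return score

if __name__ == "__main__":
    print(evaluate(EVENTS, train_baseline(TRAINING)))
```

The signature detector raises no false alarm but misses the request that is not in its knowledge base, while the baseline detector catches both attacks and also flags the benign report request.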

Detection Methods

Anomaly Detection Methods

The following detection methods are often used in anomaly intrusion detection systems:

Bayesian inference detection: at any given time, the values of measured variables are used to infer whether an intrusion event has occurred in the system.

Feature selection detection: selects, from a set of measures, those that can detect intrusions, and uses them to predict or classify intrusion behavior.

Bayesian network detection: the relationships between random variables are represented graphically. The joint probability distribution of the random variables is calculated by specifying a small set of probabilities associated with adjacent nodes. Given all node combinations, this set consists of the prior probabilities of all root nodes and the probabilities of the non-root nodes. A Bayesian network is a directed graph in which the arcs indicate the dependence between parent and child nodes. When the value of a random variable becomes known, it can be absorbed as evidence, and the network provides a computational framework for determining the conditional values of the remaining random variables.

Pattern prediction detection: the assumption underlying this method is that event sequences do not occur randomly but follow some distinguishable pattern. It takes the event sequence and the relationships between events into account, and its biggest advantage is that only a small number of relevant security events need to be considered.

Statistical anomaly detection: builds a feature profile table from the activity of the user object and compares the current features with the previously established ones to judge how abnormal the current behavior is. The user feature profile table is updated continuously from audit records and holds multiple measurement indicators, whose values are obtained from experience or from statistics gathered over a period of time.

Machine learning detection: obtains the behavioral characteristics of networks, systems and individuals from discrete temporal data sequences, and proposes an instance-based learning method, IBL. IBL is based on similarity: it converts raw data (such as discrete event streams and unordered records) into a measurable space by means of a new sequence similarity measure. IBL learning techniques and a new sequence-based classification method are then used to detect intrusion behavior. The membership classification probability is determined by the chosen threshold.

Data mining detection: the purpose of data mining is to extract useful information from massive amounts of data. A network holds a large number of audit records, most of them stored as files. Finding anomalies in these records by manual methods alone is not enough, so data mining technology is applied to intrusion detection: useful knowledge is extracted from the audit data and then used to detect anomalous intrusions and known intrusions. The methods used include the KDD algorithm. Its advantages are that it handles large volumes of data well and can perform data association analysis, but its real-time performance is poor.

Application-pattern-based anomaly detection: this method calculates an anomaly value for a network service from the service request type, the service request length and the distribution of service request packet sizes. Abnormal behavior is found by comparing the anomaly value calculated in real time with the trained threshold.

Anomaly detection based on text classification: this method converts system-generated data into "documents". The similarity of the documents is calculated using the K-nearest-neighbor clustering text classification algorithm.
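The Bayesian inference method from this list, worked through on three measured variables. This is an added example, not code from the original article: the prior, the per-variable probabilities and the variable names are constructed, and the variables are assumed to be independent of each other, which is a simplification the article does not state.

```python
# Constructed numbers for illustration only.
PRIOR_INTRUSION = 0.01

# variable: (P(abnormal | intrusion), P(abnormal | no intrusion))
LIKELIHOOD = {
    "cpu_utilization": (0.60, 0.10),
    "failed_logins": (0.70, 0.05),
    "file_checksum": (0.50, 0.01),
}

def posterior_intrusion(observed):
    """P(intrusion | observed), treating the variables as independent.

    observed maps each variable name to True (abnormal) or False (normal)
    as measured at one point in time.
    """
    p_i = PRIOR_INTRUSION          # running P(observations and intrusion)
    p_n = 1.0 - PRIOR_INTRUSION    # running P(observations and no intrusion)
    for name, abnormal in observed.items():
        given_i, given_n = LIKELIHOOD[name]
        p_i *= given_i if abnormal else 1.0 - given_i
        p_n *= given_n if abnormal else 1.0 - given_n
    return p_i / (p_i + p_n)       # Bayes' rule

def is_intrusion(observed, threshold=0.5):
    """Judge an intrusion when the posterior exceeds the threshold."""
    return posterior_intrusion(observed) > threshold

if __name__ == "__main__":
    only_cpu = {"cpu_utilization": True, "failed_logins": False, "file_checksum": False}
    all_three = {"cpu_utilization": True, "failed_logins": True, "file_checksum": True}
    print(round(posterior_intrusion(only_cpu), 4), is_intrusion(only_cpu))
    print(round(posterior_intrusion(all_three), 4), is_intrusion(all_three))
```

With these numbers a single abnormal variable leaves the posterior below 1%, while all three abnormal together push it above 97%.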

Misuse Detection Methods

The following methods are commonly used in intrusion detection systems:

Pattern matching: this method is often used in intrusion detection. It compares the collected information with the known entries in a database of network intrusion and system misuse patterns, and in this way discovers behavior that violates the security policy. Pattern matching significantly reduces the load on the system and has a high detection rate and accuracy.

Expert system method: this method expresses the knowledge of security experts as a rule knowledge base and then uses a reasoning algorithm to detect intrusions. It is mainly aimed at intrusion behaviors that have characteristic features.

Detection based on state transition analysis: the basic idea of this method is to view an attack as a continuous, step-by-step process in which there is a certain relationship between the steps. The intrusion behavior is blocked in time while it is happening on the network, which prevents similar attack behavior that might follow. In state transition analysis, a penetration is viewed as a series of actions by the attacker that take the system from some initial state to a final harmful state.
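State transition analysis as a small state machine that tracks each source separately and blocks it on reaching the last state before the harmful one. This is an added example, not code from the original article; the state names, event types, transition table and addresses are constructed.

```python
# Constructed scenario: (current state, event type) -> next state.
TRANSITIONS = {
    ("initial", "repeated_login_failure"): "guessing",
    ("guessing", "login_success"): "logged_in",
    ("logged_in", "account_file_write"): "compromised",
}
BLOCK_AT = "logged_in"  # last state before the harmful one

# Constructed, interleaved event stream: (source address, event type).
EVENTS = [
    ("198.51.100.7", "login_success"),          # administrator, no prior failures
    ("192.0.2.10", "repeated_login_failure"),
    ("198.51.100.7", "account_file_write"),     # same event type, harmless context
    ("192.0.2.10", "login_success"),
    ("192.0.2.10", "account_file_write"),
]

def analyze(events):
    """Return (alerts, dropped events, final state per source)."""
    state, blocked, alerts, dropped = {}, set(), [], []
    for source, event in events:
        if source in blocked:
            # Response unit: traffic from a blocked source is discarded,
            # so the step into the harmful state never takes effect.
            dropped.append((source, event))
            continue
        current = state.get(source, "initial")
        # Events that do not continue the scenario leave the state unchanged.
        nxt = TRANSITIONS.get((current, event), current)
        state[source] = nxt
        if nxt != current and nxt == BLOCK_AT:
            alerts.append((source, nxt))
            blocked.add(source)
    return alerts, dropped, state

if __name__ == "__main__":
    alerts, dropped, state = analyze(EVENTS)
    print("alerts :", alerts)
    print("dropped:", dropped)
    print("states :", state)
```

The same `login_success` and `account_file_write` events are ignored for the source that never entered the `guessing` state, which is what distinguishes this method from matching single events.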
