Network Security Lecture 6 Intrusion Detection System


1. Definition of intrusion detection

  1. Intrusion: a series of actions that attempt to compromise the confidentiality, integrity or availability of information resources, that is, unauthorized access to an information system and/or unauthorized operations within it.
  2. Intrusion detection: collecting information from several key points in a computer network system and analyzing it to determine whether the network shows violations of security policy or signs of intrusion. It is the process of identifying, and responding to, malicious behavior directed at computing and network resources.
  3. Intrusion Detection System (IDS): by monitoring the state and activity of the protected system, an IDS uses anomaly detection or misuse detection to discover unauthorized or malicious system and network behavior and provides an effective means of countering intrusions. It is an important part of a complete network security system; the combination of intrusion detection software and hardware is a reasonable supplement to the firewall and a second security gate behind it.
  4. Intrusion detection content: (figure not preserved)

2. Typical IDS technology

  • IDS origin and development: IDS grew out of audit technology, the process of generating, recording and checking chronologically ordered records of system events, usually in the form of audit logs.

  • Audit goals:
    1. Determine and maintain accountability for everyone's activities in the system
    2. Reconstruct events
    3. Assess losses
    4. Monitor problem areas of the system
    5. Provide effective disaster recovery
    6. Prevent improper use of the system

  • Intrusion detection process: information collection, information analysis, result processing

  1. Information collection: (figure not preserved)

  2. Information analysis
  • Pattern matching: the collected information is compared with a database of known network intrusion and system misuse patterns in order to discover behavior that violates the security policy.
  • Statistical analysis: first a statistical description is created for system objects (such as users, files, directories and devices), and measured attributes (such as access count, number of failed operations and delay) are recorded during normal use. The average values of these attributes are then compared with the observed behavior of the network and system; any observed value outside the normal range is treated as an intrusion.
  • Integrity analysis (often used for post-mortem analysis): integrity analysis focuses on whether a file or object has been changed, usually including the contents and attributes of files and directories. It is particularly effective at discovering modified applications and installed Trojan horses.
  3. Incident response (result processing): (figure not preserved)
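The two offline analysis methods above, pattern matching against a misuse database and integrity analysis against a file baseline, in an added Python example (not code from the lecture or from any IDS product). The signature names and regular expressions, the audit-log lines and the small file tree are all constructed here for illustration.

```python
import hashlib
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Pattern matching: a hypothetical signature database. Each entry is a regular
# expression over one audit-log line; the names and patterns are constructed
# for this example and are not taken from any real IDS rule set.
SIGNATURES = {
    "ssh-failed-login": re.compile(r"sshd\[\d+\]: Failed password for \S+ from (?P<src>\S+)"),
    "web-path-traversal": re.compile(r"GET \S*\.\./\S* HTTP"),
}

# Constructed audit-log lines (syslog style and web-server access-log style).
SAMPLE_LOG = [
    "Jan 10 10:00:01 host sshd[4121]: Accepted password for alice from 10.0.0.5 port 51000 ssh2",
    "Jan 10 10:00:07 host sshd[4130]: Failed password for root from 203.0.113.9 port 40022 ssh2",
    "Jan 10 10:00:09 host sshd[4131]: Failed password for root from 203.0.113.9 port 40023 ssh2",
    '203.0.113.9 - - [10/Jan:10:01:00 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.5 - - [10/Jan:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def match_signatures(log_lines):
    """Compare every collected record with the known-misuse database and return
    (signature name, offending line) for each match, in log order."""
    hits = []
    for line in log_lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def build_baseline(root):
    """Integrity analysis, step 1: record a SHA-256 digest of every file under
    root, keyed by its relative path. Taken on a known-good system."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_integrity(root, baseline):
    """Integrity analysis, step 2: recompute the digests and report which files
    were modified, which appeared and which disappeared since the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo_integrity():
    """Self-contained post-mortem run: build a tiny file tree, baseline it,
    simulate tampering, then re-check. Returns the integrity report."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        baseline = build_baseline(root)
        # Simulated changes: one binary replaced, one file added, one removed.
        (root / "bin" / "login").write_bytes(b"replaced login binary")
        (root / "etc" / "ld.so.preload").write_bytes(b"/lib/unexpected.so\n")
        (root / "etc" / "hosts").unlink()
        return check_integrity(root, baseline)


if __name__ == "__main__":
    for name, line in match_signatures(SAMPLE_LOG):
        print(f"[signature {name}] {line}")
    print(demo_integrity())
```

Pattern matching only finds what is already in the database (the `Accepted password` line passes untouched), whereas the integrity check reports any change at all; this is why the lecture groups the latter with post-mortem analysis, where the baseline must have been taken before the compromise to be trustworthy.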

3. Intrusion detection system classification

  • Three types: host-based intrusion detection system, network-based intrusion detection system, distributed intrusion detection system
  1. Host-based intrusion detection system (HIDS)
  • A host-based IDS is usually installed on the protected host. It analyzes and checks the host's live network connections and the system audit log; when suspicious behavior or a security violation is found it alerts the administrator so that countermeasures can be taken. The protected hosts are typically key devices such as web servers, mail servers and DNS servers.
  • Host data sources: operating system event logs, application logs, system logs, relational databases, web servers.
  • Detection content: system calls, port usage, system logs, security audit records, application logs.
  • Advantages of HIDS:
    1. High detection accuracy: HIDS observes user and system activity, so it is better suited to detecting attacks or unauthorized behavior by internal users.
    2. Unaffected by encryption and switching equipment: HIDS only looks at events on the host itself and ignores network events outside it, so data encryption, tunnels and switches do not degrade its detection.
    3. Unaffected by network traffic volume: HIDS does not collect network packets, so rising traffic cannot make it lose sight of system behavior; its detection performance is independent of network load.
  • Disadvantages of HIDS: installing it on the protected host inevitably consumes host resources, and the extra load reduces the efficiency of the application system. HIDS relies entirely on the operating system's built-in audit mechanism, so it must be tightly integrated with the OS and ports poorly across platforms. Its own robustness is also limited by the security of the host operating system. It can only detect attacks against its own machine, not attacks carried out at the network protocol level.
  2. Network-based intrusion detection system (NIDS): installed in the network segment to be protected, it monitors in real time the packets transmitted in that segment and analyzes them; if an intrusion or suspicious event is found, it raises an alarm or even cuts off the network connection.
  • Network monitoring: in a shared network, being able to listen to all traffic is a double-edged sword. Administrators use it to monitor network traffic conditions; developers of network applications use it to watch their program's network behavior; attackers use it to gather network intelligence.
  • Advantages of NIDS:
    1. Fast detection and response: NIDS can detect attacks and suspicious intent before an intrusion succeeds, and can respond quickly to terminate the attack before the target is damaged.
    2. Wide monitoring range: each network sensor collects all packets in its shared segment, so one sensor protects one segment, and placing sensors on the network's critical paths allows the whole network's communication to be monitored.
    3. Reliable intrusion forensics: NIDS gathers intrusion evidence by capturing packets, and the attacker cannot remove that evidence.
    4. Detection of protocol-vulnerability attacks: many attack programs exploit network protocol weaknesses (SYN flood, Smurf, teardrop) and can only be recognized by inspecting packet headers or payloads.
  3. Distributed Intrusion Detection System (DIDS): the complexity and scale of modern network systems mean that system weaknesses and vulnerabilities are scattered across the hosts in the network, where intruders may use them to attack; an IDS that relies on a single host or network segment finds it hard to detect such intrusions. Intrusion is no longer a single action but shows the characteristics of cooperative intrusion, such as distributed denial-of-service attacks. The decentralization of the data sources that intrusion detection relies on also makes it harder to collect raw detection data.
  • The goal of DIDS is to detect both network intrusions and host intrusions.
  • Location of detectors: (figure not preserved)

  • Problem faced by network-based techniques: in network environments that use switching, the switching mechanism stops messages from being broadcast freely within the subnet and confines them to the configured virtual network (VLAN). A host performing network monitoring can therefore only capture the traffic of its own virtual network, so the monitoring range is greatly reduced and the monitoring capability weakened.

4. Intrusion detection methods

  1. Misuse Detection
  • Misuse detection is also called abuse detection or signature-based detection. It characterizes intrusion behavior directly, building a behavior pattern for a specific intrusion or class of intrusions; if current behavior matches an intrusion pattern, that intrusion is deemed to have occurred.
  • Misuse detection features: (figure not preserved)

  2. Anomaly Detection
  • Basic idea: anyone's normal behavior follows certain regularities, and some of these can be extracted by analyzing the log information those behaviors generate (assuming the logs are sufficiently complete); intrusion and abuse usually differ markedly from normal behavior, so intrusions can be detected by checking for such differences.
  • Main method: establish a set of rules describing normal behavior, called the normal behavior pattern, normal profile or "user profile". When a user's activity deviates greatly from the normal profile it is regarded as abnormal or intrusive. In this way intrusions can be detected even when they use unknown attack methods; in addition, abnormal user behavior that is not an intrusion (abuse of one's own privileges) can also be detected.
  • Anomaly detection features: (figures not preserved)
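The statistical analysis described under "Information analysis" and the normal-profile method described here are the same mechanism, shown in one added Python example that is not part of the lecture: a per-user profile of mean and standard deviation is built from training observations, and a new observation is flagged when any attribute lies more than a threshold number of standard deviations from the mean. The training days, the attribute names and the threshold of 3 are all constructed assumptions; the zero-variance branch shows the edge case a naive implementation would crash on.

```python
import statistics
from dataclasses import dataclass

# Constructed training data: daily measurements of one user's normal activity,
# using the attributes named in the lecture (access count, failed operations,
# delay). In a real deployment these come from the audit logs of a period that
# is assumed to contain no intrusions.
NORMAL_DAYS = [
    {"access_count": 40, "failed_ops": 1, "delay_ms": 120},
    {"access_count": 45, "failed_ops": 0, "delay_ms": 110},
    {"access_count": 38, "failed_ops": 2, "delay_ms": 130},
    {"access_count": 42, "failed_ops": 1, "delay_ms": 125},
    {"access_count": 44, "failed_ops": 1, "delay_ms": 115},
    {"access_count": 41, "failed_ops": 0, "delay_ms": 118},
]


@dataclass
class Profile:
    """The normal profile: per-attribute mean and standard deviation."""
    mean: dict
    stdev: dict


def build_profile(observations):
    """Summarize the training observations into a normal profile.
    Needs at least two observations so a sample standard deviation exists."""
    keys = list(observations[0])
    return Profile(
        mean={k: statistics.fmean(o[k] for o in observations) for k in keys},
        stdev={k: statistics.stdev(o[k] for o in observations) for k in keys},
    )


def score(profile, observation, threshold=3.0):
    """Return {attribute: z-score} for every attribute outside the normal range.
    The z-score is the distance from the mean in standard deviations; values
    beyond `threshold` are flagged. An attribute that never varied during
    training has stdev 0, so any change at all is reported (as infinity)
    rather than raising a division error."""
    anomalies = {}
    for key, value in observation.items():
        deviation = value - profile.mean[key]
        sd = profile.stdev[key]
        if sd == 0:
            if deviation != 0:
                anomalies[key] = float("inf")
            continue
        z = deviation / sd
        if abs(z) > threshold:
            anomalies[key] = round(z, 2)
    return anomalies


def is_intrusion(profile, observation, threshold=3.0):
    """Anomaly detection verdict: any flagged attribute makes the day abnormal."""
    return bool(score(profile, observation, threshold))


if __name__ == "__main__":
    profile = build_profile(NORMAL_DAYS)
    for day in (
        {"access_count": 43, "failed_ops": 1, "delay_ms": 122},   # ordinary day
        {"access_count": 400, "failed_ops": 25, "delay_ms": 121}, # scripted probing
    ):
        print(day, "->", score(profile, day) or "normal")
```

With these numbers the ordinary day scores nothing, while the second day is flagged on `access_count` and `failed_ops` without any signature for the activity having been written, which is the strength the lecture attributes to anomaly detection. A legitimate but unusual day (a one-off bulk export) would be flagged in exactly the same way, which is the false-positive side of the same method.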

  • Some methods used in anomaly detection:
    1. Statistical anomaly detection
    2. Anomaly detection based on feature selection
    3. Anomaly detection based on Bayesian inference
    4. Anomaly detection based on Bayesian networks
    5. Anomaly detection based on pattern prediction
    6. Anomaly detection based on neural networks
    7. Anomaly detection based on Bayesian clustering
    8. Anomaly detection based on machine learning
    9. Anomaly detection based on data mining

  • Comparison of the two approaches: (figure not preserved)

  • Development directions of intrusion detection:
    1. Industry: the main research content is how to improve the overall performance and processing speed of the IDS by optimizing its detection algorithms, so as to meet the requirements of gigabit networks.
    2. Academia: mainly by introducing various intelligent computing methods, intrusion detection technology is being developed toward intelligence: artificial neural networks, artificial immune systems and data mining.

  • Limitations of intrusion detection systems:
    1. The contradiction between false positives and false negatives
    2. The conflict between privacy and security
    3. The contradiction between passive analysis and active discovery
    4. The contradiction between massive information and analysis cost
    5. The contradiction between functionality and manageability
    6. The contradiction between a single product and complex network applications

5. Network intrusion detection system products

  • Snort is the most popular free NIDS. Snort is an IDS based on misuse/anomaly detection that uses rule definitions to check for problematic packets on the network. Snort consists of the following parts: packet sniffer, preprocessor, detection engine, and alert output module.
  • RealSecure: first developed in 1996 as a traditional sensor-based network intrusion detection system, it became a hybrid intrusion detection system in 1998. It aims to combine OS log and network packet analysis and is designed to sit both below and above the IP layer of the protocol stack, with multiple response methods.


  • Network ICE
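The four-stage pipeline listed for Snort (sniffer, preprocessor, detection engine, alert output) and the NIDS advantage of recognizing header-only attacks such as a SYN flood, in one added Python example. This is an illustration written for these notes, not Snort's code or rule language: the packet capture is constructed in memory, the rule sids and messages are hypothetical, and the SYN-flood threshold of 100 SYNs per second is an assumed tuning value.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass
class Packet:
    ts: float          # capture time in seconds
    src: str
    dst: str
    proto: str
    dport: int
    flags: str = ""    # TCP flag letters, e.g. "S" = bare SYN, "A" = ACK
    payload: bytes = b""


# 1. Packet sniffer stage. Here the "capture" is constructed in memory: one
#    ordinary HTTP client, one client sending a URL-encoded traversal request,
#    and one source sending 150 bare SYNs within 0.15 s.
CAPTURE = (
    [Packet(0.0, "10.0.0.5", "10.0.0.80", "tcp", 80, "S"),
     Packet(0.1, "10.0.0.5", "10.0.0.80", "tcp", 80, "A", b"GET /index.html HTTP/1.1\r\n"),
     Packet(1.0, "198.51.100.7", "10.0.0.80", "tcp", 80, "A",
            b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1\r\n")]
    + [Packet(2.0 + i * 0.001, "203.0.113.9", "10.0.0.80", "tcp", 80, "S") for i in range(150)]
)


# 2. Preprocessor stage: decode and normalize the payload so that rules match
#    the request the server will actually see, not the encoded bytes.
def preprocess(pkt):
    return unquote(pkt.payload.decode("latin-1")).lower()


# 3. Detection engine stage. Content rules are (sid, message, substring);
#    the sids are hypothetical. A second, stateful rule works on headers only.
CONTENT_RULES = [
    (1000001, "WEB path traversal in request", "../"),
    (1000002, "WEB /etc/passwd requested", "/etc/passwd"),
]


class SynFloodRule:
    """Alert once per (src, dst) when more than `limit` bare SYNs arrive within
    `window` seconds: a header-only check, since a SYN flood has no payload."""

    def __init__(self, limit=100, window=1.0, sid=1000003):
        self.limit, self.window, self.sid = limit, window, sid
        self.syns = defaultdict(deque)   # (src, dst) -> recent SYN timestamps
        self.alerted = set()

    def check(self, pkt):
        if pkt.proto != "tcp" or pkt.flags != "S":
            return None
        key = (pkt.src, pkt.dst)
        times = self.syns[key]
        times.append(pkt.ts)
        while times and pkt.ts - times[0] > self.window:   # slide the window
            times.popleft()
        if len(times) > self.limit and key not in self.alerted:
            self.alerted.add(key)
            return self.sid, f"possible SYN flood: {len(times)} SYNs in {self.window}s"
        return None


# 4. Alert output stage: one record per rule hit.
def emit(sid, msg, pkt):
    return {"sid": sid, "msg": msg, "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport}


def run_engine(capture):
    """Push every packet through preprocessor -> rules -> alert output."""
    alerts = []
    flood = SynFloodRule()
    for pkt in capture:
        text = preprocess(pkt)
        for sid, msg, needle in CONTENT_RULES:
            if needle in text:
                alerts.append(emit(sid, msg, pkt))
        hit = flood.check(pkt)
        if hit:
            alerts.append(emit(hit[0], hit[1], pkt))
    return alerts


if __name__ == "__main__":
    for alert in run_engine(CAPTURE):
        print(alert)
```

The preprocessor is what makes the content rules useful: without decoding, the `%2e%2e` request would slip past a rule that looks for `../`, which is the evasion problem real preprocessors such as Snort's HTTP normalizer exist to address. The SYN-flood rule needs no payload at all, matching the lecture's point that such attacks are only visible in packet headers.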


Origin blog.csdn.net/m0_47157676/article/details/109262530