Network Security Note 15: Intrusion Detection (IDS)

1 Overview of Intrusion Detection

Intrusion detection:
Collect and analyze information at several key points of a network or system to determine whether the security policy has been violated or an attack has taken place, and respond accordingly.

IDS (Intrusion Detection System)
A system that applies intrusion detection technology to monitor the network and hosts, and acts on what it observes to reduce the harm caused by an intrusion.

Process

  1. Collect information (audit records, network packets, etc.)
  2. Preprocess the data
  3. Analyze the data
  4. Respond according to the security policy

Unauthorized access is normally prevented by firewalls and authentication systems.
An IDS, placed at appropriate points, warns of unauthorized access (and may block some intruders), but it has no access-control capability of its own.

  • A network "investigator": detection and early warning
  • Raises alarms and records behavior while an attack is in progress
  • Mostly implemented as a bypass (passive tap) listener
  • Complements other security systems and reduces losses

Guarantee condition

$D_t + R_t < P_t$
detection time + response time < protection time

Basic structure

CIDF (Common Intrusion Detection Framework): the data an IDS works on is called an event.

  1. Event generator: collects and monitors data and stores it as events in the event database (4)
  2. Event analyzer: examines events, identifies dangerous ones and notifies the response unit (3)
  3. Response unit: blocks connections, traces the attacker, protects the system
  4. Event database: stores events and analysis results

CISL (Common Intrusion Specification Language): the language used to exchange data between the functional units.

2 IDS classification

By data source

  1. Host-based
  2. Network-based
  3. Kernel-based
  4. Application-based

Host-based

Data source:
system logs, application logs and other audit record files; attack signatures are derived from them

  • The audit data must be protected from tampering
  • Real-time requirement
    • analysis, alarm and response must complete before the attacker can modify the audit data
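
The requirement that audit data not be altered, and that the attacker get no chance to rewrite it unnoticed, can be enforced with a keyed hash chain over the log. The following Python example is added here and is not from the original note: it assumes the verification key is held by a collector off the monitored host, and the audit lines are constructed samples.

```python
import hashlib
import hmac

# Key held by the off-host collector, never stored on the monitored host.
# Constructed value for this example.
COLLECTOR_KEY = b"example-collector-key"
SEED = b"\x00" * 32  # tag "before" the first entry

def chain_log(lines, key=COLLECTOR_KEY):
    """Return [(line, tag_hex)] where tag = HMAC(key, prev_tag || line).
    Every tag commits to the whole prefix, so editing or deleting any
    earlier entry invalidates all later tags."""
    prev, out = SEED, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        out.append((line, tag.hex()))
        prev = tag
    return out

def verify_chain(entries, key=COLLECTOR_KEY, expected_last=None):
    """Return -1 if the chain is intact, the index of the first entry whose
    tag fails (modification or deletion), or len(entries) if every tag
    verifies but the last one differs from the tag the collector recorded
    (truncation: the tail of the log was cut off)."""
    prev = SEED
    for i, (line, tag_hex) in enumerate(entries):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    if expected_last is not None and not hmac.compare_digest(prev.hex(), expected_last):
        return len(entries)
    return -1

# Constructed audit lines (not from a real host).
AUDIT_LINES = [
    "2024-05-01T10:00:01 sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-05-01T10:02:13 sudo: alice : COMMAND=/usr/bin/apt update",
    "2024-05-01T10:05:40 sshd: Failed password for root from 203.0.113.9",
    "2024-05-01T10:05:41 sshd: Failed password for root from 203.0.113.9",
]

def tamper_demo():
    """Attacker on the host rewrites a failed-login record to hide the
    source address; the collector's verification points at entry 2."""
    entries = chain_log(AUDIT_LINES)
    last_tag = entries[-1][1]  # the collector keeps this off-host
    tampered = list(entries)
    line, tag = tampered[2]
    tampered[2] = (line.replace("203.0.113.9", "10.0.0.5"), tag)
    return verify_chain(tampered, expected_last=last_tag)

if __name__ == "__main__":
    print("first bad entry:", tamper_demo())  # 2
```

Without the collector's copy of the latest tag, an attacker could still truncate the log cleanly, which is why `expected_last` exists; the chain itself only detects edits and deletions inside the retained prefix.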

Further classification by what is monitored

  1. Network connections: data entering the host
  2. Host files: logs, system files, processes

Advantages

  • Can determine whether an attack succeeded
  • Suitable for encrypted and switched environments
    • because a network-based IDS uses the packets on the wire as its data source
    • encrypted traffic is only decrypted at the host, and in a switched network a sensor is hard to place so that it sees the traffic
  • Near real time
  • No additional hardware required
  • Monitors specific behavior: system files, executables
  • Can be tailored to each OS

Disadvantages

  • Poorer real-time performance
  • Consumes host resources
  • Effectiveness depends on the logs
  • Cannot see all packets
  • Vulnerable to covert penetration: an attacker who gains control of the host can tamper with or disable the agent

Network-based

Raw network packets are the data source; a network adapter in promiscuous mode captures and analyzes traffic in real time.

Capabilities

  1. Detect port scans
  2. Identify attacks
  3. Identify IP-layer attacks
  4. Can disrupt the attacker's connection and reconfigure the firewall
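
Port-scan detection is the first capability listed for a network sensor. The following Python example is added here and is not from the original note: it applies a simple threshold rule, "one source attempts connections to N distinct ports on one host within W seconds", to constructed packet records (the addresses, ports, threshold and window are all assumptions for the example), and also shows the evasion caveat that a slow scan spread over a longer period stays under the threshold.

```python
from collections import defaultdict, deque

# Rule parameters (assumed values for this example)
SCAN_PORT_THRESHOLD = 10    # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 5.0   # ... to one host within this many seconds

def detect_port_scans(packets, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """packets: time-ordered (ts, src, dst, dport, tcp_flags) records.
    Returns one alert (ts, src, dst, distinct_ports) per (src, dst) pair the
    first time it crosses the threshold inside the sliding window."""
    history = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
    alerted, alerts = set(), []
    for ts, src, dst, dport, flags in packets:
        if "S" not in flags or "A" in flags:
            continue               # only connection attempts (pure SYN) count
        key = (src, dst)
        q = history[key]
        q.append((ts, dport))
        while q and ts - q[0][0] > window:
            q.popleft()            # drop events that fell out of the window
        ports = {p for _, p in q}
        if len(ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ts, src, dst, len(ports)))
    return alerts

def sample_traffic():
    """Constructed packet records, not a real capture."""
    pkts = []
    # legitimate client: three web connections, each answered with a SYN-ACK
    for i, port in enumerate([443, 443, 80]):
        pkts.append((1.0 + i, "10.0.0.5", "10.0.0.10", port, "S"))
        pkts.append((1.01 + i, "10.0.0.10", "10.0.0.5", 51000 + i, "SA"))
    # fast scanner: 16 ports in under two seconds
    for i, port in enumerate(range(20, 36)):
        pkts.append((2.0 + i * 0.1, "203.0.113.7", "10.0.0.10", port, "S"))
    # slow scanner: 12 ports, one per second, never 10 inside a 5 s window
    for i, port in enumerate(range(1000, 1012)):
        pkts.append((10.0 + i, "198.51.100.2", "10.0.0.10", port, "S"))
    pkts.sort(key=lambda p: p[0])
    return pkts

if __name__ == "__main__":
    for alert in detect_port_scans(sample_traffic()):
        print("port scan:", alert)
    # widening the window to 20 s also catches the slow scanner
    print(len(detect_port_scans(sample_traffic(), window=20.0)), "alerts with a 20 s window")
```

With the default window only the fast scanner is reported; the slow scanner is the classic evasion of a threshold rule, and the price of widening the window to catch it is more state per source and a higher chance of flagging a busy legitimate client.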

Advantages

  • Hard for attackers to erase their traces: a host IDS's audit log can be modified by the attacker, a network sensor's record cannot
  • Real time
  • OS independent
  • Low cost
  • Detects attempted (unsuccessful) attacks

Compared with host-based:
real time, monitors many hosts at once, stealthy, preserves intrusion evidence, does not load the host

Disadvantages

  • Susceptible to evasion and to attacks on the sensor itself
  • Difficult to configure
  • Hardware limitations (packet capture must keep up with link speed)
  • Cannot inspect encrypted data

Kernel-based

Example: Openwall Linux
prevents buffer overflows, adds file-system protections, and restricts signal handling

Distributed

Combines host-based and network-based sensors

3 Analysis methods

  • Anomaly detection
  • Misuse detection

Anomaly detection: behavior-based

Premise: every intrusion is anomalous. A profile of normal behavior is built, and deviation from it is taken as evidence of intrusion. An indirect method.

  1. Select features
  2. Set a threshold
    1. too high: missed alarms (false negatives)
    2. too low: false alarms (false positives)
  3. Select the comparison frequency

Advantages

  • Can detect new intrusion methods
  • Less dependent on the OS
  • Strong at detecting insider misuse

Disadvantages

  • False positives
  • Difficult to model normal behavior
  • Difficult to classify and name the detected behavior

Methods

  1. Statistical analysis
    1. mean
    2. weighted sum of squares
      1. mature, but the threshold is hard to set and the method is insensitive to event order
  2. Bayesian
  3. Neural networks
    1. no statistical assumptions about the data; tolerates randomness and noisy data
    2. weights are hard to determine and interpret
  4. Pattern prediction: considers the order of and links between events; normal activity follows recognizable patterns
    1. handles a wide range of behaviors
    2. unrecognized patterns are falsely flagged
  5. Data mining
    1. handles large volumes of data
    2. low efficiency
  6. Machine learning

Misuse detection: knowledge-based

Premise: intrusions can be described by known patterns (signatures). A direct method.

  • Precise
  • Mature
  • Convenient for protecting the system (the alert names the attack)

Disadvantages

  • Cannot detect new intrusions
  • Depends on the signatures remaining valid
  • Maintaining the signature library is laborious
  • Difficult to detect insider misuse

Methods

  1. Expert system
    1. speed and accuracy need improvement; maintaining the rule base is laborious
  2. Signature (feature) analysis
    1. no transformation of the audit data and no processing of large volumes; the intrusion features are matched directly
  3. Inference model (model-based reasoning)
    1. mathematically founded; reduces the amount of data to process
    2. adds model overhead
  4. Conditional probability
  5. Keystroke monitoring

Comparison

                  Anomaly detection                         Misuse detection
  Configuration   Hard: normal behavior must be profiled    Lower: signatures are supplied
  Result          More data, less specific                  Lists attack type/name and handling suggestions
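
To make the comparison concrete, the following Python example (added here, not part of the original note) runs a misuse detector and a statistical anomaly detector over the same constructed request records; the signature library, client addresses, paths, counts and thresholds are all assumptions for the example. The signature rule fires precisely on the known attack string and misses the novel admin-path enumeration; the anomaly rule catches the enumeration but also raises a false alarm on a legitimate traffic spike, and because the legitimate spike deviates more than the attack does, raising the threshold loses the real attack before it removes the false alarm.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# --- Misuse detection: a tiny signature library (constructed, not a real ruleset)
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.I),
    "path_traversal": re.compile(r"\.\./"),
}

def misuse_detect(events):
    """events: [(minute, client, uri)]. Return [(minute, client, signature_name)]
    for every request that matches a known intrusion pattern."""
    hits = []
    for minute, client, uri in events:
        for name, rx in SIGNATURES.items():
            if rx.search(uri):
                hits.append((minute, client, name))
    return hits

# --- Anomaly detection: statistical profile (mean, std dev) of requests per minute
def build_profile(training_events):
    """Profile each client's normal requests-per-minute from training data.
    Minutes in which a client sent nothing are not counted as zeros here."""
    counts = Counter((m, c) for m, c, _ in training_events)
    per_client = defaultdict(list)
    for (m, c), n in counts.items():
        per_client[c].append(n)
    return {c: (mean(v), pstdev(v) or 1.0) for c, v in per_client.items()}

def anomaly_detect(profile, events, threshold):
    """Return [(minute, client, z)] where the per-minute request count lies more
    than `threshold` standard deviations above the client's profile."""
    counts = Counter((m, c) for m, c, _ in events)
    alerts = []
    for (m, c), n in sorted(counts.items()):
        mu, sigma = profile.get(c, (0.0, 1.0))   # unknown client: no profile yet
        z = (n - mu) / sigma
        if z > threshold:
            alerts.append((m, c, round(z, 1)))
    return alerts

def constructed_logs():
    """Constructed (minute, client, uri) records, not a real access log."""
    train, test = [], []
    a_counts = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6]   # client A: mean 5.0, std 0.77
    b_counts = [2, 3, 2, 3, 2, 3, 2, 3, 2, 3]   # client B: mean 2.5, std 0.5
    for m in range(10):
        train += [(m, "10.0.0.5", "/index.html")] * a_counts[m]
        train += [(m, "10.0.0.6", "/news")] * b_counts[m]
    # minute 10: normal volumes, plus one known attack string from client B
    test += [(10, "10.0.0.5", "/index.html")] * 5
    test += [(10, "10.0.0.6", "/news")] * 2 + [(10, "10.0.0.6", "/item?id=1' OR 1=1--")]
    # minute 11: client B enumerates admin paths (novel behavior, no signature)
    test += [(11, "10.0.0.6", "/admin/" + name) for name in
             ["login", "backup", "config", "users", "export", "debug", "logs", "db"]]
    # minute 12: client A's legitimate reporting job fetches 30 pages
    test += [(12, "10.0.0.5", "/report/%d" % i) for i in range(30)]
    return train, test

if __name__ == "__main__":
    train, test = constructed_logs()
    print("misuse hits:   ", misuse_detect(test))
    profile = build_profile(train)
    print("anomaly z > 3: ", anomaly_detect(profile, test, 3.0))
    print("anomaly z > 20:", anomaly_detect(profile, test, 20.0))
```

The output matches the table above: the misuse hit names the attack (`sqli_tautology`) and says nothing about minute 11, while the anomaly detector returns raw deviations that still have to be investigated and classified. Request count alone cannot separate the enumeration (z = 11) from the reporting job (z = 32), so no threshold fixes this; the "select features" step is where the distinction would have to come from, for example distinct paths per minute or the share of 404 responses.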

Other approaches

Genetic algorithms, artificial immune techniques

4 Building an IDS

  1. Determine requirements
  2. Design the topology
  3. Configure the system
  4. Run in and tune
  5. Operate

Steps 3 and 4 are iterated several times to reduce false positives and false negatives.

5 Deployment

Network-based IDS sensor positions

  1. DMZ
    1. detects all attacks against the servers that provide services to users
    2. detects external attacks and firewall problems
  2. Outside the firewall (external entry point)
    1. sees all traffic entering and leaving the firewall's external port
    2. handles both inbound and outbound data
    3. but cannot pinpoint the internal address
  3. Intranet backbone
    1. sees traffic leaving the intranet and traffic entering it after the firewall has filtered it
    2. knows the source and destination addresses
    3. monitors the intranet, improving attack detection
  4. Key subnets
    1. detects abnormal network behavior from both inside and outside
    2. concentrates sensor resources on the most valuable assets

Host-based

Installed mainly on key hosts

Configured according to the spare capacity of the server itself

Alarm strategy

How alarms are delivered and which alarm types are chosen

The management interface should be physically isolated from the monitored network so that it neither is affected by it nor affects it

Advantages and limitations

  • Analyzes behavior
  • Assesses the security state
  • Generates audit data
  • Helps administrators

Limitations

  • Can only detect; it cannot repair, correct or prevent
  • Highly loaded hosts are difficult to monitor
  • Difficult to detect misuse by insiders acting within their knowledge and authority
  • Over-sensitivity can itself cause a denial of service (blocking legitimate traffic or flooding operators with alerts)
  • Does not work in a purely switched environment (the sensor sees no traffic)

Honeypot technology builds a decoy network and lures attackers into attacking it, so as to protect the real network.

Source: blog.csdn.net/JamSlade/article/details/131207549