1 Overview of Intrusion Detection
Intrusion detection:
collect and analyze information at several key points of the network/system, determine whether the network/system has violated its security policy or been attacked, and respond accordingly
IDS (intrusion detection system)
uses *~~~~ technology* to monitor the network and system, and acts on what it observes to reduce the harm done by an intrusion
process
- collect data
- preprocess data
- analyze data
- respond according to the security policy
Unauthorized access is normally prevented by a firewall/authentication system.
An IDS, placed at suitable points, warns of unauthorized access to the computers (and may reject some intruders); it has no access control capability of its own
- The network's scout: detection and early warning
- Raises alarms / records behavior while an attack is under way (early-warning function)
- Usually a passive, bypass (out-of-band) listening mechanism
- Complementary to other systems; reduces losses
Guarantee
Dt + Rt < Pt
detection time + response time < protection time
basic structure
CIDF (Common Intrusion Detection Framework): the data an IDS works on is called an event
- Event generator: collects, monitors and stores data, storing it in the event database (4)
- Event analyzer: finds dangerous event data and notifies the response unit (3)
- Response unit: intercepts/blocks, counter-traces, protects
- Event database
CISL (Common Intrusion Specification Language): the language used for data exchange between the functional units
2 IDS classification
by data source
- host-based
- network-based
- kernel-based
- application-based
host-based
Data source:
system logs, application logs and other audit records; attack signatures are generated from them
- Must ensure the audit data has not been tampered with
- Real-time requirement
- The system matches the audit data against attacker signatures, then completes analysis, alarm and response
Further classified by detection object
- Network connections: data entering the host
- Host files: logs, system files, processes
advantages
- Can determine whether an attack succeeded
- Suits encrypted/switched environments
  - because a network-based IDS uses the packets exchanged on the wire as its data source
  - encrypted data must be decrypted once it reaches the host; on a switched network the traffic is hard to capture
- Near real time
- No additional hardware required
- Monitors specific behavior ~~ system files/executable files
- Adapted to the specific OS
disadvantages
- Poor real-time performance
- Consumes host resources
- Effectiveness depends on the logs
- Cannot see all packets
- Hard to detect covert penetration
network-based
Raw network packets are the data source; a network adapter (in promiscuous mode) is used to monitor and analyze in real time
capabilities
- Port-scan detection
- Attack identification
- Identification of attacks at the IP layer and the layers above it
- Can interfere with communications and configure the firewall
advantages
- Hard for attackers to erase their traces: a host IDS's audit logs can be modified by the attacker, a network sensor's data cannot
- Real time
- OS independent
- Low cost
- Detects attempted attacks
Corresponding to the host-based list above:
real-time, monitors many hosts at once, concealment, preserves intrusion evidence, does not affect the hosts
disadvantages
- Susceptible to evasion
- Difficult to configure
- Limited by hardware (must keep up with line rate)
- Cannot handle encrypted data
kernel-based
Openwall Linux: prevents buffer overflows (non-executable stack), increases file system protection, and restricts signals
distributed
host + network
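The port-scan capability listed for the network-based IDS above, as an added example that is not code from these notes: a detector run over connection records of the kind a sensor reconstructs from raw packets. The record format, the threshold of 10 distinct targets and the 5 s window are assumptions chosen for illustration, and the traffic is constructed inline.

```python
"""Port-scan detection over connection records, the way a network-based IDS sees them.

Added example; not code from the original notes. Each record is a constructed
(timestamp_s, src_ip, dst_ip, dst_port, tcp_flags) tuple standing in for what a
sensor would reconstruct from raw packets captured on a promiscuous-mode adapter.
"""
from collections import defaultdict

SCAN_PORT_THRESHOLD = 10   # distinct (dst, port) targets from one source (assumed value)
SCAN_WINDOW_SECONDS = 5.0  # sliding window length (assumed value)


def detect_port_scans(records, port_threshold=SCAN_PORT_THRESHOLD,
                      window=SCAN_WINDOW_SECONDS):
    """Return {src_ip: (window_start_ts, distinct_targets)} for every source that
    sends SYN-only probes to at least `port_threshold` distinct (dst, port) pairs
    within any `window` seconds. Only flags == "S" counts, so established flows
    (ACK/PSH traffic) never contribute."""
    probes_by_src = defaultdict(list)
    for ts, src, dst, port, flags in records:
        if flags == "S":
            probes_by_src[src].append((ts, dst, port))

    alerts = {}
    for src, probes in probes_by_src.items():
        probes.sort()  # chronological order
        for i, (start_ts, _, _) in enumerate(probes):
            targets = set()
            for ts, dst, port in probes[i:]:
                if ts - start_ts > window:
                    break
                targets.add((dst, port))
            if len(targets) >= port_threshold:
                alerts[src] = (start_ts, len(targets))
                break  # one alert per source is enough
    return alerts


def build_sample_records():
    """Constructed traffic: a fast scanner, a slow scanner, and two normal clients."""
    recs = []
    # 203.0.113.7 probes 15 consecutive ports on 10.0.0.5, 100 ms apart
    for i in range(15):
        recs.append((100.0 + 0.1 * i, "203.0.113.7", "10.0.0.5", 21 + i, "S"))
    # 198.51.100.9 probes 12 ports but only one every 10 s: slips under the 5 s window
    for i in range(12):
        recs.append((200.0 + 10.0 * i, "198.51.100.9", "10.0.0.5", 1000 + i, "S"))
    # Legitimate clients: many connections, but always to the same one or two ports
    for i in range(20):
        recs.append((300.0 + i, "10.0.0.20", "10.0.0.5", 80, "S"))
        recs.append((300.0 + i + 0.01, "10.0.0.20", "10.0.0.5", 80, "A"))
        recs.append((300.0 + i, "10.0.0.21", "10.0.0.5", 443, "S"))
        recs.append((300.5 + i, "10.0.0.21", "10.0.0.5", 80, "S"))
    return recs


SAMPLE_RECORDS = build_sample_records()

if __name__ == "__main__":
    for src, (ts, n) in detect_port_scans(SAMPLE_RECORDS).items():
        print(f"ALERT port scan from {src}: {n} targets starting at t={ts}")
    # Widening the window catches the slow scanner, at the price of more state per source
    print("with 100 s window:", sorted(detect_port_scans(SAMPLE_RECORDS, window=100.0)))
```

The slow scanner is the evasion case from the disadvantages list: with the default window only the fast scanner is reported, and a window wide enough to catch one probe every 10 s forces the sensor to hold far more state per source, which is the hardware limitation in practice.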
3 Analysis methods
- anomaly detection
- misuse detection
Anomaly detection - behavior based
Premise: all intrusive behavior is anomalous, so
profiles of normal behavior are used to judge whether an intrusion has occurred; an indirect method
- Choice of features
- Threshold
- Missed alarms (false negatives)
- False alarms (false positives)
- Choice of comparison frequency
advantages
- Detects new intrusion methods
- Less dependent on the OS
- Strong at detecting insider abuse
disadvantages
- False positives
- Hard to build the model
- Hard to classify and name the detected behavior
methods
- Statistical analysis
  - mean
  - weighted sum of squares (variance)
  - Mature, but thresholds are hard to set, and insensitive to event order
- Bayesian
- Neural networks
  - No statistical assumptions about the data are needed; copes with randomness and noisy data
  - Weights are hard to determine
- Pattern prediction: takes order into account and links events; behavior follows a recognizable pattern
  - Handles many kinds of behavior
  - Misdetects patterns it has not learned
- Data mining
  - Data processing
  - Low efficiency
- Machine learning
Misuse detection - knowledge based
Premise: intrusions can be described by their signatures; a direct method
- Precise
- Mature
- Convenient for system protection
shortcomings
- Cannot detect new intrusions
- Depends on the signature features staying valid
- Maintaining the signature library is heavy work
- Hard to detect insider attacks
methods
- Expert system
  - Speed and accuracy need improvement, and maintaining the rule library is heavy work
- Signature matching
  - No transformation and no heavy data processing: the intrusion signature is matched directly
- Model-based reasoning
  - Mathematically founded; reduces the amount of data to process
  - Increases the model's overhead
- Conditional probability
- Keystroke monitoring
| | anomaly | misuse |
|---|---|---|
| configuration | difficult: normal behavior must be summarized | |
| result | more raw data to examine | lists type/name/handling suggestions |
others
Genetic algorithms, immune techniques
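The two analysis methods above (statistical anomaly detection with a mean-plus-threshold profile, and signature-based misuse detection), as one added example that is not code from these notes. The audit line format, the signature IDs and patterns, the users and the threshold k = 3 are all assumptions; the audit lines are constructed so that both analyzers run over the same data.

```python
"""Misuse (signature) and anomaly (statistical) detection over host audit records.

Added example; not code from the original notes. The audit lines are constructed,
in an assumed "<epoch_seconds> <user> <event> <detail>" format. Both analyzers run
over the same lines so the complementary coverage of the two methods is visible.
"""
import re
import statistics
from collections import Counter, defaultdict

SECONDS_PER_DAY = 86400

# Knowledge base for misuse detection: assumed signature IDs and patterns, matched
# against "<event> <detail>" of each record.
SIGNATURES = {
    "SIG-001": re.compile(r"^exec /bin/(sh|bash|dash)\b.*\bparent=httpd$"),  # web server spawning a shell
    "SIG-002": re.compile(r"^open /etc/shadow\b.*\buid=(?!0\b)\d+$"),        # shadow file read by a non-root uid
}


def parse(line):
    ts, user, event, detail = line.split(" ", 3)
    return int(ts), user, event, detail


def misuse_detect(lines):
    """Direct method: report every record that matches a known signature."""
    hits = []
    for line in lines:
        _, user, event, detail = parse(line)
        text = f"{event} {detail}"
        for sig_id, pattern in SIGNATURES.items():
            if pattern.search(text):
                hits.append((sig_id, user, text))
    return hits


def failed_logins_per_day(lines):
    """user -> {day_index: number of login_failed events}"""
    counts = defaultdict(Counter)
    for line in lines:
        ts, user, event, _ = parse(line)
        if event == "login_failed":
            counts[user][ts // SECONDS_PER_DAY] += 1
    return counts


def build_profile(training_lines, k=3.0, floor_std=1.0):
    """Indirect method: per-user threshold = mean + k*std of daily failed logins over
    the training days. Days with no failures count as 0; std is floored so a user
    whose history is perfectly regular does not get a threshold of zero."""
    counts = failed_logins_per_day(training_lines)
    days = sorted({parse(line)[0] // SECONDS_PER_DAY for line in training_lines})
    profile = {}
    for user, per_day in counts.items():
        values = [per_day.get(day, 0) for day in days]
        mean = statistics.fmean(values)
        std = statistics.pstdev(values)
        profile[user] = mean + k * max(std, floor_std)
    return profile


def anomaly_detect(profile, lines):
    """Return {user: (count, threshold)} for users whose daily failed-login count
    exceeds their profile. A user with no profile cannot be judged (threshold None)."""
    alerts = {}
    for user, per_day in failed_logins_per_day(lines).items():
        for _, count in per_day.items():
            threshold = profile.get(user)
            if threshold is None:
                alerts[user] = (count, None)
            elif count > threshold:
                alerts[user] = (count, round(threshold, 2))
    return alerts


def build_training_lines():
    """Seven quiet days: alice fails one login a day, bob every other day."""
    lines = []
    for day in range(7):
        base = day * SECONDS_PER_DAY
        lines.append(f"{base + 3600} alice login_failed from=10.0.0.20")
        if day % 2 == 0:
            lines.append(f"{base + 7200} bob login_failed from=10.0.0.21")
    return lines


TRAINING_LINES = build_training_lines()
_DAY7 = 7 * SECONDS_PER_DAY
TEST_LINES = (
    [f"{_DAY7 + 100} alice login_failed from=10.0.0.20",
     f"{_DAY7 + 200} alice login_failed from=10.0.0.20"]
    + [f"{_DAY7 + 300 + i} bob login_failed from=203.0.113.7" for i in range(14)]
    + [f"{_DAY7 + 900} www-data exec /bin/sh parent=httpd",
       f"{_DAY7 + 910} dave open /etc/shadow uid=1001",
       f"{_DAY7 + 950} carol exec /tmp/.x parent=cron"]  # no signature, not a profiled feature
)

if __name__ == "__main__":
    print("misuse:", misuse_detect(TEST_LINES))
    print("anomaly:", anomaly_detect(build_profile(TRAINING_LINES), TEST_LINES))
```

Misuse detection names exactly what it found (SIG-001 for www-data, SIG-002 for dave) but says nothing about bob's 14 failed logins; anomaly detection flags bob against his profile but can only say "too many", not what kind of attack it is. carol's unknown program launched from cron is missed by both: there is no signature for it, and failed logins are the only feature the profile models, which is the "new intrusions cannot be detected" and "hard to build the model" shortcoming from the lists above.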
4 Setting up
- determine requirements
- design the topology
- configure the system
- run-in debugging
- use
Steps 3 and 4 are repeated several times to reduce false positives and false negatives
5 Deployment
Network-based IDS
- DMZ
  - Detects all attacks on the servers that provide services to users
  - Detects external attacks and firewall problems
- Extranet entrance (outside the firewall)
  - Sees all data entering and leaving the firewall's external port
  - Handles both incoming and outgoing data
  - but cannot attribute traffic to the internal address
- Intranet backbone
  - Sees network data leaving the intranet and data entering it after being filtered by the firewall
  - Knows source and destination addresses
  - Monitors the intranet, improving attack-detection efficiency
- Key subnets
  - Detects all abnormal network behavior, from inside as well as outside
  - Deploying the sensor resources is expensive
Host-based
Mainly installed on key hosts
Configured according to the spare load capacity of the server itself
Alarm strategy
How alerts are reported and which kind of alarm to use
Ensure that the management interface is physically isolated from the monitored network and does not affect other systems
Advantages and limitations
advantages
- Analyzes behavior
- Tests the security posture
- Generates data
- Helps administrators
limitations
- Can only discover; cannot repair/correct or prevent
- Heavily loaded hosts are hard to monitor
- Knowledge-based (misuse) detection finds it hard to catch employees exceeding their privileges
- Over-sensitivity (alert floods) can itself cause a denial of service
- Does not work in a purely switched environment
Honeypot technology builds a fake network and lures attackers into attacking it, so as to protect the real network