Information Security: Principles and Applications of Intrusion Detection Technology (IDS)

Intrusion detection is a core technology for network security situational awareness and supports the construction of a network information security system. An intrusion is behavior that violates the security policy of the accessed target. Intrusion detection collects information from operating systems, system programs, applications, network packets and other sources in order to discover behavior in the system that violates the security policy or endangers system security. A system with an intrusion detection function is called an intrusion detection system, or IDS for short.


Contents:

Intrusion detection overview:

(1) Intrusion detection model:

(2) Intrusion detection function:

Intrusion Detection Technology:

(1) Misuse-based intrusion detection technology:

(2) Anomaly-based intrusion detection technology:

(3) Others:

Intrusion detection system composition and classification:

(1) Intrusion detection system composition:

(2) Host-based intrusion detection system:

(3) Network-based intrusion detection system:

(4) Distributed intrusion detection system:

Main products and technical indicators of intrusion detection system:

(1) Intrusion detection related products:

(2) Intrusion detection related indicators:

Intrusion detection system applications:

(1) Intrusion detection application scenario types:

(2) Intrusion detection system deployment method:

(3) Host threat detection based on HIDS:

(4) Intranet threat detection based on NIDS:

(5) Network boundary threat detection based on NIDS:

(6) Network security situational awareness application reference:

(7) Open source network intrusion detection system:

(8) Huawei CIS network security intelligent system application:


Intrusion detection overview:

(1) Intrusion detection model:

◆ A general intrusion detection framework model, the Common Intrusion Detection Framework (CIDF), holds that an intrusion detection system consists of an event generator, an event analyzer, a response unit and an event database.


(2) Intrusion detection function:

◆ The intrusion detection system plays a role in network security similar to that of an "early warning aircraft" or a "security patrol". Its direct purpose is not to prevent intrusions from occurring, but to use detection technology to discover attempted intrusions and behavior that violates the security policy. Its function is manifested in the following aspects:

① Discover intrusion or abnormal behavior in the protected system;

② Check the effectiveness of security protection measures;

③ Analyze the threats faced by the protected system;

④ Help prevent security incidents from expanding, and raise timely alarms to trigger network security emergency response;

⑤ Provide important guidance for the formulation of network security strategies;

⑥ Alarm information can be used for cybercrime evidence collection;

◆ Intrusion detection technology is also commonly used for network security situational awareness (for which IDS is the core technology) to obtain the security status of network information systems. Network security situational awareness platforms usually aggregate alarm data from intrusion detection systems, especially alarms distributed across different security zones, and then apply comprehensive technical methods such as data correlation analysis and time series analysis to judge the network security status and the development trend of attacks.


Intrusion Detection Technology:

(1) Misuse-based intrusion detection technology:

◆ Misuse detection is usually called signature-based intrusion detection; it detects intrusion behavior based on known intrusion patterns. Attackers often exploit vulnerabilities in systems and application software to carry out attacks, and these vulnerability-based attack methods have certain characteristic patterns.
◆ Misuse detection depends on the attack pattern library. The detection capability of an IDS product using misuse detection technology depends on the size of the attack pattern library and its coverage of attack methods.

◆ The prerequisite of misuse detection is that intrusion behavior can be characterized in some way; the intrusion detection process is then essentially a pattern matching process.
   
◆ Here are some common misuse detection methods:
   
Misuse detection method based on conditional probability:
The misuse detection method based on conditional probability maps an intrusion method to an event sequence, then observes event sequences and applies Bayes' theorem to infer whether intrusion behavior is taking place.

Misuse detection method based on state transition:
The state transition method uses state diagrams to represent attack characteristics; each state describes the characteristics of the system at a certain moment. The initial state corresponds to the system state before the intrusion starts, and the compromised state corresponds to the system state at the moment the intrusion succeeds. There may be one or more intermediate states between the initial state and the compromised state. The attacker's operations cause state transitions that move the system from the initial state to the compromised state. The misuse detection method based on state transition discovers intrusion behavior by checking the system's state changes.

Misuse detection method based on keyboard monitoring:
The misuse detection method based on keyboard monitoring assumes that intrusion behavior corresponds to a specific keystroke sequence pattern; it monitors the user's keystroke pattern and matches it against intrusion patterns to detect intrusion behavior. The disadvantage of this method is that, without operating system support, it lacks a reliable way to capture user keystrokes. Additionally, multiple keystroke sequences may represent the same attack. Moreover, without keystroke semantic analysis, users can easily use aliases to fool this detection technology. Finally, this method cannot detect automated attacks by malicious programs.

Rule-based misuse detection method:
The rule-based misuse detection method expresses attack behavior or intrusion patterns as rules; anything that matches a rule is considered intrusion behavior.
① Advantages: detection is relatively simple;
② Disadvantages: detection is limited by the rule base, new attacks cannot be detected, and it is susceptible to interference;
Currently, most IDS adopt this approach.
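As an added illustration of the state transition method above (not code from the original post), the following Python models each login source as a small state machine that moves from an initial state through an intermediate state to a compromised state, using the repeated-failed-login pattern that the HIDS section later lists; the log format, thresholds and sample events are assumptions.

```python
"""State-transition misuse detection over constructed host login events.

Each source address gets its own small state machine, following the method
described above: INITIAL -> SUSPICIOUS (after FAIL_THRESHOLD failed logins
inside WINDOW_SECONDS) -> COMPROMISED (a successful login while SUSPICIOUS).
Reaching COMPROMISED raises an alert. Thresholds and log format are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field

FAIL_THRESHOLD = 3     # assumed: failures needed to leave INITIAL
WINDOW_SECONDS = 300   # assumed: older failures no longer count


@dataclass
class SourceState:
    state: str = "INITIAL"
    failures: list = field(default_factory=list)   # timestamps of recent failures


def parse_event(line):
    """Constructed log format: '<unix_ts> <src_ip> <user> FAIL|SUCCESS'."""
    ts, src, user, outcome = line.split()
    return int(ts), src, user, outcome


def step(st, ts, outcome):
    """Apply one event to a source's machine; return alert text or None."""
    st.failures = [t for t in st.failures if ts - t <= WINDOW_SECONDS]
    if outcome == "FAIL":
        st.failures.append(ts)
        if st.state == "INITIAL" and len(st.failures) >= FAIL_THRESHOLD:
            st.state = "SUSPICIOUS"          # intermediate state
        return None
    if outcome == "SUCCESS":
        if st.state == "SUSPICIOUS":
            st.state = "COMPROMISED"         # hazardous state: alert
            return "%d failed logins followed by success" % len(st.failures)
        # a success without a preceding failure burst is normal: reset
        st.state = "INITIAL"
        st.failures.clear()
    return None


def detect(lines):
    """Run every event through its source's machine; return (alerts, final states)."""
    machines = defaultdict(SourceState)
    alerts = []
    for line in lines:
        ts, src, user, outcome = parse_event(line)
        msg = step(machines[src], ts, outcome)
        if msg:
            alerts.append((ts, src, user, msg))
    return alerts, {src: m.state for src, m in machines.items()}


# Constructed sample: one normal login, one cracking pattern, one typo burst.
SAMPLE_LOG = [
    "1000 10.0.0.5 alice SUCCESS",
    "1100 10.0.0.9 root FAIL",
    "1105 10.0.0.9 root FAIL",
    "1110 10.0.0.9 root FAIL",      # third failure: SUSPICIOUS
    "1120 10.0.0.9 root FAIL",
    "1130 10.0.0.9 root SUCCESS",   # success while SUSPICIOUS: COMPROMISED
    "2000 10.0.0.7 bob FAIL",
    "2500 10.0.0.7 bob FAIL",       # first failure has aged out of the window
    "2600 10.0.0.7 bob SUCCESS",    # stays INITIAL: no alert
]

if __name__ == "__main__":
    found, states = detect(SAMPLE_LOG)
    for ts, src, user, msg in found:
        print("ALERT ts=%d src=%s user=%s: %s" % (ts, src, user, msg))
    print(states)
```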

(2) Anomaly-based intrusion detection technology:

◆ The anomaly detection method establishes a "trajectory" of the normal behavior of the system through statistical analysis of computer or network resources, defines a set of values for the system's normal conditions, and then compares the values observed while the system runs against the defined normal conditions to determine whether there are signs of attack.

◆ The premise of anomaly detection is that abnormal behavior includes intrusion behavior. Ideally, the set of abnormal behaviors is equivalent to the set of intrusion behaviors; in that case, if the IDS can detect all abnormal behaviors, it can detect all intrusion behaviors. In reality, however, the set of intrusion behaviors is usually not equivalent to the set of abnormal behaviors. In fact, four cases of behavior exist:

① The behavior is an intrusion but does not appear abnormal;

② The behavior is not an intrusion but appears abnormal;

③ The behavior is neither intrusive nor abnormal;

④ The behavior is intrusive and appears abnormal;
  
◆ The basic idea of the anomaly detection method is to construct a collection of abnormal behaviors and find intrusion behaviors among them. Anomaly detection depends on the establishment of anomaly models, and different models constitute different detection methods.

◆ The following introduces several common anomaly detection methods:

Statistics-based anomaly detection method:
The statistics-based anomaly detection method uses mathematical statistics theory and techniques to construct a characteristic profile of the normal behavior of the user or system;

Anomaly detection method based on pattern prediction:
The prerequisite of the anomaly detection method based on pattern prediction is that event sequences do not occur randomly but obey a discernible pattern; its characteristic is that it takes the interconnections between event sequences into account;

Anomaly detection method based on text classification:
The basic principle of the anomaly detection method based on text classification is to regard the system calls of a program as "words" in a document: the collection of system calls generated by a running process forms a "document". For the "documents" generated by each process, the K-nearest neighbor clustering text classification algorithm is used to analyze the similarity of the documents and find abnormal system calls, thereby detecting intrusion behavior;

Anomaly detection method based on Bayesian reasoning:
The anomaly detection method based on Bayesian reasoning measures the values of variables A1, A2, ..., An at any given moment and reasons from them to determine whether an intrusion has occurred in the system;
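As an added example of the statistics-based method above (not code from the original post), the following Python builds a normal-behavior profile per host from a baseline window and scores new observations by their deviation from it; the metric (hourly outbound bytes), thresholds and sample data are assumptions, and a flagged value is case ② above until it is confirmed as an intrusion.

```python
"""Statistics-based anomaly detection on a constructed host metric.

A normal-behaviour profile (mean and standard deviation) is built per host
from a baseline of hourly outbound byte counts; new observations are scored
by their distance from the profile in standard deviations (z-score) and
flagged when |z| exceeds Z_THRESHOLD. Metric, thresholds and data are assumed.
"""
from statistics import mean, pstdev

Z_THRESHOLD = 3.0   # assumed: roughly "three sigma"
MIN_SAMPLES = 5     # assumed: too little baseline data means no profile
SIGMA_FLOOR = 1.0   # avoids dividing by zero for a perfectly constant baseline


def build_profile(baseline):
    """baseline: {host: [hourly_bytes, ...]} -> {host: (mean, stdev)}."""
    profile = {}
    for host, samples in baseline.items():
        if len(samples) < MIN_SAMPLES:
            continue                         # cannot judge this host yet
        profile[host] = (mean(samples), max(pstdev(samples), SIGMA_FLOOR))
    return profile


def z_score(profile, host, value):
    mu, sigma = profile[host]
    return (value - mu) / sigma


def score(profile, observations):
    """observations: [(hour, host, bytes)] -> one verdict dict per observation.

    anomalous=True means "deviates from the profile", not "is an intrusion":
    this is case 2 of the four listed above until an analyst confirms it.
    """
    verdicts = []
    for hour, host, value in observations:
        if host not in profile:
            verdicts.append({"hour": hour, "host": host, "z": None,
                             "anomalous": None, "note": "no baseline"})
            continue
        z = z_score(profile, host, value)
        verdicts.append({"hour": hour, "host": host, "z": round(z, 2),
                         "anomalous": abs(z) > Z_THRESHOLD})
    return verdicts


# Constructed baseline: eight quiet hours for web01, too few samples for db01.
BASELINE = {
    "web01": [120, 130, 125, 118, 135, 128, 122, 131],
    "db01": [400, 410],
}
# Constructed observations: a normal hour, a 7x burst, and an unprofiled host.
OBSERVATIONS = [
    ("09:00", "web01", 129),
    ("03:00", "web01", 950),
    ("10:00", "db01", 500),
]

if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for v in score(prof, OBSERVATIONS):
        print(v)
```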

(3) Others:

◆ Specification-based detection methods:

The specification-based intrusion detection method lies between anomaly detection and misuse detection. Its basic principle is to use a policy description language, PE-grammars, to define in advance the secure operation execution sequences of system privileged programs. Each privileged program has a set of secure operation sequences that constitute its security tracking policy. If the operation sequence of a privileged program does not comply with the defined sequences, an intrusion alarm is issued. The advantage of this approach is that not only known attacks but also unknown attacks can be discovered.


◆ Detection methods based on biological immunity:

The detection method based on biological immunity imitates the working mechanism of the immune system of biological organisms, so that the protected system can distinguish "non-self" offensive behavior from "self" legitimate behavior.


◆ Detection method based on attack deception:

The detection method based on attack deception provides false system or vulnerability information to the intruder. If the intruder uses this information to attack the system, it can be inferred that the system is being intruded, and the security administrator can also lure the intruder further in order to trace the source of the attack.


◆ Correlation detection method based on intrusion alarm:

The correlation detection method based on intrusion alarms discovers complex attack behavior through classification and correlation analysis of raw IDS alarm events. The methods can be divided into three categories: the first performs alarm correlation based on the similarity of alarm data; the second performs alarm correlation using manually set parameters or machine learning methods; the third performs alarm correlation based on the prerequisites and results of a given attack.
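As an added example of the first category above, correlation by similarity of alarm data (not code from the original post), the following Python merges raw IDS alerts that share a source address and are close in time into incidents and escalates those spanning several signatures or targets; the alert format, thresholds and sample alerts are assumptions.

```python
"""Alarm correlation by attribute similarity over constructed IDS alerts.

Raw alerts that share a source address and fall within WINDOW seconds of
each other are merged into one incident; an incident is escalated when it
spans several distinct signatures (a multi-stage attack) or several
destinations (a sweep). Format, thresholds and sample data are assumed.
"""
from collections import defaultdict

WINDOW = 600          # assumed: seconds of silence that close an incident
MIN_SIGNATURES = 2    # assumed: distinct signatures suggesting multiple stages
MIN_TARGETS = 3       # assumed: distinct destinations suggesting a sweep


def parse_alert(line):
    """Constructed alert format: '<unix_ts> <src_ip> <dst_ip> <signature text>'."""
    ts, src, dst, sig = line.split(maxsplit=3)
    return {"ts": int(ts), "src": src, "dst": dst, "sig": sig}


def correlate(lines):
    """Group alerts by source and time proximity; return a list of incidents."""
    by_src = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        by_src[alert["src"]].append(alert)

    incidents = []
    for src, alerts in by_src.items():
        alerts.sort(key=lambda a: a["ts"])
        current = None
        for a in alerts:
            if current is None or a["ts"] - current["last"] > WINDOW:
                current = {"src": src, "first": a["ts"], "last": a["ts"],
                           "sigs": set(), "dsts": set(), "count": 0}
                incidents.append(current)
            current["last"] = a["ts"]
            current["sigs"].add(a["sig"])
            current["dsts"].add(a["dst"])
            current["count"] += 1

    for inc in incidents:
        inc["escalate"] = (len(inc["sigs"]) >= MIN_SIGNATURES
                           or len(inc["dsts"]) >= MIN_TARGETS)
    return incidents


# Constructed alerts: a sweep followed by an exploit attempt from one source,
# and two isolated low-severity alerts from another, more than an hour apart.
SAMPLE_ALERTS = [
    "100 203.0.113.7 10.0.0.1 SCAN port sweep",
    "120 203.0.113.7 10.0.0.2 SCAN port sweep",
    "140 203.0.113.7 10.0.0.3 SCAN port sweep",
    "400 203.0.113.7 10.0.0.3 EXPLOIT buffer overflow attempt",
    "5000 198.51.100.2 10.0.0.1 POLICY ICMP ping",
    "9000 198.51.100.2 10.0.0.1 POLICY ICMP ping",
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc)
```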


◆ Detection method based on sandbox dynamic analysis:

The detection method based on sandbox dynamic analysis constructs a controlled security environment for program execution, forming a safe sandbox, then monitors the running state of suspicious malicious files or programs in the sandbox to obtain dynamic information about them, and finally detects whether that information is abnormal, thereby discovering intrusion behavior.


◆ Detection methods based on big data analysis:

The detection method based on big data analysis forms a network security big data resource pool by aggregating multiple data sources such as system logs, IDS alarm logs, firewall logs, DNS logs, network threat intelligence and whole-network traffic, and then applies artificial intelligence technology, performing machine learning on the network security big data to discover intrusion behavior. Common big data analysis and detection technologies include data mining, deep learning, data association, data visualization analysis, etc.


Intrusion detection system composition and classification:

(1) Intrusion detection system composition:

◆ The intrusion detection system mainly consists of the following functional modules: data collection module, intrusion analysis engine module, emergency processing module, management configuration module and related auxiliary modules.
       

▶ Function of the data collection module: Provide analysis data for the intrusion analysis engine module, including operating system audit logs, application running logs and network data packets, etc.

▶ Function of the intrusion analysis engine module: Based on the information provided by the auxiliary module (such as attack patterns), the collected data is analyzed according to a certain algorithm to determine whether intrusion behavior exists and to generate intrusion alarms. This module is the core module of the intrusion detection system.

▶ The function of the management configuration module: provides configuration services for other modules and is the interface between modules in the IDS system and users .

▶ Functions of the emergency processing module: After an intrusion occurs, provide emergency response services, such as shutting down network services, interrupting network connections, starting backup systems, etc.

▶ Function of the auxiliary module: Assists the intrusion analysis engine module and provides it with corresponding information, such as the attack signature database, vulnerability information, etc.


(2) Host-based intrusion detection system:

◆ Host-based intrusion detection system, referred to as HIDS. HIDS collects information such as log files, system calls, application usage, system resources, network communications and user activity on the host system, analyzes whether the information contains attack characteristics or abnormalities, and uses this to determine whether the host has been intruded. Intrusion behavior causes changes in the host system, so actual HIDS products often use changes in CPU utilization, memory utilization, disk space, network port usage, the registry, file integrity, process information, system calls, etc. as a basis for identifying intrusion events.
     
◆ HIDS is generally suitable for detecting the following intrusions:
    
▶ Port or vulnerability scanning for hosts;
   
▶ Repeated failed login attempts;
   
▶ Remote password cracking;
   
▶ Adding user accounts to the host system;
   
▶ Service start or stop;
   
▶ System restart;
   
▶ File integrity or permission changes;
   
▶ Registry modification;
   
▶ Changes to important system startup files;
   
▶ Abnormal program calls;
   
▶ Denial of service attack;

◆ Advantages of host-based intrusion detection system :

▶ Can detect attacks that cannot be detected by intrusion detection systems based on the network;
   
▶ Host-based intrusion detection systems can run on networks that apply encryption systems, as long as the encrypted information is decrypted on or before arrival at the monitored host;
   
▶ Host-based intrusion detection systems can run on switched networks;

◆ Disadvantages of host-based intrusion detection systems :

▶ An information collection module must be installed and maintained on each monitored host;
    
▶ Since part of HIDS is installed on the attacked host, HIDS may be attacked and compromised by the attacker;
  
▶ HIDS occupies the system resources of the protected host system and reduces the performance of the host system;
    
▶ Cannot effectively detect network scans that target all hosts on the network;
   
▶ Inability to effectively detect and handle denial of service attacks;
   
▶ Can only use the computing resources of the host it monitors;

(3) Network-based intrusion detection system:

◆ Network-based intrusion detection system, referred to as NIDS. NIDS listens on the network, captures network data packets, and identifies intrusion behavior based on whether the packets contain attack characteristics or whether the network traffic is abnormal.

◆ NIDS usually consists of a group of single-purpose computers, mostly divided into two parts: detectors and management controllers.

▶ Detectors are distributed in different areas of the network and obtain network packets by listening (sniffing). The detectors detect attack behavior, form alarm events, send the alarm information to the management controller, and report the occurrence of intrusions.
    
▶ The management controller can monitor detectors in different network areas and receive alarm information from detectors.
   
◆ Generally speaking, NIDS can detect the following intrusions:
   
▶ SYN Flood;
   
▶ Distributed Denial of Service Attack (DDoS);
    
▶ Network scanning;
   
▶ Buffer overflow;
   
▶ Protocol attack;

▶ Traffic anomaly;
   
▶ Illegal network access;

◆ Advantages of network-based intrusion detection system:
   
▶ Proper configuration can monitor the security status of a large network;
   
▶ Installing a network-based intrusion detection system has little impact on the existing network; it is usually a passive device that only monitors the network and does not interfere with its normal operation;

▶ Network-based intrusion detection systems are well protected from attack and can even be invisible to attackers;

◆ Disadvantages of network-based intrusion detection systems:
  
▶ In high-speed networks, it is difficult for NIDS to process all network packets, so missed detections may occur;
  
▶ Switches can divide the network into many small unit VLANs, but most switches do not provide unified monitoring ports, which reduces the monitoring scope of network-based intrusion detection systems;
  
▶ If network traffic is encrypted, the detectors in NIDS cannot effectively analyze the protocols in the data packets;
   
▶ NIDS cannot infer the execution results of commands by relying only on network traffic, and therefore cannot determine whether the attack is successful;

(4) Distributed intrusion detection system:

◆ Distributed intrusion detection system based on host detection:
   
▶ Distributed intrusion detection system based on host detection, referred to as HDIDS, is divided into two parts: host detectors and an intrusion management controller.
   
▶   Host detectors are mostly installed directly on each protected host system in the form of a security agent, and are remotely controlled through the system management console in the network. This centralized control method facilitates status monitoring and management of the system and updating of the software of the detection module.

◆ Network-based distributed intrusion detection system:

▶ Network-based distributed intrusion detection system, referred to as NDIDS.

▶ The structure of NDIDS is divided into two parts: network detectors and a management controller. Network detectors are deployed in important network areas, such as the network segment where servers are located, and are used to collect network communication data and business data flows. The collected information is analyzed using two methods, anomaly detection and misuse detection; if attack or abnormal network behavior occurs, alarm information is sent to the management controller.
▶ NDIDS is generally suitable for large-scale or geographically dispersed networks. Using this structure is beneficial to realizing distributed security management of the network. Network intrusion detection systems currently on the market generally support distributed structures.

Main products and technical indicators of intrusion detection system:

(1) Intrusion detection related products:

◆ Host intrusion detection system:
   
▶ The technical principle of the product is to detect intrusion behavior based on host activity information and important files, using comprehensive technical methods such as feature matching, system file monitoring, security rule compliance inspection, file digital fingerprinting, and big data analysis.
  
◆ Network intrusion detection system:
   
▶ The technical principle of the product is to analyze network traffic data and use technical methods such as feature detection and protocol anomaly detection to discover intrusion behavior.
   
◆ Unified threat management:
  
▶ Unified threat management (UTM for short) usually integrates functional modules related to intrusion detection systems and is one of the manifestations of intrusion detection technology products.
  
▶ Unified threat management is a specialized device composed of hardware, software and network technology. The device mainly provides one or more security functions and integrates multiple security features into one hardware device to form a standard unified threat management platform.
   
◆ Advanced persistent threat detection:
   
▶ Advanced persistent threat (APT) is a sophisticated attack technique that usually embeds malicious code in Word, Excel, PPT or PDF documents or in emails to achieve more covert network attacks and evade ordinary network security inspection.

◆ Others:

▶ According to the application objects of intrusion detection, common product types include Web IDS, database IDS, industrial control IDS, etc.

(2) Intrusion detection related indicators:

◆ Reliability: The protected system must be monitored continuously. Therefore, the intrusion detection system is required to be fault-tolerant and can operate continuously.
   
◆ Availability: The operating cost of the intrusion detection system should be as small as possible, and the performance of the host computer and network system should not be affected.
   
◆ Scalability: Configuration should be easy to modify, and the system easy to install and deploy.
   
◆ Timeliness: Alarm data must be analyzed as soon as possible and the analysis results must be transmitted to the alarm console.
   

◆ Accuracy: the ability to correctly detect system intrusion activities.

◆ Security: It has the security function to protect itself and can resist attack interference.


Intrusion detection system applications:

(1) Intrusion detection application scenario types:

① Internet protection;

② Website intrusion detection and protection;

③ Blocking network attacks;

④ Host/terminal malicious code detection;

⑤ Network security monitoring, early warning and emergency response;

⑥ Network security level protection;


(2) Intrusion detection system deployment method:

The first step is to determine the objects or protected network segments to be monitored by the IDS according to the security policy requirements of the organization or company;
   
The second step is to install an IDS detector on the monitoring object or protected network segment to collect the information required for network intrusion detection;
  
The third step is to formulate corresponding detection strategies based on the security needs of the monitored objects or protected network segments;
   
The fourth step is to select the appropriate IDS structure type according to the detection strategy;
   
The fifth step is to configure intrusion detection rules on the IDS;
   
The sixth step is to test and verify whether the IDS security policy is executed normally;

The seventh step is to run and maintain the IDS.


(3) Host threat detection based on HIDS:

◆ HIDS is generally used to detect intrusions against a single host. Its main application modes are as follows:

▶ Single-machine application: In this mode, the HIDS system is installed directly on the monitored host;

▶ Distributed application: This mode requires installing a manager and multiple host detectors (sensors). The manager controls the host sensors so that the security status of multiple hosts can be monitored remotely;

(4) Intranet threat detection based on NIDS:

◆ Connect the detector of the network IDS to the broadcast hub of the intranet or to the probe port of the switch. The detector collects internal network traffic data and then monitors network activity on the internal network based on traffic analysis, thereby discovering intrusions on the internal network.

(5) Network boundary threat detection based on NIDS:

The NIDS detector is connected at the network border, collects the data packets exchanged with the internal network, and then analyzes them for intrusion behavior from outside.

(6) Network security situational awareness application reference:

◆ Network security situational awareness monitors the network security situation by aggregating IDS alarm information and system logs and then using big data analysis technology to analyze the security status of the network system.

(7) Open source network intrusion detection system:

◆ Snort is a commonly used network intrusion detection system. Its basic technical principle is to obtain network data packets, then perform intrusion detection based on security rules, and finally form alarm information.

◆ Snort rules consist of two parts, namely the rule header and the rule options.

◆ The rule header includes: the rule action, protocol, source and destination IP addresses, network masks, and source and destination port numbers.

◆ The rule options include: the alarm message, the parts of the inspected network packet to examine, and the action the rule should take.
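As an added example (not Snort's own code), the following Python splits Snort-style rules into the header and option parts just described and evaluates them against constructed packets; the supported syntax subset, the $HOME_NET / $EXTERNAL_NET bindings, the rules and the packet fields are all assumptions of the example.

```python
"""Parse Snort-style rules into header and options and match constructed packets.

Supported subset (an assumption of this example): the 7-field header with the
`->` direction, CIDR / single-IP / `any` addresses with optional `!` negation,
single ports or `any`, the $HOME_NET / $EXTERNAL_NET variables bound in VARS,
and msg / content / sid options with plain-text content (no hex escapes).
"""
import ipaddress
import re

# Assumed variable bindings, in the role a snort.conf would play.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def parse_rule(text):
    """Split one rule into (header dict, options dict)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule syntax: %r" % text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    header = {"action": action, "protocol": proto, "src": src, "sport": sport,
              "dst": dst, "dport": dport}
    options = {}
    for item in opts.split(";"):          # assumes no ';' inside quoted values
        if item.strip():
            key, _, value = item.partition(":")
            options[key.strip()] = value.strip().strip('"')
    return header, options

def addr_matches(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate

def port_matches(spec, port):
    return spec == "any" or int(spec) == port

def rule_matches(header, options, pkt):
    """Header fields first, then the content option against the payload."""
    if header["protocol"] != pkt["proto"]:
        return False
    if not (addr_matches(header["src"], pkt["src"]) and port_matches(header["sport"], pkt["sport"])
            and addr_matches(header["dst"], pkt["dst"]) and port_matches(header["dport"], pkt["dport"])):
        return False
    content = options.get("content")
    return content is None or content.encode() in pkt["payload"]

def run(rules, packets):
    """Return (sid, msg, packet_index) for every rule that fires on a packet."""
    parsed = [parse_rule(r) for r in rules]
    alerts = []
    for i, pkt in enumerate(packets):
        for header, options in parsed:
            if rule_matches(header, options, pkt):
                alerts.append((options.get("sid"), options.get("msg"), i))
    return alerts

# Constructed rules (sids in the local 1000000+ range) and constructed packets;
# the second packet comes from an internal host, so $EXTERNAL_NET excludes it.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB admin path probe"; content:"/admin/"; sid:1000001; rev:1;)',
    'alert icmp any any -> $HOME_NET any (msg:"ICMP echo to internal host"; sid:1000002; rev:1;)',
]
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.9", "sport": 51000, "dst": "192.168.1.10", "dport": 80, "payload": b"GET /admin/ HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "192.168.1.20", "sport": 51001, "dst": "192.168.1.10", "dport": 80, "payload": b"GET /admin/ HTTP/1.1\r\n"},
    {"proto": "icmp", "src": "203.0.113.9", "sport": 0, "dst": "192.168.1.10", "dport": 0, "payload": b""},
]

if __name__ == "__main__":
    for sid, msg, idx in run(RULES, PACKETS):
        print("[%s] %s (packet %d)" % (sid, msg, idx))
```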

(8) Huawei CIS network security intelligent system application:

◆ Huawei CIS (Cyber Security Intelligence System) adopts the latest big data analysis and machine learning technology to defend against APT attacks. Its technical principle is to extract key information from massive data, perform multi-dimensional risk assessment, and use big data analysis methods to correlate single-point abnormal behaviors, thereby reconstructing the APT attack chain, accurately identifying and defending against APT attacks, and avoiding the loss of core information assets.

Study books: Tutorial for Information Security Engineers.

Source: blog.csdn.net/weixin_54977781/article/details/132434134