Security Defense 4

1. What is IDS?

An intrusion detection system (IDS) is a network security device that monitors network transmissions in real time and issues alarms or takes proactive response measures when suspicious transmissions are discovered. What makes it different from other network security devices is that IDS is a proactive security protection technology.

2. What is the difference between an IDS and a firewall? 

Firewall is a passive defense against hacker attacks, aiming to protect; IDS is to proactively look for potential attackers and detect intrusions.

A firewall is a defense system set up between the protected network (local network) and the external network (mainly the Internet).

A firewall only focuses on defense: once data has passed through the firewall, no further operation is performed on it. An IDS performs real-time detection and responds when an intrusion is discovered; it patches the weaknesses of the firewall.

A firewall can permit certain internal hosts to be reached from the outside; an IDS has no such function and only monitors and analyzes user and system activity.


3. How does IDS work? 

Network-based IDS (real-time, online):
       After network traffic enters the IDS, the IDS analyzes and compares the traffic and, using known patterns and rule matching, feature (signature) detection and similar methods, determines whether the traffic resembles known attack behavior.

Host-based IDS (passive, offline):
       Host-based IDS is also known as HIDS. It runs on a single host, monitors operations and events on that host, and detects possible intrusion events by analyzing host behavior and comparing it against important data.


4. What are the detailed descriptions of the main detection methods of IDS? 

Attack detection

Intrusion detection is similar to a security patrol, focusing specifically on finding suspicious persons.

   (1) Passive, offline detection of attackers in computer network systems.

   (2) Real-time, online detection of attackers in computer network systems.

Anomaly detection

   (1) Statistical anomaly detection method:
     Establish a feature profile table for each user based on that user's activities, and judge whether the current behavior is abnormal by comparing the current features with the previously established ones. The user profile table should be continuously updated from audit records and should be described by multiple measurement indicators, whose values are derived from experience or from statistics collected over a period of time.

   (2) Feature selection anomaly detection method:
     From a set of feature values, select those that can reveal intrusion behavior to form a corresponding intrusion feature library, which is then used to predict intrusion behavior. The key is whether appropriate feature values can be selected for specific intrusion types; an ideal intrusion detection signature database therefore needs to be able to make dynamic judgments.

   (3) Bayesian network anomaly detection method:
     Compute the joint probability distribution of the random variables by specifying a small set of probabilities for adjacent nodes.

   (4) Anomaly detection method based on Bayesian inference:
     By measuring variable values at any given moment, inference determines whether an intrusion event has occurred in the system.

   (5) Anomaly detection method based on pattern prediction:
     This method assumes that the event sequence does not occur randomly but follows a certain discernible pattern. Its characteristic is that the event sequence and the interrelationships between events are taken into account; the greatest advantage of this detection method is that it only needs to focus on a small number of relevant security events.
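The statistical method in item (1) in working form, as an added example that is not part of the original post: each user gets a profile table of running mean and variance per indicator, built from constructed baseline audit records (hypothetical values), and a live event is judged abnormal when any indicator lies more than a threshold number of standard deviations from the profile.

```python
import math
from collections import defaultdict

# Constructed baseline audit records for one user over ten trusted hours
# (hypothetical values, not taken from any real audit log).
BASELINE = [
    {"user": "alice", "failed_logins": f, "bytes_out_kb": b}
    for f, b in zip([1, 0, 2, 1, 1, 0, 2, 1, 0, 1],
                    [800, 950, 1100, 900, 1000, 850, 1200, 950, 1050, 900])
]

class UserProfile:
    """Feature profile table for one user: running mean/variance per indicator (Welford's method)."""
    def __init__(self):
        self.n = defaultdict(int)
        self.mean = defaultdict(float)
        self.m2 = defaultdict(float)   # running sum of squared deviations from the mean

    def update(self, features):
        for name, value in features.items():
            self.n[name] += 1
            delta = value - self.mean[name]
            self.mean[name] += delta / self.n[name]
            self.m2[name] += delta * (value - self.mean[name])

    def zscore(self, name, value):
        """Standard deviations between the current value and the profile mean."""
        if self.n[name] < 2:
            return 0.0                 # too little history to judge this indicator
        std = math.sqrt(self.m2[name] / (self.n[name] - 1))
        if std == 0.0:
            return 0.0 if value == self.mean[name] else math.inf
        return (value - self.mean[name]) / std

def build_profiles(records):
    """Build the per-user profile tables from a trusted baseline period of audit records."""
    profiles = defaultdict(UserProfile)
    for rec in records:
        profiles[rec["user"]].update({k: v for k, v in rec.items() if k != "user"})
    return profiles

def score_event(profiles, user, features, threshold=3.0):
    """Return (is_anomalous, max_abs_z). The profile is updated only with normal events,
    so an attacker's own activity cannot slowly drag the baseline toward itself."""
    profile = profiles[user]            # unknown users get an empty profile
    max_z = max(abs(profile.zscore(k, v)) for k, v in features.items())
    anomalous = max_z > threshold
    if not anomalous:
        profile.update(features)
    return anomalous, max_z
```

The threshold and the choice of indicators are the tuning knobs: too few indicators or too short a baseline makes the profile easy to fool, which is the weakness item (1) alludes to.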

Misuse detection

Also known as feature (signature) detection or knowledge-based detection, it is one of the two basic analysis methods commonly used by an IDS: analyze known intrusion behaviors and methods, extract detection features, construct attack patterns or attack signatures, and use them to identify intrusion behavior.

   (1) Probabilistic misuse detection method based on conditions
   (2) Misuse detection method based on expert systems
   (3) Misuse detection method based on state transition analysis
   (4) Misuse detection method based on keyboard monitoring
   (5) Misuse detection method based on the model method


5. What are the deployment methods of IDS? 

    Network border deployment: the IDS is deployed at the network border to monitor and intercept attack traffic. This method suits network environments that expose services to the outside world, such as Web servers. The advantage is that attacks can be detected and blocked before they enter the internal network; the disadvantage is that attacks originating inside the internal network cannot be detected.
    Internal traffic deployment: all network traffic is forwarded to the IDS device through mirror ports or TAP ports for detection and monitoring. This method can detect all unauthorized activities, insider attacks, and various kinds of information leakage in the network.
    Distributed deployment: the IDS is installed in multiple locations, each monitoring the network traffic related to its location. This method improves the security and reliability of the entire network, but the disadvantage is that maintenance cost is high.
    Hybrid deployment: the IDS is deployed together with other security devices (such as firewalls, IPS, etc.) so that they play a synergistic role in protecting network security.
    Host internal deployment: also known as HIDS (Host Intrusion Detection System); deployed on the host that needs to be protected, it can detect and defend against various abnormal behaviors on that host.


6. What does the IDS signature mean? What does the signature filter do? What is the function of exception signature configuration?

 (1) IDS signature: Intrusion prevention signatures are used to describe the characteristics of attack behaviors that exist on the network; attacks are detected and prevented by comparing data flows with intrusion prevention signatures.

 (2) The role of the signature filter: A signature filter is a collection of several signatures. Based on specific conditions such as severity, protocol, threat type, etc., the signatures in the IPS signature database that are applicable to the current business are filtered into the signature filter. Later, you can focus on the defensive effects of these signatures. Normally, for these filtered signatures, the default action of the signature itself will be used in the signature filter. In special cases, we can also set new actions for these signatures in the signature filter, which is very convenient.

 (3) Exception signature

Since the signature filter filters out signatures in batches, it is usually set to a unified action for the convenience of management. If the administrator needs to set certain signatures to actions different from those of filters, they can introduce these signatures into exception signatures and configure the actions separately.

The function of exception signatures is to allow more detailed traffic release and precise control.

The actions of the exception signature are divided into:

     Block: Discard the packets that match the signature and record a log.

     Alarm: The packets that match the signature are allowed, but a log is recorded.

     Release: The packets that match the signature are released and no log is recorded.

     Add to blacklist: Discard the packets that match the signature, block the data flow the packets belong to, record a log, and add the source address or destination address of the packet to the blacklist.
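The signature, filter and exception-signature relationship from this section, and the rule matching of section 3, as an added example that is not part of the original post: a constructed signature database (hypothetical IDs and regex patterns, not a vendor's), a filter that batch-selects signatures by protocol and severity and may apply one filter-wide action, and exception signatures that override the filter for individual IDs; the four actions above decide whether a packet is dropped, logged, or its source blacklisted.

```python
import re
from dataclasses import dataclass, field

BLOCK, ALARM, RELEASE, BLACKLIST = "block", "alarm", "release", "blacklist"
LOGGED = {BLOCK, ALARM, BLACKLIST}          # release is the only action that writes no log
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

@dataclass
class Signature:
    sig_id: int
    name: str
    protocol: str
    severity: str
    pattern: str            # regex applied to the packet payload
    default_action: str

# Constructed signature database: hypothetical IDs and patterns for illustration only.
SIGNATURE_DB = [
    Signature(1001, "HTTP directory traversal attempt", "http", "high", r"\.\./\.\./", BLOCK),
    Signature(1002, "HTTP known scanner user-agent", "http", "low", r"User-Agent: (?:sqlmap|nikto)", ALARM),
    Signature(2001, "DNS oversized TXT query", "dns", "medium", r"TXT\s+[A-Za-z0-9]{60,}", ALARM),
]

@dataclass
class SignatureFilter:
    """Batch-selects signatures by condition. action_override replaces every selected
    signature's default action; exceptions override the filter for single signature IDs."""
    protocols: set
    min_severity: str
    action_override: str = ""
    exceptions: dict = field(default_factory=dict)   # sig_id -> action

    def select(self, db):
        return [s for s in db
                if s.protocol in self.protocols
                and SEVERITY_RANK[s.severity] >= SEVERITY_RANK[self.min_severity]]

    def action_for(self, sig):
        return self.exceptions.get(sig.sig_id, self.action_override or sig.default_action)

def inspect(packet, db, flt, blacklist):
    """Match one packet against the filtered signatures; return (sig_id, action, logged).
    Signatures the filter did not select are never consulted, so traffic they cover is released."""
    for sig in flt.select(db):
        if sig.protocol == packet["protocol"] and re.search(sig.pattern, packet["payload"]):
            action = flt.action_for(sig)
            if action == BLACKLIST:
                blacklist.add(packet["src"])   # later packets from this source are dropped outright
            return sig.sig_id, action, action in LOGGED
    return None, RELEASE, False
```

Note that a filter with a high minimum severity silently releases everything matched only by lower-severity signatures, which is why the exception list exists: it lets one signature keep a stricter action without widening the whole filter.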

Origin blog.csdn.net/m0_66185683/article/details/132111905