How to build an IDS (Intrusion Detection System)

Generally speaking, when an enterprise or organization enters this field, it often chooses to start with a network-based IDS, because there is plenty of open-source code and material on the Internet, such a system is relatively easy to implement, and a network-based IDS adapts well to different environments. With the experience of developing a simple network IDS, moving on to host-based IDS, distributed IDS, intelligent IDS and so on becomes much easier. Here the author takes a network-based IDS as the example to introduce a typical IDS development approach.

According to the CIDF specification, we divide the intrusion detection system functionally into four basic parts: the data acquisition subsystem, the data analysis subsystem, the console subsystem, and the database management subsystem, as shown in the attached figure.

Specifically, the data acquisition subsystem (also known as the detector) and the data analysis subsystem are generally implemented on a Linux or Unix platform, which we call the data acquisition and analysis center; the console subsystem is implemented on Windows NT or 2000, and the database management subsystem is based on Access or a more powerful database and is usually combined with the console subsystem, which together we call the control management center. This article takes the Linux and Windows NT platforms as examples to introduce the implementation of the data collection and analysis center and the control management center.

You can build a basic intrusion detection system by following the steps below.

 

Step 1: Obtain libpcap and tcpdump

The audit trail is the data source of the IDS, and the data collection mechanism is the foundation on which the IDS is built. Without it, as the saying goes, even the cleverest cook cannot make a meal without rice, and intrusion detection is out of the question.

The data collection subsystem sits at the bottom of the IDS; its main purpose is to obtain events from the network environment and provide those events to the other parts. The most common approach at present is to use libpcap and tcpdump to put the network card into "promiscuous" mode and capture all traffic on a given network segment.

libpcap is the essential tool on Unix or Linux for capturing network packets from the kernel. It is a system-independent API that provides a portable framework for low-level network monitoring, and it can be used for network statistics collection, security monitoring, network debugging and other applications.

tcpdump is a tool for network monitoring and is probably the best-known sniffer on Unix. Its implementation is based on the libpcap interface. It selects packets with Boolean filter expressions and prints their headers, and it performs functions such as filtering and conversion, packet acquisition, and packet display. tcpdump can help us describe the normal behavior of the system and ultimately identify abnormal behavior. Of course, it is only useful for collecting information about the traffic on a given network segment (traffic types, connections, etc.); analyzing that network activity and judging whether it is benign is the job of programmers and administrators.

  libpcap and tcpdump are widely circulated on the Internet, and developers can download them from relevant websites.

 

Step 2: Build and configure the detector to implement the data collection function


1. Choose the appropriate software and hardware according to the specific conditions of your network. If your network traffic is small, you can install Linux on an ordinary PC. If the monitored network traffic is very heavy, you need a machine with higher performance.

2. Create a log partition on the Linux server for storing the collected data.

3. Build the libpcap library. The compressed package libpcap.tar.z is usually downloaded from the Internet, so first unzip and unpack it, then run the configure script to generate a Makefile suitable for your system, and then run make to build the libpcap library. After libpcap is installed, the libpcap library, three include files and a man page (i.e. the user manual) are generated.

4. Build tcpdump. As with libpcap, first decompress and unpack the package into the same parent directory as libpcap, then configure and install tcpdump.

If the configuration, build, installation and other operations all succeed, the system is now able to collect network data streams. For how to use libpcap and tcpdump, refer to the relevant user manuals.
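As an added example (not code from the original article), the following Python reads a libpcap savefile of the kind `tcpdump -w` produces and turns each packet into an event record, which is the interface the detector has to provide to the other subsystems. It assumes the Ethernet link type (DLT 1) and decodes only IPv4 carrying TCP or UDP; the two-packet sample capture is constructed inside the code so that it runs without a network card or root privileges.

```python
"""Parse a libpcap savefile (the format `tcpdump -w` writes) into event records.

Added example, not code from the original article.  Assumptions: the detector
saves traffic with `tcpdump -w`, the link type is Ethernet, and only IPv4 with
TCP or UDP needs to be decoded; everything else is reported as "other"."""
import struct

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap magic number
ETH_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def tcp_flags(byte: int) -> str:
    """Render the low six bits of the TCP flags byte as e.g. 'SYN|ACK'."""
    names = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]
    return "|".join(n for i, n in enumerate(names) if byte & (1 << i)) or "-"


def decode_ethernet(pkt: bytes, ts: float) -> dict:
    """Decode Ethernet/IPv4/TCP|UDP headers into a flat event dict."""
    event = {"ts": ts, "proto": "other", "len": len(pkt)}
    if len(pkt) < 14 or struct.unpack_from("!H", pkt, 12)[0] != ETH_IPV4:
        return event
    ip = pkt[14:]
    if len(ip) < 20:
        return event                      # truncated by a short snaplen
    ihl = (ip[0] & 0x0F) * 4              # IPv4 header length in bytes
    proto = ip[9]
    event["src"] = ".".join(str(b) for b in ip[12:16])
    event["dst"] = ".".join(str(b) for b in ip[16:20])
    l4 = ip[ihl:]
    if proto == PROTO_TCP and len(l4) >= 20:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        event.update(proto="tcp", sport=sport, dport=dport, flags=tcp_flags(l4[13]))
    elif proto == PROTO_UDP and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4, 0)
        event.update(proto="udp", sport=sport, dport=dport)
    else:
        event["proto"] = f"ip/{proto}"
    return event


def parse_pcap(data: bytes) -> list:
    """Walk the global header and packet records of a pcap savefile."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:             # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap savefile")
    # global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    _m, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from(endian + "IHHiIII", data, 0)
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}, expected Ethernet")
    events, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        pkt = data[off:off + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated packet record")
        off += incl_len
        events.append(decode_ethernet(pkt, ts_sec + ts_usec / 1e6))
    return events


def build_sample_pcap() -> bytes:
    """Constructed two-packet capture: a TCP SYN to port 22 and a DNS query."""
    def eth(payload):
        return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETH_IPV4) + payload

    def ipv4(src, dst, proto, payload):
        # header checksum left as zero: this parser does not verify it
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                           bytes(int(x) for x in src.split(".")),
                           bytes(int(x) for x in dst.split("."))) + payload

    syn = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    dns = struct.pack("!HHHH", 53000, 53, 8, 0)
    pkts = [eth(ipv4("10.0.0.5", "10.0.0.1", PROTO_TCP, syn)),
            eth(ipv4("10.0.0.5", "10.0.0.53", PROTO_UDP, dns))]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # 1 = Ethernet
    for i, p in enumerate(pkts):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(p), len(p)) + p
    return out


if __name__ == "__main__":
    for ev in parse_pcap(build_sample_pcap()):
        print(ev)
```

Run `tcpdump -i eth0 -w capture.pcap` on the detector and feed the file to `parse_pcap`; the event dicts are what the analysis module consumes, so the capture layer and the rule engine can be developed and tested separately.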

 

Step 3: Establish the data analysis module


There are some open-source data analysis packages on the Internet that make building a data analysis module more convenient, but these "free lunches" generally have significant limitations. Developing a truly powerful and practical IDS usually requires developers to design the data analysis module themselves, and this is often the core of the entire IDS.

The data analysis module is the brain of the IDS and must have a high degree of "intelligence" and "judgment". Therefore, before designing this module, developers need a clear and thorough understanding of the various network protocols, system vulnerabilities, attack methods, suspicious behaviors and so on. From that they formulate the corresponding security rule base and security policies, then establish a misuse detection model and an anomaly detection model that let the machine reproduce the analyst's own reasoning, identify attacks and abnormal behavior with known characteristics, and finally turn the analysis results into an alarm message that is sent to the control management center.

The workload of designing the data analysis module is huge, and considering that attack techniques keep evolving (as the saying goes, "as virtue rises one foot, vice rises ten"), this is destined to be an endless process of updating, upgrading and improvement. Three issues deserve special attention: ① the detection models and algorithms should be optimized to ensure the execution efficiency of the system; ② the security rules should be formulated with inclusiveness and extensibility in mind to improve the scalability of the system; ③ alarm messages should follow a specific standard format to enhance sharing and interoperability, rather than the non-standard practice of each developer inventing an arbitrary message format.
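The following Python is an added example, not code from the original article, showing the two detection models the text describes side by side: a misuse detection model that matches events against a small rule base, and an anomaly detection model that flags a source whose SYN rate in a sliding window exceeds a multiple of a supplied baseline. Both models emit alarms through one `make_alarm` function so that every message carries the same fixed fields. The event shape, rule format, alarm schema and sample events are all this example's own assumptions, and the baseline is given rather than learned.

```python
"""Misuse detection (rule base) and anomaly detection (SYN-rate model) over
capture events, producing alarms in one fixed schema.

Added example, not code from the original article.  Event records are assumed
to carry ts, src, dst, proto, dport and flags; the rule format and the alarm
schema are this example's own."""
from collections import defaultdict
import json

# Rule base for misuse detection: every field in "match" must equal the
# event's field for the rule to fire.  Constructed for illustration.
RULES = [
    {"id": 1001, "match": {"proto": "tcp", "dport": 23, "flags": "SYN"},
     "severity": "medium", "msg": "telnet connection attempt"},
    {"id": 1002, "match": {"proto": "udp", "dport": 69},
     "severity": "low", "msg": "TFTP request"},
]


def make_alarm(event: dict, sig_id: int, severity: str, msg: str) -> dict:
    """Fixed alarm schema so the console parses every message the same way."""
    return {"version": 1, "ts": event["ts"], "sig_id": sig_id, "severity": severity,
            "src": event.get("src"), "dst": event.get("dst"), "proto": event.get("proto"),
            "dport": event.get("dport"), "msg": msg}


def misuse_detect(event: dict, rules=RULES) -> list:
    """Return one alarm for each rule whose match fields all equal the event's."""
    return [make_alarm(event, r["id"], r["severity"], r["msg"])
            for r in rules
            if all(event.get(k) == v for k, v in r["match"].items())]


class SynRateModel:
    """Anomaly model: count SYNs per source in a sliding window and alarm once
    the count exceeds factor * baseline.  Alarms once per source so a burst
    does not flood the console."""

    def __init__(self, baseline_per_window: float, window_s: float = 10.0, factor: float = 4.0):
        self.threshold = baseline_per_window * factor
        self.window_s = window_s
        self.history = defaultdict(list)   # src -> timestamps of recent SYNs
        self.alarmed = set()

    def observe(self, event: dict):
        if event.get("proto") != "tcp" or event.get("flags") != "SYN":
            return None
        src, ts = event["src"], event["ts"]
        hist = self.history[src]
        hist.append(ts)
        while hist and ts - hist[0] > self.window_s:   # expire old entries
            hist.pop(0)
        if len(hist) > self.threshold and src not in self.alarmed:
            self.alarmed.add(src)
            return make_alarm(event, 2001, "high",
                              f"SYN rate {len(hist)}/{self.window_s:.0f}s exceeds threshold {self.threshold:.0f}")
        return None


def analyze(events: list, baseline: float = 2.0) -> list:
    """Run both models over events in time order and collect their alarms."""
    model = SynRateModel(baseline)
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alarms.extend(misuse_detect(ev))
        anomaly = model.observe(ev)
        if anomaly:
            alarms.append(anomaly)
    return alarms


def _ev(ts, src, dport, proto="tcp", flags="SYN"):
    return {"ts": ts, "src": src, "dst": "192.0.2.10", "proto": proto, "dport": dport, "flags": flags}


# Constructed sample: one telnet SYN, a 12-packet scan-like burst, one TFTP request.
SAMPLE_EVENTS = ([_ev(100.0, "198.51.100.7", 23)]
                 + [_ev(100.0 + i * 0.1, "203.0.113.9", 1000 + i) for i in range(12)]
                 + [_ev(105.0, "198.51.100.8", 69, proto="udp", flags=None)])

if __name__ == "__main__":
    for alarm in analyze(SAMPLE_EVENTS):
        print(json.dumps(alarm))
```

With a baseline of two SYNs per ten-second window the threshold is eight, so the burst source is reported once, at its ninth SYN, while the two rule hits are reported as they occur. Keeping the rule conditions as data rather than code is what makes the rule base extensible without touching the engine, which is the point raised under ② above.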

 

Step 4: Build the console subsystem


The console subsystem is responsible for reporting network violations to the network administrator, who then takes action against malicious behavior (such as blocking, tracking, etc.). Since Linux and Unix platforms lag far behind the commonly used Windows products in supporting graphical interfaces, the author recommends implementing the console subsystem on the Windows platform family so that the IDS is a universal and easy-to-use system.

The console subsystem has two main tasks: ① manage the data collection and analysis center and display the alarm messages it sends in a friendly, easily queried form; ② carry out a series of response actions according to the security policy to stop illegal activity and keep the network secure.

  The design focus of the console subsystem is: alarm information query, detector management, rule management and user management.

1. Alarm information query: Network administrators can query using single or compound conditions. When alarms are numerous and come from many sources, the system needs to classify them by risk level so that the information the administrator most needs stands out.

  2. Detector management: The console can manage multiple detectors at one time (including starting, stopping, configuring, viewing running status, etc.), query the security status of each network segment, and formulate corresponding security rules for different situations.

3. Rule base management: Provide users with a tool to configure security policies flexibly according to the specific conditions of different network segments, for example applying one rule set to multiple detectors, or supplying default security rules.

  4. User management: Strictly define user rights, provide password modification, add users, delete users, user rights configuration and other functions, effectively protect the security of system use.

 

Step 5: Build the database management subsystem


  A good intrusion detection system should not only provide administrators with real-time and rich alarm information, but also record field data in detail, so as to reconstruct certain network events when forensics is needed in the future.

The front-end program of the database management subsystem is usually integrated with the console subsystem and uses Access or another database to store alarm information and other data. This module has two sources of data: ① alarm information and other important information sent by the data analysis subsystem; ② data the administrator produces by processing the results of conditional queries, such as generated local files and formatted reports.
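As an added example serving both the console's alarm query function (Step 4, item 1) and the alarm store described in this step, the following Python keeps alarms in a database and answers single or compound condition queries ordered by risk level. It is not code from the original article: the article leaves the database choice open (Access or another database), so this example uses the standard library's sqlite3 module to run stand-alone, and its table layout, severity ranking and sample alarms are its own assumptions. The query builder accepts only a fixed set of columns and binds every value as a parameter, which is the check a console front end needs so that a query typed by an operator cannot alter the SQL.

```python
"""Alarm store and condition-query front end for the console/database subsystem.

Added example, not code from the original article.  Uses sqlite3 from the
standard library as a stand-in for the article's Access database; the table
layout and severity ranking are this example's own assumptions."""
import sqlite3

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

SCHEMA = """
CREATE TABLE alarms (
    id       INTEGER PRIMARY KEY,
    ts       REAL    NOT NULL,
    detector TEXT    NOT NULL,   -- which sensor reported the alarm
    sig_id   INTEGER NOT NULL,
    severity INTEGER NOT NULL,   -- numeric rank so ORDER BY sorts by risk
    src      TEXT, dst TEXT, dport INTEGER,
    msg      TEXT    NOT NULL
);
CREATE INDEX alarms_ts ON alarms(ts);
"""

# Columns an operator may filter on; anything else is rejected so the query
# cannot be steered to other columns or tables.
QUERYABLE = {"detector", "sig_id", "severity", "src", "dst", "dport"}


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")   # a file path would persist the data
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    return conn


def store_alarm(conn: sqlite3.Connection, alarm: dict) -> None:
    """Persist one alarm as delivered by the analysis subsystem."""
    conn.execute(
        "INSERT INTO alarms (ts, detector, sig_id, severity, src, dst, dport, msg) "
        "VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        (alarm["ts"], alarm["detector"], alarm["sig_id"], SEVERITY_RANK[alarm["severity"]],
         alarm.get("src"), alarm.get("dst"), alarm.get("dport"), alarm["msg"]))


def query_alarms(conn: sqlite3.Connection, conditions: dict, since: float = None, limit: int = 100) -> list:
    """Single or compound (ANDed) condition query, highest risk first, newest first.
    Column names are whitelisted and values are always bound, never pasted into SQL."""
    clauses, params = [], []
    for col, val in conditions.items():
        if col not in QUERYABLE:
            raise ValueError(f"column not queryable: {col!r}")
        if col == "severity":
            val = SEVERITY_RANK[val]
        clauses.append(f"{col} = ?")
        params.append(val)
    if since is not None:
        clauses.append("ts >= ?")
        params.append(since)
    where = ("WHERE " + " AND ".join(clauses)) if clauses else ""
    sql = f"SELECT * FROM alarms {where} ORDER BY severity DESC, ts DESC LIMIT ?"
    params.append(limit)
    return [dict(row) for row in conn.execute(sql, params)]


def count_by_severity(conn: sqlite3.Connection) -> dict:
    """Summary the console can show so the highest-risk items stand out."""
    rank_to_name = {v: k for k, v in SEVERITY_RANK.items()}
    rows = conn.execute("SELECT severity, COUNT(*) AS n FROM alarms GROUP BY severity")
    return {rank_to_name[r["severity"]]: r["n"] for r in rows}


SAMPLE_ALARMS = [   # constructed alarms from two detectors
    {"ts": 100.0, "detector": "sensor-a", "sig_id": 1001, "severity": "medium",
     "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 23, "msg": "telnet connection attempt"},
    {"ts": 100.8, "detector": "sensor-a", "sig_id": 2001, "severity": "high",
     "src": "203.0.113.9", "dst": "192.0.2.10", "dport": 1008, "msg": "SYN rate exceeds threshold"},
    {"ts": 105.0, "detector": "sensor-b", "sig_id": 1002, "severity": "low",
     "src": "198.51.100.8", "dst": "192.0.2.10", "dport": 69, "msg": "TFTP request"},
    {"ts": 110.0, "detector": "sensor-b", "sig_id": 2001, "severity": "high",
     "src": "203.0.113.9", "dst": "192.0.2.11", "dport": 443, "msg": "SYN rate exceeds threshold"},
]


def demo() -> sqlite3.Connection:
    conn = open_store()
    for alarm in SAMPLE_ALARMS:
        store_alarm(conn, alarm)
    return conn


if __name__ == "__main__":
    db = demo()
    print(count_by_severity(db))
    for row in query_alarms(db, {"src": "203.0.113.9"}):
        print(row["ts"], row["detector"], row["msg"])
```

The same store also supports the event reconstruction mentioned under joint debugging: because every alarm keeps its timestamp, source, destination and reporting detector, a `since` bound plus a source condition returns the ordered trail of what one host did across all sensors.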

 

Step 6: Joint debugging; a basic IDS is built


After completing the steps above, the most basic framework of an IDS has been implemented. But for this IDS to run smoothly, the various parts must communicate and interact securely and reliably, and that is the problem joint debugging has to solve.

First of all, communication between the data acquisition and analysis center and the control management center must be implemented, and it is two-way: the control management center displays and organizes the analysis results and other information sent by the data collection and analysis center, while the data collection and analysis center receives configuration, management and other commands from the control management center. Take care to secure the communication between the two; it is best to encrypt the data stream so that it cannot be eavesdropped on or tampered with. At the same time, there is a great deal of interaction between the console subsystem and the database subsystem of the control management center, such as alarm queries and network event reconstruction.

  After the joint debugging is passed, a basic IDS is built. The next thing to do is to continuously improve the functions of various parts, especially to improve the detection ability of the system.

Origin blog.csdn.net/ensp1/article/details/102683784