About the development of IDS Virtualization


I. Why is IDS virtualized?
An Intrusion Detection System (IDS) is an analysis tool for detecting intrusions. Early systems monitored and analyzed system logs (host IDS); later systems monitored mirrored network traffic directly (network IDS), because logs are easily erased by an attacker. As the attack-and-defense game between the two sides has gone on, IDS development has run into two technical bottlenecks. First, because attackers' evasion techniques keep improving, their "traces" are ever harder to find. The most common approach, "feature recognition" (signature matching), requires building a "fingerprint database" of attacker signatures. Over time that database grows larger and larger and comparison takes longer, so online monitoring equipment can only compare the most commonly used signatures and ignores the "uncommon" ones; intruders slipping through the net is a common problem. Second, detection accuracy: because detection is a single point of analysis with no cross-engine correlation, and because the information available is insufficient, a large number of suspected "security events" are generated and must be handled manually by security maintenance staff. Deep analysis and intelligent correlation of multiple clues are therefore required; reducing the number of suspected events is an inevitable direction for IDS development.
To solve these two difficulties, the processing capability of the IDS must be greatly increased. Multi-core CPUs are one way, but as network bandwidth keeps growing, the gain from adding cores is limited. So people turned to virtualization: if multiple ordinary PC servers can be virtualized into one large logical server with the capabilities of a giant computer, why can't multiple IDS be turned into one giant IDS?
Of course, another driver of the transformation of IDS is the rise of cloud computing. The cloud service model brings together the businesses of many different users, and the legal owner of one business may be an intruder into another, so the IDS must monitor according to each user's needs. Business boundaries are blurred; users need IDS and want to use it on demand.
In short, in cloud computing, users' services "run" on virtual machines and no longer correspond to specific servers or storage devices. Traffic between virtual machines no longer has to pass through network devices, so a network IDS cannot find a place from which to monitor.
 
II. How to virtualize IDS
The goal of virtualization is to use IDS like "tap water", that is, to adjust IDS processing capability dynamically according to user traffic. One way is to turn the IDS into a callable program (software only) and embed it in the user's virtual machine, where it runs on the user's operating system like anti-virus software. This method consumes virtual machine resources and can be "penetrated" or "uninstalled" by an intruder. The other method is to process user traffic by directing it to the IDS; this is what we call the virtual IDS resource pool.

The virtual IDS resource pool approach involves two steps:
1. Many-to-one, also called "hard virtualized as soft": multiple physical IDS (from different manufacturers and of different models) are virtualized into one IDS resource pool (or IDS group). The IDS resources in the pool are scheduled by the IDS group controller. The group controller, generally deployed in hot-standby mode, manages the IDS resource pool, schedules and allocates user traffic to the physical IDS in the background, and performs load balancing;
Physical IDS are connected through high-performance switches so that they can be dynamically added or detached. The IDS group controller checks their "alive" status and decides whether to allocate services to them for processing.
2. One-to-many: the IDS virtualization portal allocates a virtual IDS (virtual IPS) to each user according to the user's traffic and security requirements, and assigns a user label to the user's traffic. Within the virtual IDS system this label is the unique identifier of the user's traffic;
Because user data packets carry the user tag, the IDS group controller only has to allocate the user's traffic and check the status of the corresponding physical IDS. Subsequent packets go directly to the physical IDS without passing through the controller, so the controller carries only the control flow, not the sum of the business flows, and its load is small;
When one user's traffic is allocated to several physical IDS for processing, we recommend a time-segment segmentation algorithm, so that malicious code transmitted across segments can be completely reassembled in the IDS buffer.
User tags are also attached to the virtual IDS's detection results, which are sent to the security monitoring platform for tracking and handling.
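The two steps above, as an added example that is not the blog's own code: a toy Python model of the virtual IDS resource pool. A group controller keeps a registry of physical IDS engines, checks their "alive" status, and assigns each user tag to one engine with the fewest users. Only a user's first packet goes through the controller; later packets carry the tag and are dispatched straight to the engine. Each engine keeps a per-tag reassembly buffer so that a signature split across two time segments is still matched, and every alert carries the user tag for the monitoring platform. The engine names, the two-entry signature database and the traffic are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample "fingerprint database" (two signatures only).
SIGNATURES = {
    "sig-001": b"/etc/passwd",
    "sig-002": b"UNION SELECT",
}


@dataclass
class PhysicalIDS:
    name: str
    alive: bool = True
    # per-user-tag reassembly buffer (the "IDS buffer" of the text)
    buffers: Dict[str, bytes] = field(default_factory=lambda: defaultdict(bytes))

    def inspect(self, tag: str, segment: bytes) -> List[dict]:
        """Append the segment to the user's buffer, match signatures on the
        reassembled stream, and label every alert with the user tag."""
        self.buffers[tag] += segment
        stream = self.buffers[tag]
        alerts = [{"tag": tag, "engine": self.name, "signature": sig_id}
                  for sig_id, pattern in SIGNATURES.items() if pattern in stream]
        # After a hit, drop the buffer; otherwise keep only the tail that could
        # still complete a signature when the next segment arrives.
        keep = max(len(p) for p in SIGNATURES.values()) - 1
        self.buffers[tag] = b"" if alerts else stream[-keep:]
        return alerts


class GroupController:
    """Control plane only: assigns tags to alive engines (least-loaded first)."""

    def __init__(self, pool: List[PhysicalIDS]):
        self.pool = pool
        self.assignment: Dict[str, PhysicalIDS] = {}

    def alive_engines(self) -> List[PhysicalIDS]:
        return [e for e in self.pool if e.alive]

    def assign(self, tag: str) -> Optional[PhysicalIDS]:
        candidates = self.alive_engines()
        if not candidates:
            return None
        load: Dict[str, int] = defaultdict(int)
        for eng in self.assignment.values():
            load[eng.name] += 1
        chosen = min(candidates, key=lambda e: load[e.name])
        self.assignment[tag] = chosen
        return chosen


class VirtualIDSDataPlane:
    """Forwards tagged packets; asks the controller only for unknown or dead engines."""

    def __init__(self, controller: GroupController):
        self.controller = controller
        self.control_packets = 0  # packets that had to touch the controller

    def handle(self, tag: str, payload: bytes) -> List[dict]:
        engine = self.controller.assignment.get(tag)
        if engine is None or not engine.alive:
            self.control_packets += 1
            engine = self.controller.assign(tag)
            if engine is None:
                return [{"tag": tag, "engine": None, "signature": "no-engine-available"}]
        return engine.inspect(tag, payload)


def run_pool_demo() -> dict:
    pool = [PhysicalIDS("ids-A"), PhysicalIDS("ids-B")]
    ctl = GroupController(pool)
    plane = VirtualIDSDataPlane(ctl)
    alerts: List[dict] = []
    # Constructed traffic: user "u1" sends a request whose payload is split across
    # two time segments, so the "/etc/passwd" signature straddles the boundary.
    alerts += plane.handle("u1", b"GET /files?name=../../etc/pa")
    alerts += plane.handle("u1", b"sswd HTTP/1.1\r\n")
    alerts += plane.handle("u2", b"GET /index.html HTTP/1.1\r\n")
    return {
        "alerts": alerts,
        "control_packets": plane.control_packets,
        "engines": {tag: e.name for tag, e in ctl.assignment.items()},
    }


if __name__ == "__main__":
    print(run_pool_demo())
```

The data plane counts only two controller touches for three packets (one per new user tag), which is the "control flow only" property the text claims for the controller; the straddling signature is still caught because the engine buffers the tail of the previous segment.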
 
Behavior detection virtual IDS:
To fit the behavior-matching mode of IDS and track a hacker's "slow attack" behavior, we created a behavior-detection virtual IDS with strong processing capability that tracks, over a long period, user behaviors that match specific attack rules. Because slow attacks require long-term recording of user behavior, this very large virtual IDS needs a large cache.
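A minimal behavior-detection engine of the kind described above, added here as an example and not taken from the blog: instead of matching one packet against a signature, it keeps a long-lived per-user-tag record of behaviour and fires when a rule's threshold is reached inside a long time window. The rule (ten distinct destination ports from one source within 24 hours), the event stream and the IP addresses are constructed; memory is bounded by expiring events older than the window, which is the "large cache" cost the text mentions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class SlowScanRule:
    name: str
    window_seconds: int   # how long behaviour is remembered
    distinct_ports: int   # threshold of distinct destination ports in the window


class BehaviorIDS:
    def __init__(self, rule: SlowScanRule):
        self.rule = rule
        # (user_tag, source_ip) -> events (timestamp, dst_port), oldest first
        self.history: Dict[Tuple[str, str], Deque[Tuple[float, int]]] = defaultdict(deque)
        self.reported: Set[Tuple[str, str]] = set()

    def observe(self, tag: str, ts: float, src: str, dst_port: int) -> List[dict]:
        key = (tag, src)
        q = self.history[key]
        q.append((ts, dst_port))
        # Expire events that fell out of the window; this bounds the cache.
        cutoff = ts - self.rule.window_seconds
        while q and q[0][0] < cutoff:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= self.rule.distinct_ports and key not in self.reported:
            self.reported.add(key)   # report each (tag, source) once
            return [{"tag": tag, "rule": self.rule.name, "source": src,
                     "distinct_ports": len(ports),
                     "first_seen": q[0][0], "last_seen": ts}]
        return []

    def cache_size(self) -> int:
        return sum(len(q) for q in self.history.values())


def run_behavior_demo() -> dict:
    rule = SlowScanRule("slow-port-scan", window_seconds=24 * 3600, distinct_ports=10)
    ids = BehaviorIDS(rule)
    alerts: List[dict] = []
    hour = 3600
    # Constructed: 10.0.0.5 probes one new port every two hours for 20 hours.
    for i in range(10):
        alerts += ids.observe("u1", i * 2 * hour, "10.0.0.5", 1000 + i)
    # Constructed: 10.0.0.9 hits the same port repeatedly (benign, one port).
    for i in range(50):
        alerts += ids.observe("u2", i * 60, "10.0.0.9", 443)
    # Constructed: 10.0.0.7 probes one port every four hours; events age out of
    # the 24 h window before ten distinct ports accumulate, so no alert fires.
    for i in range(10):
        alerts += ids.observe("u3", i * 4 * hour, "10.0.0.7", 2000 + i)
    return {"alerts": alerts, "cache_size": ids.cache_size()}


if __name__ == "__main__":
    print(run_behavior_demo())
```

The third source shows the trade-off the text points at: a longer window catches slower scans but keeps more events per source in the cache, so window length is what sizes the "large cache" of the behavior-detection virtual IDS.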
 
III. Structure design of IDS virtualization

In this structure design, the IDS virtualization management platform is the core. Its front part supports the user-facing virtual IDS service, and its back part handles the dynamic allocation of IDS processing capability.
Load-balancing management is responsible for the correspondence between virtual IDS and physical IDS; depending on processing capability, it can be one-to-many or many-to-one. It can also dynamically add or remove physical IDS, so capacity changes in the whole virtual IDS pool do not affect users' applications. When overall processing capability is insufficient, foreground security policies can prioritize resource allocation by user traffic and security level to guarantee the needs of key users.
Image and migration management for the virtual IDS ensures that a virtual IDS can run dynamically on different physical IDS, with redundant mutual backup, so that when a physical IDS goes down its virtual IDS are automatically migrated to other physical machines without affecting users' services.
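The load-balancing and migration management described in this section, as an added example that is not the blog's or any product's code: a toy placement planner. Physical IDS have a processing capacity and each user's virtual IDS has a traffic demand and a security level; the planner maps virtual IDS onto physical IDS (one-to-many or many-to-one as capacity allows), and when a physical IDS goes down it re-plans placement on the survivors. When total capacity is insufficient, higher security levels are placed first and the lowest-priority virtual IDS are the ones left unplaced. The engine names, capacities, demands and levels are constructed; a production planner would also minimize the number of migrations, which this global re-plan does not.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Physical:
    name: str
    capacity: float          # inspection throughput, e.g. Gbit/s (constructed unit)
    alive: bool = True


@dataclass
class VirtualIDS:
    tag: str                 # user tag: unique identifier of the user's traffic
    demand: float            # traffic the user pushes through the virtual IDS
    level: int               # security level, higher = more important


class Placement:
    def __init__(self, pool: List[Physical]):
        self.pool = {p.name: p for p in pool}
        self.where: Dict[str, Optional[str]] = {}   # tag -> physical name or None

    def free(self, p: Physical, virtuals: Dict[str, VirtualIDS]) -> float:
        used = sum(v.demand for t, v in virtuals.items() if self.where.get(t) == p.name)
        return p.capacity - used

    def place(self, virtuals: Dict[str, VirtualIDS], tags: List[str]) -> None:
        previous = {t: self.where.get(t) for t in tags}
        for t in tags:
            self.where[t] = None
        # Key users first: higher security level, then larger traffic.
        for tag in sorted(tags, key=lambda t: (-virtuals[t].level, -virtuals[t].demand)):
            v = virtuals[tag]
            fits = [p for p in self.pool.values()
                    if p.alive and self.free(p, virtuals) >= v.demand]
            if not fits:
                continue                      # insufficient capacity: stays unplaced
            # Prefer the engine it already ran on; otherwise the one with most free capacity.
            keep = [p for p in fits if p.name == previous[tag]]
            chosen = keep[0] if keep else max(fits, key=lambda p: self.free(p, virtuals))
            self.where[tag] = chosen.name

    def fail(self, name: str, virtuals: Dict[str, VirtualIDS]) -> List[str]:
        """A physical IDS goes down: re-plan everything on the survivors and
        return the tags whose placement changed (migrated or left unplaced)."""
        before = dict(self.where)
        self.pool[name].alive = False
        self.place(virtuals, list(virtuals))
        return [t for t in virtuals if before.get(t) != self.where.get(t)]

    def unplaced(self) -> List[str]:
        return [t for t, p in self.where.items() if p is None]


def run_migration_demo() -> dict:
    # Constructed pool: two large engines and one small one.
    pool = [Physical("ids-A", 10.0), Physical("ids-B", 10.0), Physical("ids-C", 6.0)]
    # Constructed users; total demand (18) exceeds capacity once ids-A is lost (16).
    virtuals = {
        "bank":  VirtualIDS("bank", 6.0, level=3),
        "shop":  VirtualIDS("shop", 5.0, level=2),
        "forum": VirtualIDS("forum", 4.0, level=1),
        "blog":  VirtualIDS("blog", 3.0, level=1),
    }
    plan = Placement(pool)
    plan.place(virtuals, list(virtuals))
    before = dict(plan.where)
    moved = plan.fail("ids-A", virtuals)
    return {"before": before, "moved": moved,
            "after": dict(plan.where), "unplaced": plan.unplaced()}


if __name__ == "__main__":
    print(run_migration_demo())
```

After ids-A fails the highest-level user ("bank") is migrated first and keeps service, while the lowest-level, smallest user ("blog") is the one left without a physical IDS; that is the "prioritize key users" policy of the text expressed as an ordering of the placement loop.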
 
This article is from the "Jack zhai" blog
