An overview of the development of IDS virtualization

Source: Internet
Author: User
Tags: log, resource, system log

I. Why IDS should be virtualized

An intrusion detection system (IDS) is an analysis tool for detecting hacker intrusions. Early IDS monitored and analyzed system logs (host IDS); because logs are easily "erased" by an intruder, the next step was to monitor a mirrored copy of the network traffic directly (network IDS). As attack and defense evolved, IDS development ran into two technical bottlenecks. The first is evasion: as hackers developed techniques to avoid detection, their "traces" became harder and harder to find. The most commonly used method, signature ("feature") recognition, needs a "fingerprint library" of attacker patterns, and as time passes that library grows larger and matching naturally takes longer. Inline monitoring devices therefore often compare only the most common signatures and ignore the "uncommon" ones, so intruders "escaping" detection is a very common thing. The second is detection accuracy: with sampling at a single point and no cross-engine analysis, there is not enough information, so a large number of suspected "security incidents" are produced that security staff must handle manually. Deeper analysis, correlation of multiple clues, and a reduction in the number of suspected events are therefore the inevitable path for IDS development.

Solving these two problems requires a large increase in IDS processing capacity. Multi-core CPUs are one way, but the number of cores that can be added is limited in the face of ever-increasing network bandwidth. So people turned to virtualization: if many ordinary PC servers can be virtualized into one large logical server with capability comparable to a supercomputer, why not turn multiple IDS into one giant IDS?

Of course, the other shock wave pushing IDS to change is the rise of cloud computing. Because the cloud service model concentrates the various businesses of different users in one place, a legitimate user of one business may be an intruder into another; IDS must monitor on behalf of different users while business boundaries are blurred, and what users want from IDS is on-demand use.

In short, in cloud computing the user's business "runs" in virtual machines and no longer corresponds to a specific server or storage device, and traffic between virtual machines no longer necessarily passes through network equipment, so a network IDS can no longer find its own monitoring location.

II. How IDS is virtualized

The goal of virtualization is to call on IDS the way you turn on "tap water", that is, to adjust IDS processing capacity dynamically according to user traffic. One way is to turn the IDS into a callable program (pure software) embedded in the user's virtual machine, like antivirus software running on the user's operating system; this approach consumes the virtual machine's resources and can be "bypassed" or "uninstalled" by an intruder. The other way is to divert the user's traffic so that it passes through the IDS and is "purified" before business processing continues; this is what we call the virtual IDS resource pool.

In the virtual IDS resource pool approach, virtualization is divided into two steps:

1. Many become one, also known as "hard to soft" virtualization: multiple physical IDS (possibly from different manufacturers and of different models) are virtualized into one IDS resource pool (also called an IDS group). An IDS group controller schedules the IDS resources in the pool; the group controller usually runs in a two-machine hot-standby configuration and is used to manage the IDS resource pool, dispatch and assign user traffic to the physical IDS in the back end, and perform load balancing;

The physical IDS are connected through high-performance switches, so physical IDS can be added or unloaded dynamically, and the IDS group controller is responsible for checking their "surviving" status and deciding whether to allocate business traffic to them for processing.
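The group controller's dispatch and health-check loop, as an added example in Python that is not from the original article or from any vendor's product: it models a pool of physical IDS engines with inspection capacities, assigns each user flow to the least-utilized live engine that has room for it (keeping both directions of a conversation on the same engine so stateful inspection sees the whole exchange), probes each engine's surviving status, drains failed or unloaded engines onto the rest, and records flows that no engine can take as a visibility gap instead of dropping them silently. Engine names, capacities, the `Flow` fields and the probe callback are all constructed assumptions; the two-machine hot standby of the controller itself is not modeled.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

FlowKey = Tuple[str, str, str]

@dataclass(frozen=True)
class Flow:
    """One user traffic flow to inspect (all values here are constructed)."""
    src: str
    dst: str
    proto: str
    mbps: int

    def key(self) -> FlowKey:
        # Direction-independent key: both halves of a conversation must land
        # on the same engine, or stateful inspection sees only one side.
        a, b = sorted((self.src, self.dst))
        return (a, b, self.proto)

@dataclass
class IdsEngine:
    """A physical IDS in the pool; vendor and model do not matter to the controller."""
    name: str
    capacity_mbps: int
    alive: bool = True
    flows: Dict[FlowKey, Flow] = field(default_factory=dict)

    def load_mbps(self) -> int:
        return sum(f.mbps for f in self.flows.values())

class IdsGroupController:
    def __init__(self) -> None:
        self.engines: Dict[str, IdsEngine] = {}
        # Flows no live engine could take: a visibility gap to report, not hide.
        self.unmonitored: List[Flow] = []

    def add_engine(self, engine: IdsEngine) -> int:
        """Join an engine and retry unmonitored flows; returns how many were placed."""
        self.engines[engine.name] = engine
        pending, self.unmonitored = self.unmonitored, []
        return self._redistribute(pending)

    def remove_engine(self, name: str) -> int:
        """Unload an engine and move its flows elsewhere; returns how many moved."""
        engine = self.engines.pop(name)
        orphaned = list(engine.flows.values())
        engine.flows.clear()
        return self._redistribute(orphaned)

    def health_check(self, probe: Callable[[IdsEngine], bool]) -> int:
        """Refresh each engine's surviving status and drain the ones that failed."""
        orphaned: List[Flow] = []
        for engine in self.engines.values():
            was_alive, engine.alive = engine.alive, probe(engine)
            if was_alive and not engine.alive:
                orphaned.extend(engine.flows.values())
                engine.flows.clear()
        return self._redistribute(orphaned)

    def assign(self, flow: Flow) -> str:
        """Engine inspecting this flow: sticky per conversation, otherwise the
        least-utilized live engine with enough spare capacity."""
        key = flow.key()
        for engine in self.engines.values():
            if engine.alive and key in engine.flows:
                return engine.name
        fits = [e for e in self.engines.values()
                if e.alive and e.load_mbps() + flow.mbps <= e.capacity_mbps]
        if not fits:
            raise LookupError(f"no live engine has {flow.mbps} Mbps free")
        target = min(fits, key=lambda e: e.load_mbps() / e.capacity_mbps)
        target.flows[key] = flow
        return target.name

    def _redistribute(self, flows: List[Flow]) -> int:
        moved = 0
        for flow in flows:
            try:
                self.assign(flow)
                moved += 1
            except LookupError:
                self.unmonitored.append(flow)
        return moved

def demo() -> Tuple[str, int, int, str]:
    """Two engines, one fails its probe, a third is added to close the gap."""
    ctrl = IdsGroupController()
    ctrl.add_engine(IdsEngine("ids-a", 1000))
    ctrl.add_engine(IdsEngine("ids-b", 500))
    big = Flow("10.0.0.1", "10.0.0.2", "tcp", 400)
    ctrl.assign(big)                                       # ids-a: both idle
    ctrl.assign(Flow("10.0.0.3", "10.0.0.4", "tcp", 300))  # ids-b: 0% vs 40%
    ctrl.assign(Flow("10.0.0.5", "10.0.0.6", "udp", 200))  # ids-a: 40% vs 60%
    reverse = ctrl.assign(Flow("10.0.0.2", "10.0.0.1", "tcp", 400))  # sticky
    moved = ctrl.health_check(lambda e: e.name != "ids-a")  # ids-a stops answering
    gap = len(ctrl.unmonitored)                             # 400 Mbps flow has no home
    ctrl.add_engine(IdsEngine("ids-c", 1000))               # capacity restored
    return reverse, moved, gap, ctrl.assign(big)
```

Call `demo()` to run the scenario. The `unmonitored` list is the figure an operator should alert on: a pool that quietly stops inspecting a flow after an engine fails is exactly the blind spot the article's "surviving status" check exists to prevent, and the add/remove paths reuse the same redistribution so a planned unload and an unplanned failure are handled identically.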
