Intrusion detection is a technology that uses the traces left by intruders, such as logon failure records, to discover illegal intrusions from external or internal sources. Its technical essence is detection and control, and it plays an active defense role, which makes it an extremely important part of network security. This article briefly introduces the working principle, classification, functional structure and development status of intrusion detection technology.

Technical Principles of Intrusion Detection

Intrusion detection can be divided into real-time intrusion detection and post-event intrusion detection. The principles are as follows.

Real-time intrusion detection is performed while the network connection is in progress. The system judges the user's current operations against the user's historical behavior model, the expert knowledge stored in the computer, and the neural network model. Once an intrusion is detected, the system immediately disconnects the intruder from the host, collects evidence and carries out data recovery. This detection process runs continuously.

Post-event intrusion detection is carried out by network administrators, who have professional knowledge of network security. They determine whether a user has engaged in intrusion behavior based on the historical audit records of user operations kept by the computer system; if so, they disconnect the user, record the intrusion evidence and recover the data. Post-event intrusion detection is performed by administrators on a regular or irregular basis and is not real-time, so its ability to defend against intrusions is inferior to that of a real-time intrusion detection system.

Classification of Intrusion Detection Methods

1. Intrusion detection based on a statistical model of user behavior probability.
This intrusion detection method is based on a model built from the user's historical behavior and from earlier evidence. The audit system monitors the usage of the system in real time and checks it against the user behavior probability statistics model stored in the system. When suspicious user behavior is detected, the system keeps tracking, monitoring and recording that user's behavior. The system generates a historical behavior record library for each user based on that user's previous behavior, so when the user's behavior habits change, the anomaly is detected.

2. Neural network-based intrusion detection.
This method uses neural network technology for intrusion detection, so it can learn and adapt to user behavior and can effectively process the information actually detected to judge the possibility of an intrusion. However, this method is not yet mature and there are no well-developed products.

3. Intrusion detection based on an expert system.
This technology forms a set of reasoning rules from the experience of security experts in analyzing suspicious behaviors, and then builds the corresponding expert system on that basis; the expert system automatically analyzes the intrusion behavior involved. The system should be able to use its self-learning capability to expand and correct the rules as experience accumulates.

4. Intrusion detection based on model reasoning.
This technology establishes an intrusion behavior model from the characteristics of certain behavior programs that intruders execute during an intrusion. The behavior characteristics of the intrusion intention that this model represents are used to determine whether an operation performed by the user is an intrusion behavior.
Of course, this method also relies on currently known intrusion behavior programs; recognizing the behavior programs executed by unknown intrusion methods requires further learning and extension of the model.

None of the preceding methods can accurately detect ever-changing intrusions. Therefore, the advantages and disadvantages of the various methods should be fully weighed in network security protection, so that these methods can be used to effectively detect the illegal acts of intruders.

In general, the functions and structure of an intrusion detection system include the following. It monitors the running status of users and systems, looking for unauthorized users and for unauthorized operations by legitimate users. It checks the correctness of the system configuration and checks for security vulnerabilities, and prompts the administrator to fix them. It conducts statistical analysis of users' abnormal activities to discover patterns of intrusion. It checks the consistency and correctness of system programs and data, for example by calculating and comparing the checksums of a file system. It can respond to detected intrusion behaviors in real time. It manages the audit trail of the operating system.

Based on these functions, the functional structure can be divided into two major parts: the central detection platform and the proxy server. The proxy server collects audit data from the various operating systems, converts it to a platform-independent format, and transmits it to the central detection platform; it can also pass the central platform's audit data requirements on to the various operating systems. The central detection platform consists of an expert system, a knowledge base, and administrators. Its function is to have the expert system analyze the audit data collected by the proxy server and to generate system security reports.
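The division of work between proxy server and central detection platform described above can be sketched as follows. This is an added example, not code from the original article: the two audit-line formats, the field names of the common record, and the single expert rule with its threshold are all hypothetical, and the transport between proxy and platform is left out.

```python
from datetime import datetime

# Constructed audit lines in two hypothetical OS-specific formats.
HOST_A = [  # time host facility result user source
    "2024-03-03T02:11:07 hostA auth FAIL alice 10.0.0.9",
    "2024-03-03T02:11:12 hostA auth FAIL alice 10.0.0.9",
    "2024-03-03T02:11:20 hostA auth FAIL alice 10.0.0.9",
    "2024-03-03T02:11:31 hostA auth OK alice 10.0.0.9",
    "2024-03-03T09:00:02 hostA auth OK carol 10.0.0.4",
]
HOST_B = [  # host|time|event|user|source
    "hostB|2024-03-03 08:15:40|LOGON_FAILURE|bob|10.0.0.7",
    "hostB|2024-03-03 08:15:55|LOGON_SUCCESS|bob|10.0.0.7",
]

def normalize_a(line):
    """Proxy for host A: convert its record to the common format."""
    ts, host, _facility, result, user, src = line.split()
    event = "logon_failure" if result == "FAIL" else "logon_success"
    return {"time": datetime.fromisoformat(ts), "host": host,
            "user": user, "event": event, "src": src}

def normalize_b(line):
    """Proxy for host B: same common format, different source layout."""
    host, ts, event, user, src = line.split("|")
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "user": user, "event": event.lower(), "src": src}

def collect():
    return [normalize_a(l) for l in HOST_A] + [normalize_b(l) for l in HOST_B]

def analyze(records, max_failures=3):
    """Central platform rule: max_failures or more logon failures in a
    row for one user on one host, then a success, is reported."""
    streak, report = {}, []
    for r in sorted(records, key=lambda r: r["time"]):
        key = (r["host"], r["user"])
        if r["event"] == "logon_failure":
            streak[key] = streak.get(key, 0) + 1
        elif r["event"] == "logon_success":
            if streak.get(key, 0) >= max_failures:
                report.append((r["host"], r["user"], r["src"], streak[key]))
            streak[key] = 0
    return report

if __name__ == "__main__":
    for host, user, src, n in analyze(collect()):
        print(f"{host}: {user} logged on from {src} after {n} failures")
```

Because the rule only sees the common record, adding a third operating system means writing one more normalizer and leaving the analysis untouched.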
Administrators can provide security management functions for each host and send audit data to each proxy server based on the expert system's analysis. In addition, the central detection platform communicates with the proxy server through secure RPC. The functional structure is shown in the figure on the right.

Development Status of Intrusion Detection Technology

At present, some foreign research institutions have developed several typical intrusion detection systems (IDS) for different operating systems. They usually use static anomaly models and rule-based misuse models to detect intrusions. These IDS are either server-based or network-based. Server-based IDS use the detection sequence of the server operating system as the main input source for detecting intrusions, while most network-based IDS use the monitoring of network faults as the detection mechanism, although some use server-based detection modes and typical IDS static anomaly algorithms. Early IDS models were designed to monitor a single server and are host-based intrusion detection systems; more recent models monitor multiple servers connected through a network and are network-based intrusion detection systems.

In short, intrusion detection technology plays a vital role in network security protection, so it has been widely valued. We believe that with the continuous improvement of detection technology, we will be able to build a more secure and reliable network protection system.
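Returning to method 1 above, the following added example (not code from the original article) builds a historical behavior record for each user and flags a day on which the user's behavior departs from it. The two features, the constructed history, the spread floor `min_std` and the `threshold` are assumptions chosen for illustration.

```python
from statistics import mean, pstdev

# Constructed history: per user, one (logon hour, failed logons) per day.
HISTORY = {
    "alice": [(9, 0), (9, 1), (10, 0), (8, 0), (9, 0), (10, 1), (9, 0)],
    "bob": [(22, 0), (23, 0), (22, 1), (21, 0), (22, 0), (23, 0), (22, 0)],
}
FEATURES = ("logon_hour", "failed_logons")

def build_profiles(history, min_std=0.5):
    """Historical behavior record per user: (mean, spread) per feature."""
    profiles = {}
    for user, days in history.items():
        # Floor the spread so a very regular user does not turn every
        # small change into an extreme score (and to avoid dividing by 0).
        profiles[user] = [(mean(col), max(pstdev(col), min_std))
                          for col in zip(*days)]
    return profiles

def detect(profiles, user, observation, threshold=3.0):
    """Return the features on which today's behavior deviates.

    The score is the distance from the user's own mean in units of the
    user's own spread; logon_hour is treated as a plain number here, so
    wrap-around at midnight is not modeled.
    """
    if user not in profiles:
        return ["no_profile"]  # no history to compare against
    flagged = []
    for name, value, (mu, sd) in zip(FEATURES, observation, profiles[user]):
        if abs(value - mu) / sd > threshold:
            flagged.append(name)
    return flagged

PROFILES = build_profiles(HISTORY)

if __name__ == "__main__":
    for user, today in [("alice", (9, 0)), ("alice", (3, 6)), ("bob", (9, 0))]:
        print(user, today, detect(PROFILES, user, today) or "normal")
```

The same observation, a logon at 09:00 with no failures, is normal for alice and anomalous for bob, which is the point of keeping a separate record per user.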