Basics of Intrusion Detection Technology

Source: Internet
Author: User
1. Why IDS (Intrusion Detection Systems) exist and keep developing

(1) Network security is complex, and purely passive defence methods are insufficient.

(2) Firewall limitations: a device sitting on the network boundary can itself be attacked, and it protects poorly against some attacks. Not all threats come from outside the firewall.

(3) Intrusion is easy: intrusion tutorials are everywhere and a variety of tools are readily available.

2. Intrusion Detection

● Definition: a security technology that collects and analyses information from several key points in a computer network or computer system in order to detect violations of the security policy and signs of attack on the network or system.

● Origin:

(1) "Computer Security Threat Monitoring and Surveillance", 1980, by James P. Anderson

This report was the first to elaborate the concept of intrusion detection; it proposed a classification of threats to computer systems and the idea of using audit trail data to monitor intrusion activity. It is generally regarded as the starting point of intrusion detection.

(2) From 1984 to 1986, Dorothy Denning of Georgetown University and Peter Neumann of SRI/CSL developed a real-time intrusion detection system model, IDES (Intrusion Detection Expert System).

(3) In 1990, L. Todd Heberlein of the University of California, Davis, and others developed NSM (Network Security Monitor).

- For the first time, a system used network traffic directly as its source of audit data, so it could monitor heterogeneous hosts without converting their audit data into a uniform format.

- This opened a new page in the history of intrusion detection: the two camps, network-based IDS and host-based IDS, were formally established.

(4) After December 1988, research in the United States on the Distributed Intrusion Detection System (DIDS) integrated host-based and network-based detection methods. DIDS is a milestone in the history of distributed intrusion detection.

(5) From the 1990s to the present, intrusion detection systems have developed rapidly, with great strides in both intelligence and distribution.

3. Basic IDS Structure

● Event generator: collects raw data, converts the collected raw data to an event, and provides the event to other parts of the system.

The collected information includes system or network log files, network traffic, abnormal changes in System directories and files, and abnormal behavior during program execution.

Note: Intrusion Detection relies heavily on the reliability and correctness of collected information.

● Event analyzer: receives event information, analyses it, determines whether it represents an intrusion or an abnormal phenomenon, and finally turns the judgement into an alert. There are three analysis methods (key points):

(1) Pattern matching: compare the collected information with a database of known network intrusion and system misuse patterns to find behaviour that violates the security policy.

(2) Statistical analysis: first create a statistical description of system objects (such as users, files, directories and devices), measuring attributes such as number of accesses, number of failed operations and latency during normal use. The mean and deviation of each attribute are then compared with the observed network and system behaviour; when an observed value falls outside the normal range, an intrusion is deemed to have occurred.

(3) Integrity Analysis (often used for post-event analysis): focuses on whether a file or object is changed.

● Event Database: stores various intermediate and final data.

● Response unit: responds to alerts (strong response: disconnecting the session, changing file attributes, etc.; or a simple alarm).
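A minimal version of the event generator / analyzer / event database / response unit pipeline described above, as an added example (not code from the original notes). It implements analysis methods (1) pattern matching and (3) integrity analysis; the syslog-style lines, the host name "web01", the addresses, the three signatures and the file contents are all constructed for illustration. Statistical analysis (2) needs a behaviour profile and is not shown here.

```python
"""Minimal IDS pipeline: event generator -> analyzer -> event store -> response.

Added illustration, not code from the notes. Log lines, signatures, hosts,
addresses and file contents below are constructed for the example.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Event generator ---------------------------------------------------------
# Constructed syslog-style sample (hypothetical host "web01", documentation IPs).
SAMPLE_LOG = """\
Mar  3 10:01:02 web01 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:09 web01 httpd: 198.51.100.4 "GET /cgi-bin/../../../../etc/passwd HTTP/1.1" 404
Mar  3 10:02:15 web01 httpd: 192.0.2.10 "GET /index.html HTTP/1.1" 200
Mar  3 10:03:40 web01 httpd: 198.51.100.4 "GET /login.php?user=admin'%20OR%201=1-- HTTP/1.1" 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


@dataclass
class Event:
    ts: str
    host: str
    prog: str
    msg: str


def generate_events(raw: str) -> List[Event]:
    """Convert raw log text into Event objects; unparseable lines are dropped
    (the analyzer can only be as good as the events it receives)."""
    return [Event(**m.groupdict()) for m in map(LOG_RE.match, raw.splitlines()) if m]


# --- Analyzer, method (1): pattern matching against a signature database -----
# Constructed signatures. Production rules carry far more context (protocol,
# direction, ports, flow state); these are deliberately small.
SIGNATURES = [
    ("ssh-root-bruteforce", re.compile(r"Failed password for root from [\d.]+")),
    ("http-path-traversal", re.compile(r"GET \S*(?:\.\./){2,}")),
    ("http-sqli-tautology", re.compile(r"(?i)'(?:%20|\s)*or(?:%20|\s)*1=1")),
]


def match_signatures(ev: Event) -> List[str]:
    return [name for name, rx in SIGNATURES if rx.search(ev.msg)]


# --- Analyzer, method (3): integrity analysis --------------------------------
# SHA-256 digests taken while the host was known-good, compared with the
# current contents. Contents are embedded so the example never touches disk.
def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


BASELINE_FILES: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nwww:x:33:33::/var/www:/usr/sbin/nologin\n",
    "/usr/bin/ssh": b"\x7fELF (constructed stand-in for the real binary)",
}
BASELINE = {path: digest(data) for path, data in BASELINE_FILES.items()}


def integrity_check(current_files: Dict[str, bytes], baseline: Dict[str, str] = BASELINE) -> List[str]:
    """Paths whose digest differs from the baseline, plus baseline files that
    have disappeared. Post-event analysis: it says *that* something changed,
    not who changed it or when."""
    changed = [p for p, data in current_files.items() if baseline.get(p) != digest(data)]
    return changed + [p for p in baseline if p not in current_files]


# --- Event database and response unit ----------------------------------------
@dataclass
class Alert:
    source: str
    signature: str
    event: Optional[Event] = None


def analyze(raw_log: str, current_files: Dict[str, bytes]) -> List[Alert]:
    """Run both analyzer methods; the returned list is the 'event database'."""
    alerts = [Alert(ev.host, name, ev)
              for ev in generate_events(raw_log) for name in match_signatures(ev)]
    alerts += [Alert("integrity", "file-modified:" + p) for p in integrity_check(current_files)]
    return alerts


def respond(alerts: List[Alert]) -> List[str]:
    """Response unit: strong response (block the source) for web exploit
    attempts, simple alarm for everything else. Returns action strings
    instead of executing them; a real unit would push a firewall rule."""
    actions = []
    for a in alerts:
        if a.signature.startswith("http-") and a.event is not None:
            actions.append("BLOCK " + a.event.msg.split()[0])   # client address in the httpd line
        else:
            actions.append("ALARM " + a.signature)
    return actions


if __name__ == "__main__":
    tampered = dict(BASELINE_FILES)
    tampered["/etc/passwd"] += b"backdoor:x:0:0::/:/bin/sh\n"   # constructed tampering
    for action in respond(analyze(SAMPLE_LOG, tampered)):
        print(action)
```

Note how the note at the start of this section applies: the pipeline never sees the `GET /index.html` request as suspicious only because the event generator parsed it correctly; a line that fails the regex is silently dropped, which is exactly the "reliability of collected information" dependency.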

4. Key Parameters of Intrusion Detection Performance

(1) False positive: an actually harmless event is reported as an attack by the IDS.

(2) False negative: an attack event is not detected by the IDS, or is judged harmless by the analyst.

5. Classification of Intrusion Detection

(1) classification based on analysis methods/detection principles

● Anomaly detection: based on the statistical analysis principle. First summarise the features that normal operation should have (the user profile) and try to describe them quantitatively; when user activity deviates significantly from normal behaviour, it is considered an intrusion.

Premise: intrusions are a subset of abnormal activity. Typical characteristic: low false negative rate, high false positive rate.

Profile: a collection of behaviour parameters and their thresholds, describing the range of normal behaviour.

Features: the effectiveness of an anomaly detection system depends on the completeness of the user profile and the frequency of monitoring. No definition is needed for each type of intrusion, so it can detect unknown intrusions effectively, and the system can adapt and tune itself as user behaviour changes. However, as the detection model becomes more accurate, anomaly detection consumes more system resources.

● Misuse detection: based on the pattern matching principle. The characteristic features of known intrusions and misuse are collected into a signature database; when monitored user or system behaviour matches a record in the database, the system considers the behaviour an intrusion.

Premise: every intrusion has characteristics that can be detected. Typical characteristic: low false positive rate, high false negative rate.

Attack signature database: the set of records against which monitored user or system behaviour is matched; a match is treated as an intrusion.

Features: pattern matching is used. Misuse detection can significantly reduce the false positive rate, but the false negative rate rises: minor changes to an attack's features leave misuse detection powerless.

(2) Data sources

● Host-based (HIDS): the system obtains its data from the host it runs on, and the protection target is that host.

Concentrated field of view; easy to customise; finer-grained protection; insensitive to network traffic.

● Network-based (NIDS): the system's data is the packets transmitted over the network, and the protection target is the normal operation of the network.

Fast detection; good concealment; wider field of view; fewer monitors needed; fewer resources consumed.

● Hybrid

(3) According to the architecture: centralized and distributed

(4) Working methods: Offline Detection and Online Detection

6. Basic Terms

● Alert: when an intrusion is under way or being attempted, the IDS sends an alert message to the system administrator.

● Signatures: attack signatures are the core of an IDS; an event matching a signature triggers the IDS.

If a signature is too short, the IDS is triggered too often, leading to false positives and mis-identified alerts; if it is too long, it slows the IDS down.

● Promiscuous mode: a network interface in promiscuous mode can "see" all traffic on its network segment regardless of source or destination. This is necessary for a network IDS.

Intrusion detection technologies (anomaly detection; misuse detection; intrusion deception; intrusion response)

7. Anomaly Detection Technology

● Probabilistic/statistical anomaly detection

Principle: each profile records the subject's current behaviour; the current profile is periodically merged with the historical profile to form the statistical profile (update). Abnormal behaviour is determined by comparing the current profile with the statistical profile.

Advantage: mature probability and statistics theory can be applied.

Disadvantages: ① because user behaviour is complex, accurately matching a user's historical behaviour is very difficult, which can cause both false positives and false negatives;

② the intrusion threshold is difficult to set: with an anomaly-score threshold, a high threshold raises the false negative rate (fewer alarms), and a low threshold raises the false positive rate (more alarms).

● Neural network anomaly detection

Principle: the error rate when predicting the next event reflects, to some extent, how abnormal the user's behaviour is.

Advantages: ① better expresses the non-linear relationships between variables and copes better with the random character of raw data, i.e. no statistical assumptions about the data are needed, and it can learn and update automatically; ② good resistance to interference.

Disadvantage: it is difficult to determine the network topology and the weight of each element.
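The probabilistic/statistical method above, worked through as an added example (not code from the notes). It also serves the statistical analysis method of section 3 and the false positive / false negative parameters of section 4: a profile (mean and variance of one metric) is built from a training period, the current period's profile is merged into the historical one, and a threshold sweep shows the trade-off in the second disadvantage. The subject, the metric (failed SSH logins per hour for one user), the aging factor and every count are constructed.

```python
"""Profile-based statistical anomaly detection with periodic profile update.

Added illustration, not code from the notes. The subject, metric (failed
logins per hour for one user) and all counts are constructed.
"""
import statistics
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass
class Profile:
    """Statistical description of one metric: mean and population variance."""
    mean: float
    var: float

    @property
    def stddev(self) -> float:
        return self.var ** 0.5


def build_profile(samples: Sequence[float]) -> Profile:
    """Summarise one observation period into a profile (needs >= 1 sample)."""
    return Profile(statistics.fmean(samples), statistics.pvariance(samples))


def merge(historical: Profile, current: Profile, alpha: float = 0.25) -> Profile:
    """Periodic update: blend the current-period profile into the historical
    one. alpha sets how fast the profile follows behaviour changes; too high
    and an attacker can slowly 'train' the profile towards their activity,
    too low and legitimate changes keep raising alarms. (Assumed scheme.)"""
    return Profile((1 - alpha) * historical.mean + alpha * current.mean,
                   (1 - alpha) * historical.var + alpha * current.var)


def anomaly_score(profile: Profile, x: float, min_stddev: float = 0.5) -> float:
    """Deviation from the profile in standard deviations. The floor on the
    stddev stops a perfectly flat training period from making every
    non-zero value infinitely anomalous."""
    return abs(x - profile.mean) / max(profile.stddev, min_stddev)


def is_intrusion(profile: Profile, x: float, threshold: float) -> bool:
    return anomaly_score(profile, x) > threshold


def evaluate(profile: Profile, labelled: Sequence[Tuple[float, bool]],
             thresholds: Sequence[float]) -> Dict[float, Tuple[int, int]]:
    """(false positives, false negatives) at each threshold, given
    observations labelled True when they came from an attack."""
    result = {}
    for t in thresholds:
        fp = sum(1 for x, attack in labelled if not attack and is_intrusion(profile, x, t))
        fn = sum(1 for x, attack in labelled if attack and not is_intrusion(profile, x, t))
        result[t] = (fp, fn)
    return result


# Constructed data: failed SSH logins per hour for one user over a quiet day.
TRAINING: List[float] = [0, 1, 0, 0, 2, 1, 0, 1, 0, 0, 1, 1,
                         0, 2, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1]

# Constructed test observations: (count, is_attack). 3 is a legitimate burst
# of typos; 4 per hour is a slow brute force; 8 and 15 are noisy attacks.
LABELLED: List[Tuple[float, bool]] = [
    (0, False), (1, False), (2, False), (3, False),
    (4, True), (8, True), (15, True),
]

HISTORICAL = build_profile(TRAINING)


if __name__ == "__main__":
    for t, (fp, fn) in evaluate(HISTORICAL, LABELLED, [2, 3, 4, 6]).items():
        print(f"threshold {t}: false positives={fp} false negatives={fn}")
    updated = merge(HISTORICAL, build_profile([0, 1, 1, 2, 0, 1]))
    print(f"profile mean {HISTORICAL.mean:.3f} -> {updated.mean:.3f} after update")
```

With this data, thresholds of 2 and 3 flag the legitimate burst (false positives), a threshold of 6 misses the slow brute force (a false negative), and only a narrow band in between catches all three attacks cleanly; on a real user population that band moves from subject to subject, which is the first disadvantage in practice.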

8. Misuse Detection Technology (principles, advantages and disadvantages of expert-system misuse detection and state transition analysis)

● Expert system misuse detection

Principle: the knowledge of security experts is expressed as rules with an if-then structure (the if part: the conditions required for an intrusion; the then part: the measures to take once the intrusion is found), forming an expert knowledge base; an inference engine applies the rules to detect intrusions.

Note: the main problems are maintaining the sequential event data and the knowledge base (only known attacks can be detected).

● State transition analysis misuse detection

Principle: the intrusion is regarded as a sequence of actions that moves the system from an initial state to a compromised state. For each intrusion method the analyst determines the system's initial state and compromised state, and the transition conditions that lead from one state to the next (the operations or signature events that must occur for the system to enter the intruded state). A state transition diagram then represents each state and signature event.

Disadvantage: not good at analysing overly complex events, nor at detecting intrusions unrelated to system state.
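State transition analysis worked through as an added example (not code from the notes); the transition conditions double as the "if" parts of the expert-system rules in the first bullet. Each source address is tracked through the chain initial -> bruteforce -> compromised -> rooted, where the edges are the signature events that must occur. The event kinds, addresses, timings, the failure threshold and the time window are constructed.

```python
"""State transition analysis: track each source through a chain of signature
events leading from the initial state to a compromised state.

Added illustration, not code from the notes. Event kinds, addresses, timings
and thresholds are constructed; the transition conditions stand in for the
'if' parts of expert-system rules.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

INITIAL, BRUTEFORCE, COMPROMISED, ROOTED = "initial", "bruteforce", "compromised", "rooted"

FAIL_THRESHOLD = 3     # failed logins that count as a brute-force attempt...
FAIL_WINDOW = 60       # ...if they fall within this many seconds (assumed values)


@dataclass(frozen=True)
class Event:
    t: int        # seconds since start of the trace
    src: str      # originating address (the tracked subject)
    kind: str     # "login_fail" | "login_ok" | "priv_escalation"


class SourceTracker:
    """State machine for one source. An edge fires only when the current
    state matches, so the same signature event in another context (e.g. a
    legitimate sudo by a user who never brute-forced) does not advance it."""

    def __init__(self) -> None:
        self.state = INITIAL
        self.fail_times: List[int] = []
        self.history: List[str] = [INITIAL]
        # (from_state, condition on the event, to_state): the diagram's edges.
        self.transitions: List[Tuple[str, Callable[[Event], bool], str]] = [
            (INITIAL, self._bruteforce_seen, BRUTEFORCE),
            (BRUTEFORCE, lambda e: e.kind == "login_ok", COMPROMISED),
            (COMPROMISED, lambda e: e.kind == "priv_escalation", ROOTED),
        ]

    def _bruteforce_seen(self, ev: Event) -> bool:
        if ev.kind != "login_fail":
            return False
        # keep only failures inside the sliding window, then add this one
        self.fail_times = [t for t in self.fail_times if ev.t - t <= FAIL_WINDOW] + [ev.t]
        return len(self.fail_times) >= FAIL_THRESHOLD

    def advance(self, ev: Event) -> str:
        for frm, cond, to in self.transitions:
            if self.state == frm and cond(ev):
                self.state = to
                self.history.append(to)
                break
        return self.state


def analyze(events: Sequence[Event]) -> Dict[str, List[str]]:
    """Feed events in time order to one tracker per source; return the state
    path each source took."""
    trackers: Dict[str, SourceTracker] = defaultdict(SourceTracker)
    for ev in sorted(events, key=lambda e: e.t):
        trackers[ev.src].advance(ev)
    return {src: tr.history for src, tr in trackers.items()}


def compromised_sources(events: Sequence[Event]) -> List[str]:
    return [src for src, path in analyze(events).items() if path[-1] in (COMPROMISED, ROOTED)]


# Constructed trace (documentation addresses).
SAMPLE_EVENTS = [
    # fast brute force, then success, then privilege escalation
    Event(0, "203.0.113.7", "login_fail"), Event(10, "203.0.113.7", "login_fail"),
    Event(20, "203.0.113.7", "login_fail"), Event(30, "203.0.113.7", "login_ok"),
    Event(45, "203.0.113.7", "priv_escalation"),
    # legitimate user: one typo, then a normal sudo
    Event(5, "192.0.2.10", "login_fail"), Event(12, "192.0.2.10", "login_ok"),
    Event(20, "192.0.2.10", "priv_escalation"),
    # slow brute force that stays outside the window: the chain never starts
    Event(0, "198.51.100.4", "login_fail"), Event(100, "198.51.100.4", "login_fail"),
    Event(200, "198.51.100.4", "login_fail"), Event(300, "198.51.100.4", "login_ok"),
]

if __name__ == "__main__":
    for src, path in analyze(SAMPLE_EVENTS).items():
        print(src, " -> ".join(path))
```

The third source shows the disadvantage in the notes: an attacker who spaces failures more than the window apart never satisfies the first transition condition, so the later successful login is treated as an ordinary state and the intrusion is missed, and no amount of extra rules helps unless the state model itself is changed.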

9. Intrusion Deception Technology: definition, characteristics and design objectives; honeypot technology

● Definition: attracts attackers with distinctive features, analyses the attackers' various behaviours, and finds effective countermeasures.

● Characteristics: attempts to lure attackers away from critical systems. It is an active defence technology.

● Design objective: to extract useful information from existing threats in order to discover new attack tools, determine attack patterns, and study attackers' motivations.

● Honeypot technology: a honeypot is a resource whose value lies in being probed, attacked or compromised. Note: a honeypot is not a security solution in itself; it is only a tool, and it yields information only when it is attacked.

10. Intrusion Response Technology (forms and means of active and passive response)

● Active response: after detecting an intrusion, the intrusion detection system can block the attack and influence the course of the attack.

Forms: user-driven; executed automatically by the system.

Basic means: ① counterattack against the intruder (ranging from severe to moderate); ② correction of the system environment; ③ collection of additional information.

● Passive response: the intrusion detection system simply reports and records the problems it detects.

Form: only provides information to the user and relies on the user to decide the next action.

Basic means: ① alarm and notification; ② SNMP (Simple Network Management Protocol) messages, used in combination with network management tools.

11. Intrusion Detection System Structure (features, advantages and disadvantages of host-based, network-based and distributed intrusion detection)

● Host intrusion detection (HIDS)

Features: detects and responds to intrusions on hosts or server systems.

Main advantages: high cost-effectiveness; finer-grained; low false positive rate; suitable for encrypted and switched environments; insensitive to network traffic; can determine whether an attack succeeded.

Limitations: ① it depends on the host's inherent logging and monitoring capabilities, and host audit information has weaknesses: it is vulnerable to attack, and intruders can try to evade auditing;

② running the IDS affects host performance to some degree;

③ a HIDS can only detect the actions and logs of specific users and applications on the host, so the types of attack it can detect are limited;

④ fully deploying HIDS is costly.

● Network intrusion detection (NIDS)

Comparison of HIDS and NIDS:

Item                        | HIDS                                          | NIDS
----------------------------|-----------------------------------------------|-----------------------------------------------------
False positives             | few                                           | a certain amount
False negatives             | related to the technical level                | related to data-processing capacity (unavoidable)
Deployment and maintenance  | unrelated to network topology                 | related to network topology
Detection rules             | few                                           | many
Detection method            | signature event detection and signal analysis | signature code analysis
Security policy             | basic security policy (point policy)          | operational security policy (line policy)
Security limitation         | all events reaching the host                  | unencrypted, non-confidential information in transit
Security hazard detected    | violations                                    | attack methods or means

Features: uses a NIC in promiscuous mode to monitor communications on the whole network segment in real time.

Main advantages: good concealment; real-time detection and response; hard for attackers to tamper with or remove evidence; no impact on the business system; can detect unsuccessful attack attempts.

Limitations: ① it only detects traffic on the network segment it is directly connected to, and cannot see packets on other segments;

② its detection range is limited in a switched Ethernet environment;

③ complex attack detection that needs a large amount of computation and analysis time is difficult to implement;

④ encrypted sessions are difficult to handle.

● Distributed intrusion detection (DIDS)

Generally composed of multiple components that work together; they are distributed across the network to perform functions such as data collection and data analysis, and a central control component coordinates the collection, analysis and response to intrusions.
