I. Intrusion Detection System Analysis
1.1 What is an intrusion detection system
Intrusion refers to any attempt to endanger the integrity, confidentiality, or availability of computer resources. Intrusion detection, as the name implies, is the discovery of intrusion behavior. It collects information from several key points in a computer network or system and analyzes that information to detect violations of the security policy and signs of attack on the network or system. The combination of software and hardware used for intrusion detection is the Intrusion Detection System (IDS). Unlike other security products, an intrusion detection system requires more intelligence: it must be able to analyze the data and produce useful results. A well-designed intrusion detection system greatly simplifies the administrator's work and helps ensure secure network operation.
1.2 Classification of Intrusion Detection Systems
Based on the data source used for detection, IDS can be divided into host-based IDS and network-based IDS.
Host-based IDS use audit records, such as host logs, router logs, and firewall logs, as their data source. Typically a host-based IDS monitors the security, system, and event logs kept by the operating system. When these log files change, the IDS compares the new record entries against attack signatures to see whether they match; if they do, the system sends an alarm to the administrator so that measures can be taken.
The network-based intrusion detection system uses raw network packets as its data source. A network-based IDS usually relies on a network adapter running in promiscuous mode to monitor and analyze all traffic passing over the network in real time. Once an attack is detected, the IDS response module reacts, for example by notifying the administrator, interrupting the connection, or terminating the user's session.
1.3 Intrusion Detection Methods
By studying the process and characteristics of intrusion behavior, intrusion detection technology enables the security system to respond to intrusion events and intrusion processes in real time. There are two detection methods: misuse intrusion detection and anomaly intrusion detection.
Misuse intrusion detection assumes that every intrusion behavior and method can be expressed as a pattern or feature, so that all known intrusion methods can be found by pattern matching. The key problem is how to express the intrusion patterns and distinguish real intrusions from normal behavior. The advantage is a low false-positive rate; the limitation is that it can only discover known attacks and is helpless against unknown ones.
Anomaly intrusion detection assumes that all intrusion behavior differs from normal behavior. If a profile of normal system behavior is established, then in theory every system state that deviates from that profile can be treated as a suspicious attempt. For example, traffic statistical analysis can flag unusual network traffic at unusual times as suspicious. The limitation of anomaly detection is that not all intrusions are anomalous, and the profile of normal behavior is difficult to compute and keep up to date.
Comparing the two methods, anomaly detection is difficult to analyze quantitatively and carries inherent uncertainty. Misuse detection, in contrast, follows defined patterns and detects intrusions by matching audit records against them, but it can only detect known intrusions. Neither mechanism is therefore perfect. Many specific intrusion detection methods already exist, but each has its limitations and none solves every problem, so detection methods remain the focus of current intrusion detection research.
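As an added illustration (not code from the original article or its system), the following Python sketch contrasts the two methods on constructed packet records: a signature table for misuse detection and a learned hourly traffic profile for anomaly detection, with the alarm text the analysis module would hand to the alarm module. The signatures, record layout, thresholds (k, floor) and sample traffic are all assumptions made for the example.

```python
import re
from collections import Counter
from statistics import pstdev

# Misuse detection: known intrusion methods expressed as named patterns (constructed signatures).
SIGNATURES = {
    "sql_tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
    "directory_traversal": re.compile(r"(\.\./){2,}"),
}

def misuse_detect(records):
    """Match each record's payload against every signature; returns (index, signature) hits."""
    return [(i, name) for i, rec in enumerate(records)
            for name, pat in SIGNATURES.items() if pat.search(rec["payload"])]

def build_profile(baseline):
    """Anomaly detection, step 1: learn the normal packet count per hour of day."""
    per_hour = Counter(r["hour"] for r in baseline)
    spread = pstdev(per_hour.get(h, 0) for h in range(24))
    return {"per_hour": per_hour, "spread": spread}

def anomaly_detect(profile, observed, k=3.0, floor=5):
    """Anomaly detection, step 2: flag hours whose traffic exceeds expected + k*spread.
    The threshold never drops below `floor`, so a quiet hour does not alarm on one stray packet."""
    seen = Counter(r["hour"] for r in observed)
    flagged = []
    for hour, count in sorted(seen.items()):
        threshold = max(profile["per_hour"].get(hour, 0) + k * profile["spread"], floor)
        if count > threshold:
            flagged.append((hour, count, round(threshold, 1)))
    return flagged

def analyze(profile, records):
    """Data analysis module output for the alarm module: one alert line per finding."""
    alerts = [f"MISUSE idx={i} sig={sig}" for i, sig in misuse_detect(records)]
    alerts += [f"ANOMALY hour={h:02d} count={c} threshold={t}"
               for h, c, t in anomaly_detect(profile, records)]
    return alerts

def _http(hour, n, payload="GET /index.html HTTP/1.1"):
    return [{"hour": hour, "src": "192.0.2.10", "dport": 80, "payload": payload} for _ in range(n)]

# Constructed one-day baseline of normal office-hours web traffic.
BASELINE = _http(9, 10) + _http(10, 12) + _http(14, 8)
# Constructed observation window: normal browsing plus one signature hit, and a
# burst of 40 connections at 03:00 that the baseline never saw.
OBSERVED = (_http(10, 10) + _http(10, 1, "GET /login?user=admin' OR '1'='1 HTTP/1.1")
            + [{"hour": 3, "src": "198.51.100.7", "dport": 22, "payload": ""} for _ in range(40)])
```

Running analyze(build_profile(BASELINE), OBSERVED) yields one MISUSE alert for the matched signature and one ANOMALY alert for hour 03, while the daytime traffic stays below its learned threshold.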
II. Implementation in Linux
Based on this study of intrusion detection technology, we designed and implemented a network-based intrusion detection system on Linux.
2.1 System composition
The system structure is shown in Figure 1. The data collection module collects raw network data streams from the network; after preprocessing, the data is sent to the data analysis module, which determines whether there is any intrusion that violates the security policy. The analysis results are passed promptly to the alarm module, which generates alarm information for the console. The user interacts with the console through the user interface: on the console, each module can be configured and alarm information received.