[Network security 3] Basic Intrusion Detection Technology

Source: Internet
Author: User
Tags: knowledge base

1. The inevitability of the existence and development of IDS (Intrusion Detection System)

(1) Network security is inherently complex, and passive defense methods are not powerful enough.
(2) Firewall-related: the devices at the network boundary can themselves be attacked, and some attacks are poorly defended against. Not all threats come from outside the firewall.
(3) Intrusion is easy: intrusion tutorials can be found everywhere, and all kinds of tools are at hand.

2. Intrusion Detection

● Definition: a security technology that collects information from a computer network or computer system and analyzes it, in order to detect violations of the security policy and signs of attack on the network or system.
● Origin:
(1) 1980: James P. Anderson's "Computer Security Threat Monitoring and Surveillance" first elaborated the concept of intrusion detection, proposed a classification of computer system threats, and put forward the idea of using audit trail data to monitor intrusion activity. This report is widely recognized as the starting point of intrusion detection.
(2) 1984 to 1986: Dorothy Denning of Georgia University and Peter Neumann of SRI/CSL developed a real-time intrusion detection system model, IDES (Intrusion Detection Expert System).
(3) 1990: L. T. Heberlein of the University of California, Davis, and others developed NSM (Network Security Monitor), the first system to take network traffic directly as the source of audit data and to monitor heterogeneous hosts without converting the audit data into a uniform format. This opened a new page in the history of intrusion detection systems, and the two camps were formally formed: network-based IDS and host-based IDS.
(4) After January 1, 1988: research on the Distributed Intrusion Detection System (DIDS) integrated host-based and network-based detection methods. DIDS is a milestone in the history of distributed intrusion detection systems.
(5) From the 1990s to the present, the development of intrusion detection systems has been booming, with significant progress in both the intelligent and the distributed direction.

3. Basic Structure of IDS

● Event generator: collects raw data and converts it into events, which it provides to the other parts of the system. The collected information includes system or network log files, network traffic, abnormal changes in system directories and files, and abnormal behavior during program execution. Note: intrusion detection relies heavily on the reliability and correctness of the collected information.
● Event analyzer: receives event information, analyzes it, judges whether it is intrusion behavior or an abnormal phenomenon, and finally converts the judgment into alarm information. There are three analysis methods (key points):
(1) Pattern matching: the collected information is matched against a database of known network intrusions and system misuse to find behavior that violates the security policy.
(2) Statistical analysis: first a statistical description is created for system objects (such as users, files, directories, and devices), measuring the attributes of normal use (such as the number of accesses, the number of failed operations, and delays); the average value and deviation of each measured attribute are then compared with observed network and system behavior, and whenever an observed value falls outside the normal range, an intrusion is deemed to have occurred.
(3) Integrity analysis (often used for post-event analysis): mainly checks whether a file or object has been changed.
● Event database: stores all kinds of intermediate and final data.
● Response unit: responds to alarms (strong response: disconnecting the connection, changing file attributes, etc.; or a simple alarm).

4. Key parameters of intrusion detection performance

(1) False positive: an actually harmless event is detected by the IDS as an attack event.
(2) False negative: an attack event is not detected by the IDS, or is regarded as harmless by the analyst.

5. Classification of intrusion detection

(1) By analysis method / detection principle
● Anomaly detection: based on the principle of statistical analysis. First summarize the features that normal operation should have (the user profile) and try to describe them quantitatively; user activity is regarded as an intrusion when it deviates significantly from normal behavior. Premise: intrusion is a subset of abnormal activity. Indicator: low false negative rate, high false positive rate. Profile: a collection of behavior parameters and their thresholds, used to describe the range of normal behavior. Features: the efficiency of an anomaly detection system depends on the completeness of the user profile and the frequency of monitoring. No definition is needed for each type of intrusion behavior, so unknown intrusions can be detected effectively, and the system can adapt to and optimize for changes in user behavior. However, as the accuracy of the detection model rises, anomaly detection consumes more system resources.
● Misuse detection: based on the principle of pattern matching. The behavior characteristics of abnormal operations are collected and a feature library is established; when the monitored user or system behavior matches a record in the library, the system regards the behavior as an intrusion. Premise: all intrusion behavior has characteristics that can be detected. Indicator: low false positive rate, high false negative rate. Attack feature database: when the monitored user or system behavior matches a record in the database, the system regards the behavior as an intrusion. Features: pattern matching is used; misuse detection can significantly reduce the false positive rate, but the false negative rate increases.
Minor changes in attack features make misuse detection powerless.
(2) By data source
● Host-based (HIDS): the system runs on a host, and the protected target is also the host it runs on. Centralized view; easy to customize; better protected; not sensitive to network traffic.
● Network-based (NIDS): the data obtained by the system are the packets transmitted over the network, and what it protects is normal network operation. Fast detection; good concealment; wider field of view; fewer monitors; fewer resources.
● Hybrid
(3) By architecture: centralized; distributed.
(4) By working method: offline detection; online detection.

6. Basic terms

● Alert: when an intrusion is occurring or being attempted, the IDS sends an alert message to the system administrator.
● Signatures (features): attack features are the core of an IDS; the IDS is triggered when an event matches one. If the feature information is too short, the IDS is triggered too often, leading to false positives; if it is too long, the operating speed of the IDS is affected.
● Promiscuous: if the network interface is in promiscuous mode, it can "see" all network traffic on the network segment regardless of its source or destination. This is necessary for a network IDS.

Intrusion detection technologies: anomaly detection technology; misuse detection technology; intrusion deception technology; intrusion response technology.

7. Anomaly detection technology

● Probability-statistics anomaly detection. Principle: each profile stores a record of the subject's current behavior; periodically the current profile is merged with the historical profile to form the (updated) statistical profile, and the current profile is compared with the statistical profile to determine abnormal behavior. Advantage: mature probability and statistics theory can be applied.
Disadvantages: ① Because of the complexity of user behavior, it is very difficult to match a user's historical behavior accurately, which may cause false positives and false negatives in the system. ② It is difficult to define the intrusion threshold: if the threshold is high, the false positive rate increases; if the threshold is low, the false negative rate increases.
● Neural network anomaly detection. Principle: the error rate in predicting the next event reflects, to some extent, the degree of abnormality of the user's behavior. Advantages: ① It expresses the nonlinear relationships between variables better and handles the random features of the raw data better, that is, no statistical assumptions need to be made about the data, and it can learn and update automatically. ② Good anti-interference ability. Disadvantages: it is difficult to determine the network topology and the weight of each element.

8. Misuse detection technology (principles, advantages and disadvantages of misuse detection in expert systems and of state transition analysis)

● Misuse detection in expert systems. Principle: the knowledge of security experts is expressed as rules with an if-then structure (if part: the conditions required for the intrusion; then part: the measures to take once the intrusion is discovered), forming an expert knowledge base; an inference algorithm is then used to detect intrusions. Note: the main problems to be solved are the processing of sequential data and the maintenance of the knowledge base (only known vulnerabilities can be detected).
● State transition analysis. Principle: the intrusion process is regarded as a behavior sequence that transfers the system from an initial state into an intrusion state. During analysis, the initial and intruded states of the system must be determined for each intrusion method, together with the transition conditions that cause the state change (the operations or feature events that must occur for the system to enter the intrusion state).
A state transition chart is then used to represent each state and feature event. Disadvantages: not good at analyzing overly complex events, nor at detecting intrusions that are independent of system state.

9. Intrusion deception technology: definition, characteristics, and design objectives; honeypot technology

● Definition: use unique features to attract attackers, and at the same time analyze their various attack behaviors to find effective countermeasures.
● Characteristics: lures attackers who attempt to attack key systems. It is an active defense technology.
● Design objectives: to discover various threats, find new attack tools, determine attack modes, and study attackers' motives.
● Honeypot technology: a system that is monitored (listened to), attacked, or already intruded. Note: a honeypot is not a security solution; it is only a tool, and it plays its role only when it is under attack.

10. Intrusion response technology (forms and means of active response and passive response)

● Active response: after detecting an intrusion, the intrusion detection system can block the attack, affecting and changing the course of the attack. Forms: user-driven; automatic execution by the system itself. Basic means: ① counterattack against the intruder (harsh mode; mild mode; between severe and moderate); ② correct the system environment; ③ collect additional information.
● Passive response: the intrusion detection system simply reports and records the problems detected. Form: only provides information to the user and relies on the user to decide the next action. Basic means: ① alarm and notification; ② SNMP (Simple Network Management Protocol), used in combination with network management tools.

11. Intrusion detection system structure (features, advantages and disadvantages of host, network, and distributed intrusion detection)

● Host intrusion detection (HIDS). Features: detects and responds to intrusions on the host or server system.
Main advantages: high cost-effectiveness; finer-grained; low false positive rate; suitable for encrypted and switched environments; not sensitive to network traffic; can determine whether an attack succeeded. Limitations: ① It depends on the host's inherent logging and monitoring capabilities, and the host audit information has weaknesses: it is vulnerable to attack, and an intruder can try to evade the audit; ② running the IDS affects host performance to some degree; ③ HIDS can only detect the actions and logs of specific users and applications on the host, so the types of attack it can detect are restricted; ④ fully deploying HIDS is costly.
● Network intrusion detection (NIDS).

Comparison of HIDS and NIDS:

Item                               | HIDS                                   | NIDS
False positives                    | fewer                                  | more
False negatives                    | related to technical level             | related to data processing capability (inevitable)
System deployment and maintenance  | independent of network topology        | related to network topology
Detection rules                    | few                                    | many
Detection features                 | event and signal analysis              | feature code (signature) analysis
Security policy                    | basic security policy (point policy)   | operational security policy (line policy)
Security restrictions              | all events that arrive at the host     | non-encrypted, non-confidential information in transit
Security risks                     | violations                             | attack methods or techniques

Features: uses a NIC working in promiscuous mode to monitor in real time the communication on the entire network segment. Main advantages: good concealment; real-time detection and response; difficult for an attacker to tamper with the evidence; no impact on the business system; can detect unsuccessful attack attempts. Limitations: ① only detects communication on the directly connected network segment and cannot detect packets on other network segments; ② the detection range is limited in a switched Ethernet environment; ③ complex attack detection that needs a large amount of computation and analysis time is hard to implement; ④ encrypted sessions are hard to process.
● Distributed intrusion detection (DIDS). Generally composed of multiple components that work collaboratively, distributed across various parts of the network to carry out their respective functions: data collection and data analysis are performed separately, and a central control component aggregates the results, analyzes them, and responds to intrusions.

-- This document is summarized by heki.
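As an added example (not code from the original notes), the statistical analysis method of sections 3 and 7 applied to one constructed attribute, failed logins per hour for a single user: the profile is the average value and deviation of the history, an observation is abnormal when it leaves the band mean ± k·deviation, and the false positive and false negative counts of section 4 are tallied for several band widths k. All values are made up for the illustration.

```python
import statistics

# Constructed history for one subject (failed logins per hour during normal use);
# the values are made up for this example and are not from the original notes.
HISTORY = [3, 2, 4, 3, 3, 1, 5, 3, 3, 2, 4, 3]

# Constructed new observations, each labelled with whether it really was an intrusion.
OBSERVED = [(3, False), (4, False), (6, False), (5, True), (8, True), (30, True)]


def build_profile(history):
    """Statistical profile of the measured attribute: (average value, deviation)."""
    return statistics.mean(history), statistics.pstdev(history)


def is_anomalous(profile, value, k):
    """Anomaly detection: the observed value lies outside mean +/- k * deviation."""
    mean, dev = profile
    return abs(value - mean) > k * dev


def evaluate(profile, observed, k):
    """Count false positives (harmless but flagged) and false negatives (attack but not flagged)."""
    false_pos = false_neg = 0
    for value, is_intrusion in observed:
        flagged = is_anomalous(profile, value, k)
        if flagged and not is_intrusion:
            false_pos += 1
        elif is_intrusion and not flagged:
            false_neg += 1
    return false_pos, false_neg


def sweep(history=HISTORY, observed=OBSERVED, widths=(1, 2, 3, 5)):
    """Tally (k, false positives, false negatives) for several band widths."""
    profile = build_profile(history)
    return [(k, *evaluate(profile, observed, k)) for k in widths]


if __name__ == "__main__":
    print("profile (mean, deviation):", build_profile(HISTORY))
    for k, fp, fn in sweep():
        print(f"k={k}: false positives={fp}, false negatives={fn}")
```

A narrow band flags the legitimate user's bad day (a false positive); a wide band lets the slow guessing attempts through (false negatives), which is the trade-off the notes describe for anomaly detection.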
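An added example (not code from the original notes) of the state transition analysis of section 8: one intrusion method is written as a chart of states joined by feature events, from an initial state to an intrusion state, and a constructed event stream is walked through it per source. The event names, state names and the 10.0.0.x addresses are all made up for the illustration; the run without the first feature event shows the weakness the notes mention, since a sequence that omits or reorders a feature event never reaches the intrusion state.

```python
# Constructed event stream (source, event type, detail); every value is made up
# for this example and is not from the original notes.
EVENTS = [
    ("10.0.0.5", "port_scan", ""),
    ("10.0.0.5", "auth_fail", "alice"),
    ("10.0.0.5", "auth_fail", "alice"),
    ("10.0.0.5", "auth_fail", "alice"),
    ("10.0.0.5", "auth_ok", "alice"),
    ("10.0.0.5", "priv_change", "alice->root"),
    ("10.0.0.9", "auth_fail", "bob"),
    ("10.0.0.9", "auth_ok", "bob"),
]

# State transition chart for one intrusion method: (from state, condition, to state).
# Each condition is the feature event that must occur for the transition; the chart's
# last state is the intrusion state.
TRANSITIONS = [
    ("initial",  lambda kind, ctx: kind == "port_scan",                        "scanned"),
    ("scanned",  lambda kind, ctx: kind == "auth_fail" and ctx["fails"] >= 3,  "guessing"),
    ("guessing", lambda kind, ctx: kind == "auth_ok",                          "entered"),
    ("entered",  lambda kind, ctx: kind == "priv_change",                      "intrusion"),
]


def analyze(events, transitions=TRANSITIONS):
    """Walk each source through the chart; return the sources that reach the intrusion state."""
    state = {}      # source -> current state in the chart
    ctx = {}        # source -> counters of feature events seen so far
    alerts = []
    for src, kind, _detail in events:
        current = state.setdefault(src, "initial")
        counters = ctx.setdefault(src, {"fails": 0})
        if kind == "auth_fail":
            counters["fails"] += 1
        for frm, condition, to in transitions:
            if current == frm and condition(kind, counters):
                state[src] = to
                break
        if state[src] == "intrusion":
            alerts.append(src)
            state[src] = "initial"      # reset so a repeat would be reported again
            counters["fails"] = 0
    return alerts


if __name__ == "__main__":
    print("sources reaching the intrusion state:", analyze(EVENTS))
    # Same events without the scan: the chart never reaches the intrusion state.
    print("without the scan:", analyze([e for e in EVENTS if e[1] != "port_scan"]))
```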
