How IDS products will evolve

Source: Internet
Author: User

Questions raised:

An intrusion detection system (IDS) is a special security device used to discover hacker intrusions. Early on it was very simple: a log analyzer that picked the hacker's access records out of the logs like a needle out of a haystack. Later, hackers learned to erase the "stains" they left in the records before leaving; once the records are gone, log analysis can hardly find the hacker (of course, some novice hackers lack this awareness and ability). Today log analysis has become an audit tool for insiders' irregularities, and you can imagine how hard it is for an auditor to find a "bad guy" in a mountain of log information, like finding a needle in a haystack.

To find hackers, IDS began to collect "raw" network traffic and analyze it themselves (traffic is real time, and hackers have no way to avoid generating it). From then on, IDS products "split": a system that collects and analyzes the traffic on a computer's own network card is called a host IDS, while one that "copies" traffic from a network switch, or directly from the physical link, is called a network IDS. The analysis technique is to reconstruct the user's access process from the raw data and judge whether the visitor's behavior is abnormal, looking for the fingerprints and characteristics of hacker tools; technically this is known as application protocol parsing (standard protocols such as HTTP, FTP, SMTP and Telnet, and newly popular application protocols such as peer-to-peer and MSN).

The key to the contest between detection and evasion is the IDS's recognition capability. IDS vendors collect hackers' "fingerprint features" and "behavior patterns", put them in an attack database and upgrade it constantly; anything that looks suspicious raises an alarm, on the principle "better a false alarm than a miss". Over nearly ten years of this tug of war between attack and defense, the attack database has grown ever larger, but hackers change their disguises even faster: they now use programs to generate countless new "features" automatically, with hundreds of thousands appearing every day, which not only confuses the detector but leaves the defender no time to upgrade before the upgrade is already outdated ...

As recognition became harder and harder, some security vendors launched so-called active defense: while identifying attackers, they first filter by their own applications. One's own "house" is very easy to clean up: anything not on my records is not allowed here, so it must be foreign and suspicious, and is isolated first. In the face of the endless new ideas on the Internet, however, active defense, protecting its own old network, also proves somewhat "powerless".

Intrusion detection products have hit a "bottleneck" in their core technology and a "massive event crisis" in usability. How should the product evolve next: natural elimination, or rebirth after "mutation"?

The way we deal with hackers:


Strategically, there are two ways to deal with hackers. The first is to install an "anti-theft door" and keep "rookie"-level attacks outside it; the familiar FW, IPS and UTM take this approach. It obviously does not work against senior hackers: a "master" who could not even get through the door would hardly be a master. The second is to deploy "cameras" that monitor "everyone's" behavior, raise an alert when someone approaches the "vault", and "catch up" with anyone matching the "wanted" characteristics. This is what we call IDS.

There is also a technical difference between the two approaches. The anti-theft door has to sit in the network path, so-called inline deployment: when an attacker is found it is blocked immediately and prevented from entering. But the performance demands on inline equipment are very high, with network traffic growing exponentially year by year, and the gate is in no position to keep observing a visitor afterwards. The camera is bypass monitoring with parallel processing: it can track and analyze a connection for a long time without affecting the business itself, and raises an alarm as soon as a problem is found. Although both measures detect the characteristics of hackers, the latter is obviously better suited to long-term tracking and correlation analysis and to monitoring behavior, and so can be used against advanced hackers; of course, that also depends on the product users' own ability.
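As an added example that is not from the original article, the following Python sketch runs the three approaches described above (the fingerprint "attack database", the active-defense whitelist, and the long-term behavior tracking that a bypass IDS can afford) over constructed request records, to show why a fixed signature misses auto-generated variants while the other two still react. All host addresses, signatures and paths are made up.

```python
"""Signature vs. whitelist vs. behavior detection over constructed requests."""
import re
from collections import defaultdict

# "Attack database": fingerprints of known hacker tools (constructed sample).
SIGNATURES = {
    "scanner-v1": re.compile(r"User-Agent: EvilScan/1\.0$"),
    "cmd-inject": re.compile(r"\bcat /etc/passwd\b"),
}

# "Active defense": sources that belong to our own "house" (constructed).
KNOWN_HOSTS = {"10.0.0.5", "10.0.0.6"}

# Constructed request records: (source address, path, request payload).
REQUESTS = [
    ("10.0.0.5", "/index.html", "User-Agent: Mozilla/5.0"),
    ("203.0.113.9", "/admin", "User-Agent: EvilScan/1.0"),
    ("203.0.113.9", "/admin", "User-Agent: EvilScan/1.0.7"),    # mutated variant
    ("203.0.113.9", "/cgi-bin/x", "cmd=c%61t%20/etc/passwd"),  # encoded variant
    *[("198.51.100.4", f"/backup{i}.zip", "User-Agent: curl") for i in range(25)],
]

def signature_hits(req):
    """Signature matching: only fingerprints already in the database fire."""
    _, _, payload = req
    return [name for name, rx in SIGNATURES.items() if rx.search(payload)]

def whitelist_alert(req):
    """Active defense: anything not on our own records is foreign and suspect."""
    return req[0] not in KNOWN_HOSTS

def behaviour_alerts(requests, threshold=20):
    """Bypass-style tracking over many requests: count, per source, how often
    it approaches the 'vault' (admin, cgi or backup paths) and flag heavy probers."""
    probes = defaultdict(int)
    for src, path, _ in requests:
        if path.startswith(("/admin", "/cgi-bin")) or "backup" in path:
            probes[src] += 1
    return {src: n for src, n in probes.items() if n >= threshold}

def detect_all(requests, threshold=20):
    """Run all three checks; return how many requests each flagged and which
    sources the behavior check singled out."""
    sig = sum(1 for r in requests if signature_hits(r))
    wl = sum(1 for r in requests if whitelist_alert(r))
    return {"signature": sig, "whitelist": wl,
            "behaviour": behaviour_alerts(requests, threshold)}

if __name__ == "__main__":
    # The exact signature fires once; both variants slip past it, while the
    # whitelist flags every foreign request and tracking flags the mass prober.
    print(detect_all(REQUESTS))
```

Note that the low-volume attacker (203.0.113.9) is caught only by the whitelist, not by the count-based behavior rule: which check catches whom depends on what each one is allowed to see over time.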

However, in recent years, as hacker attack techniques have advanced, the information that needs to be analyzed on the network has gradually changed, mainly for the following reasons:

Hackers use special information channels (unknown protocols) to direct their "zombie networks", or choose multi-stage springboards and then probe and invade under someone else's identity; standard protocol parsing is obviously not enough to detect this method;

Peer-to-peer technology is popular, and using standard protocols to carry private, semi-encrypted protocol connections is very common, so the "anti-theft door" plays a smaller and smaller role and security depends more and more on camera monitoring;

Hackers conceal their true purpose by "manufacturing" false traffic of the same kind. For example, if everyone on the street suddenly wears the same clothing, or does the same thing, even an illegal one, it is hard to notice who the real hacker is in such an environment.

With the appearance of this kind of environment, more and more kinds of detection equipment appear on the network and on the market, such as abnormal-traffic monitoring, worm and Trojan monitoring, DDoS attack monitoring and so on. Worm monitoring is of great concern to Internet operators: as network carriers they cannot directly block users' data, but dynamic monitoring of network Trojans, worms and viruses provides a security basis for high-end users.

What these new changes have in common is that most of the monitoring uses bypass-replicated traffic with data analysis in the background.
