IDS intrusion signature library creation: worked example (2)

Source: Internet
Author: User

5. Select the best signature candidate


From the four candidate items above, we can select one of them as the header-based signature data, or combine several of them into one signature.

Using a single data item as the signature has significant limitations. For example, a simple signature could be "a packet with only the SYN and FIN flags set". That is a good hint that something suspicious is going on, but it tells us nothing about the cause. SYN and FIN set together is a classic way of slipping past firewalls and similar devices; whenever it appears, it indicates that scanning is under way, information is being gathered and an attack is about to begin. But we still need more detail than that.

Using all four data items as the signature is not practical either, because it is too specific. It can pinpoint the behaviour precisely, but it is far less efficient than using a single item. In fact, signature definition is always a compromise between efficiency and accuracy. In most cases simple signatures produce more false positives than complex ones, because what they match is common, while complex signatures produce more false negatives than simple ones, because they are too narrowly tailored and the characteristics of an attack tool change over time.

Neither too many items nor too few: the choice should follow the actual situation. For example, if we want to determine which tool the attacker is probably using, which attributes do we need besides the SYN and FIN flags? The port is somewhat suspicious, but many tools use it and some legitimate traffic shows the same thing, so it is not a good signature item. A TCP window size of 1028 is a little suspicious, but it also occurs naturally. The same is true of the IP identification number 39426. A non-zero acknowledgement number with the ACK flag clear is plainly illegal, so it is very well suited as signature data. Naturally, the best results come from adjusting or combining the signature items in good time for each environment.

Next, we create a signature that looks for the following attributes in every TCP packet sent by synscan:


Only the SYN and FIN flags are set.
The IP identification number is 39426.
The TCP window size is 1028.


The first item is too common on its own, and the second and third rarely occur together in the same packet, so combining the three items defines a precise signature. Adding other synscan attributes would not noticeably improve accuracy and would only cost resources. With that, the signature for the synscan tool is complete.

6. Broaden the signature's "social circle": create signatures that identify more abnormal traffic

The signature created above detects the standard synscan tool. But synscan may have several "disguises", and other tools may be just as changeable, so the signature above cannot identify them one by one. Here we need to combine specific signatures with general ones to build a better and more complete solution. An intrusion detection signature that can both expose known "bad guys" and anticipate "potential offenders" is far more valuable.

First, let's look at the characteristics of the packets sent by a disguised synscan:


Only the SYN flag is set, which is the "appearance" of a normal TCP packet.
The TCP window size is always 40 instead of 1028. 40 is an unusually small window size for an initial SYN packet, far less common than the value 1028.
Port 53 instead of 21. Older versions of BIND used this port for their own outbound queries, but newer versions no longer do, so seeing it here makes us quite suspicious.


These three items resemble the data produced by standard synscan, so we can tentatively infer that the generating tool is either a different version of synscan or another tool based on the synscan code. Clearly the signature defined earlier cannot recognise this "disguise", because all three sub-items differ. Here we have three options:


Create a specific signature that matches this content separately.
Shift our detection target to the common abnormal behaviour rather than the specific abnormal behaviour, and create general signatures that identify it.
Do both of the above: cast a wide net and also spear particular fish, so that known offenders are caught and suspicious elements cannot slip away.


General signatures can be created as follows:


TCP packets with no ACK flag set but a non-zero acknowledgement number.
TCP packets with only the SYN and FIN flags set.
TCP packets whose initial window size is below a chosen threshold.


With these general signatures, both abnormal packets described above are identified effectively. The net catches the fish.
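As an added worked example (not code from the original article), the specific signature from section 5 and the three general signatures just listed are expressed below as checks over parsed IPv4/TCP headers and run against constructed packets: a standard synscan packet carrying the header values given in the text, the disguised variant, and two ordinary packets. The addresses, the synscan acknowledgement number, the variant's IP ID and the window threshold of 64 are placeholders chosen for the example, not values from the page.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# TCP flag bits (low byte of the TCP "data offset / flags" field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Threshold for the "initial window too small" general signature.
# Assumption of this example: the text only says "below a chosen threshold";
# 64 lets the variant's window of 40 trip it while common stacks do not.
SMALL_INITIAL_WINDOW = 64


@dataclass
class TcpPacket:
    src_ip: str
    dst_ip: str
    ip_id: int
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    window: int


def parse_ipv4_tcp(raw: bytes) -> Optional[TcpPacket]:
    """Parse the IPv4 header first, then the TCP header it carries.

    Returns None for anything that is not a well-formed IPv4+TCP packet,
    so a signature never runs against the wrong header layout.
    """
    if len(raw) < 20:
        return None
    ver_ihl, _tos, _tlen, ip_id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 6 or len(raw) < ihl + 20:
        return None
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    # keep only URG/ACK/PSH/RST/SYN/FIN so ECN bits cannot spoil an exact match
    return TcpPacket(socket.inet_ntoa(src), socket.inet_ntoa(dst), ip_id,
                     sport, dport, seq, ack, off_flags & 0x3F, window)


# Specific signature (section 5): all three synscan items must hold at once.
def synscan_standard(p: TcpPacket) -> bool:
    return p.flags == SYN | FIN and p.ip_id == 39426 and p.window == 1028


# General signatures (section 6).
def ack_value_without_ack_flag(p: TcpPacket) -> bool:
    return not (p.flags & ACK) and p.ack != 0


def syn_fin_only(p: TcpPacket) -> bool:
    return p.flags == SYN | FIN


def small_initial_window(p: TcpPacket) -> bool:
    # "initial" means the first packet of the handshake: SYN alone
    return p.flags == SYN and p.window < SMALL_INITIAL_WINDOW


SIGNATURES: Dict[str, Callable[[TcpPacket], bool]] = {
    "synscan-standard": synscan_standard,
    "ack-value-without-ack-flag": ack_value_without_ack_flag,
    "syn-fin-only": syn_fin_only,
    "small-initial-window": small_initial_window,
}


def match(raw: bytes) -> List[str]:
    """Names of every signature the packet triggers (empty list if none)."""
    p = parse_ipv4_tcp(raw)
    if p is None:
        return []
    return [name for name, check in SIGNATURES.items() if check(p)]


def build_ipv4_tcp(src: str, dst: str, ip_id: int, sport: int, dport: int,
                   seq: int, ack: int, flags: int, window: int) -> bytes:
    """Build a minimal IPv4+TCP packet for testing (checksums left zero)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


# Constructed sample packets, not real captures. The synscan ACK number 0x1234
# and the variant's IP ID 4711 are placeholders; ports follow the text.
SAMPLES = {
    "synscan-standard": build_ipv4_tcp("10.0.0.5", "10.0.0.9", 39426, 21, 21, 1, 0x1234, SYN | FIN, 1028),
    "synscan-variant": build_ipv4_tcp("10.0.0.5", "10.0.0.9", 4711, 53, 53, 1, 0, SYN, 40),
    "normal-syn": build_ipv4_tcp("10.0.0.7", "10.0.0.9", 31337, 49152, 80, 1000, 0, SYN, 65535),
    "normal-data": build_ipv4_tcp("10.0.0.7", "10.0.0.9", 31338, 49152, 80, 1001, 2000, ACK | PSH, 65535),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:18s} -> {match(raw) or ['no match']}")
```

The standard packet trips the specific signature and two of the general ones; the disguised variant escapes the specific signature entirely and is caught only by the small-window check, which is exactly the "wide net" the section argues for. The two ordinary packets trip nothing.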

Of course, if more detailed detection is needed, a specific signature can be derived from these general ones by adding particular values. In that sense, which signatures to create, and how specific to make them, depends on actual needs: practice is the only criterion for deciding which signatures to create!
VII. Summary of key header values and analysis of packet types

From the examples above we have seen several header values that can be used to build IDS signatures. In general, the following elements are the most likely sources of header-based signatures:


IP addresses, especially reserved, non-routable and broadcast addresses.
Port numbers that should not be in use, especially well-known protocol ports and Trojan ports.
Abnormal packet fragmentation.
Unusual TCP flag combinations.
ICMP types or codes that should not appear frequently.


Knowing how to use header-based signature data, the next question is which packets to inspect. The criterion again follows actual need. ICMP and UDP are stateless, so in most cases every one of their packets has to be checked. TCP is connection-oriented, so sometimes only the first packet of a connection needs checking. For example, items such as IP addresses and ports stay the same across every packet of a connection, so they need to be checked only once. Other items, such as the TCP flags, differ from packet to packet during the conversation, so finding a particular flag combination means checking every packet. The more you check, the more resources and time you consume.

We should also be aware that it is easier to work with TCP, UDP or ICMP header information than with DNS header information. TCP, UDP and ICMP all sit directly on top of IP, so their headers and payloads are located in the payload portion of the IP packet: to obtain a TCP header value, first parse the IP header, which tells us that the "parent" of the payload is TCP. A protocol such as DNS, by contrast, is carried inside the payload of UDP or TCP, so to obtain DNS information you must parse one layer deeper still. Decoding such protocols also needs more complex code than TCP does. In fact this decoding step is exactly what distinguishes one protocol from another, and one measure of an IDS is how many protocols it can decode well.
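To make the extra depth concrete, the following added example (not from the original article) decodes a constructed DNS query the way an IDS would have to: IPv4 header first, then the UDP header it points to, then the fixed DNS header and the variable-length question name that UDP carries. Treating port 53 as the only DNS port, the sample addresses and the transaction ID are assumptions of the example.

```python
import socket
import struct
from typing import Optional, Tuple

IPPROTO_UDP = 17
DNS_PORT = 53  # assumption: only traffic on port 53 is treated as DNS here


def read_qname(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a DNS name: length-prefixed labels terminated by a zero byte.

    Names are variable-length, which is why DNS needs real parsing code
    rather than a fixed-offset struct.unpack like TCP or UDP.
    """
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if off + n > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n


def decode_dns_over_udp(raw: bytes) -> Optional[dict]:
    """IPv4 -> UDP -> DNS. Returns None unless every lower layer checks out."""
    if len(raw) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # Layer 1: the IP header says what the payload is; stop unless it is UDP.
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != IPPROTO_UDP or len(raw) < ihl + 8:
        return None
    sport, dport, _ulen, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    # Layer 2: the UDP ports say whether the payload is (probably) DNS.
    if DNS_PORT not in (sport, dport):
        return None
    dns = raw[ihl + 8:]
    if len(dns) < 12:
        return None
    # Layer 3: the fixed DNS header, then the variable-length question.
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", dns[:12])
    info = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "txid": txid,
        "qr": flags >> 15, "opcode": (flags >> 11) & 0xF, "qdcount": qdcount,
        "qname": None, "qtype": None,
    }
    if qdcount:
        try:
            name, off = read_qname(dns, 12)
            qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
        except (ValueError, struct.error):
            return info  # header decoded, question malformed: keep what we have
        info["qname"], info["qtype"] = name, qtype
    return info


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard recursive A query, checksums left zero."""
    q = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, DNS_PORT, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton("10.0.0.7"), socket.inet_aton("10.0.0.53"))
    return ip + udp


if __name__ == "__main__":
    print(decode_dns_over_udp(build_dns_query("example.com")))
```

Compare this with the TCP case: the IP and UDP headers are fixed-size and fall out of two unpack calls, but the DNS question has to be walked label by label, with bounds checks at every step, before a single DNS field can be used in a signature.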

VIII. Conclusion

This article has given a detailed introduction to customising the signature database, the key component of an IDS, and I trust you now understand it better. Intruders are always cunning and changeable. We cannot let the blade in our hands go dull; it must be sharpened and reshaped often. Only then will intruders have reason to fear!
 


 
