The main target of hacker attacks is the user terminal. If the intrusion detection system cannot cooperate closely with the operating system kernel, then no matter how many and how good the products are, they only treat the symptoms rather than provide a fundamental cure.
Three mainstream intrusion detection methods
Intrusion detection systems are generally divided into three types by working principle: network-based, host-based, and distributed. The first two are the most widely used, and most domestic products are built on one of these two principles. A network-based intrusion detection system detects attacks from the data packets on the network and is independent of the hosts in the protected segment; it is widely applicable and generally affects neither network traffic nor the performance of the protected hosts. A host-based intrusion detection system draws its data from system logs and audit records and is tied to the operating system of the protected host, so it is generally suited only to protecting specific computers.
The distributed intrusion detection system works in a newer way; this technology has been applied in products such as ISS RealSecure. Its data also comes from packets on the network, but the difference is that it uses distributed detection with centralized management. A "black box" is installed in each network segment. The black box is equivalent to a network-based intrusion detection system without a user interface: it monitors the data streams in its segment, analyzes and detects network data according to the security policies and response rules set by the centralized security management center, and sends security event information back to that center. The centralized security management center is the user-facing interface of the whole distributed intrusion detection system. The advantage of this design is that it protects a wide range of data; the drawback is that it has some impact on network traffic.
Domestic products need to improve their false negative rate
Currently the best-known intrusion detection systems in the world include ISS RealSecure and Enterasys Dragon. They integrate host-based and network-based detection to broaden the sources of detection data, reduce the false negative rate, and better detect attacks against hosts. Implementing this approach is extremely difficult, however: because the operating systems of the computers on the network differ, their data formats must be converted into a unified format. These products offer relatively stable system performance and fast feature knowledge base updates.
Many intrusion detection systems are also produced by Chinese companies, such as the Guanghua S-Audit Network Intrusion Detection and Security Audit System V3.0 of Shanghai Fudan Guanghua Information Co., Ltd.; the Hacker Star of Changzhou Far East Technology Co., Ltd.; the Tianyi Falcon Intrusion Detection System (V1.0) of the Information Industry Company of Changsha Tianyi Galaxy Co., Ltd.; the EagleEye Network Security Monitor of Shanghai Sanzhi Guardian Information Security Co., Ltd.; and KIDS Ver3.0 of Shanghai Jinnuo Network Security. Their architectures are similar and their performance does not differ much. They can detect attack events such as most scans, sniffing, backdoors, viruses, denial of service, distributed denial of service, unauthorized access, and spoofing. Most of them rely on misuse detection, so some have a relatively high false negative rate, and their feature knowledge bases are updated relatively slowly.
Intrusion detection should be bound to the operating system
The inherent defect of current intrusion detection products is that they are not tightly integrated with the operating system. This makes new and hidden attack methods and technologies hard to detect; even a known attack method is hard to recognize once its variation becomes complex enough. These products cannot determine how far an attack on the system has progressed: whether the current attack actually threatens the system, whether the hacker has gained system privileges, or whether the hacker already controls the system. In general, an intrusion detection system raises an alarm whenever it sees an attack. Hackers can exploit this by continuously sending packets that carry attack characteristics but pose no danger to the target, drowning the intrusion detection system in alarms and rendering it ineffective. In addition, these products inspect packet contents, so this part of their functionality fails for encrypted packets.
Because computer networks were originally designed to facilitate communication and make full use of resources, security was not considered at the start of their development. When network security incidents occurred, remedial measures were taken, and these remedies were add-ons, such as the popular firewalls and intrusion detection systems, which rarely involved modifying the communication protocols. Security was also rarely considered when operating systems first appeared. The core of an operating system is memory management, process management, and file management; it considered only how to manage resources effectively, not how to cope with hacker attacks. This has left many security risks in both the transmission and the terminal parts. Because the systems are huge, a large number of vulnerabilities is inevitable. Since the main target of hacker attacks is the terminal part, it is best to combine the intrusion detection system with the operating system kernel. LIDS has carried out in-depth research in this direction; otherwise, no matter how well an intrusion detection system is built, it only treats the symptoms rather than providing a fundamental cure.
Two common data analysis methods
Intrusion detection systems commonly use two methods of data analysis: misuse detection and anomaly detection (also translated as exception detection). Misuse detection compares the collected data against the attack patterns in a predetermined feature knowledge base; if an attack feature matches, an attack is reported. The feature knowledge base is built by extracting the features of known attack methods and technologies.
Anomaly detection performs statistical analysis on the collected data. It starts from the assumption that all attack behavior differs from normal behavior, so any deviation from normal behavior is judged to be an attack. This requires a standard of normal behavior to be established; for example, a login session with only a small number of failures is considered normal.
By comparison, misuse detection is simple and easy to configure, and its feature knowledge base is easy to extend, but it has a fatal weakness: it can detect only known attack methods and technologies. Anomaly detection can detect both known and unknown attack methods and technologies. Its problem is that the standard of normal behavior can only be generated by artificial intelligence and machine learning algorithms, which require large amounts of data and time, while these algorithms are still at the research stage. Therefore, most intrusion detection systems use misuse detection.
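As an added illustration (not code from the original article or from any product named on it), the following Python sketches both analysis methods over constructed log lines: misuse detection matches each line against a tiny hypothetical feature knowledge base, while anomaly detection derives a standard of normal behaviour for failed logins from constructed baseline counts and flags hosts that exceed it.

```python
import re
import statistics
from collections import Counter

# Feature knowledge base: known attack features expressed as regexes.
# Both entries are hypothetical examples, not a real product's signatures.
FEATURE_KB = {
    "path-traversal": re.compile(r"\.\./\.\./"),
    "failed-login": re.compile(r"Failed password for (\S+) from (\S+)"),
}

# Constructed sample log lines standing in for host audit records.
LOG_LINES = [
    "sshd: Failed password for root from 10.0.0.5",
    "sshd: Failed password for admin from 10.0.0.5",
    "sshd: Failed password for guest from 10.0.0.5",
    "sshd: Failed password for root from 10.0.0.5",
    "sshd: Failed password for bob from 10.0.0.7",
    "sshd: Accepted password for alice from 10.0.0.7",
    "httpd: GET /images/../../secret.txt from 10.0.0.9",
]

# Constructed failed-login counts per host per window during normal operation.
BASELINE_COUNTS = [0, 1, 2, 1, 0, 1, 2, 1]

def misuse_detect(lines, kb=FEATURE_KB):
    """Misuse detection: report every line matching a known attack feature."""
    return [(name, line) for line in lines
            for name, pattern in kb.items() if pattern.search(line)]

def failed_logins_per_host(lines):
    """Count failed logins per source host within one observation window."""
    counts = Counter()
    for line in lines:
        m = FEATURE_KB["failed-login"].search(line)
        if m:
            counts[m.group(2)] += 1
    return counts

def normal_threshold(baseline_counts, k=3.0):
    """Standard of normal behaviour: mean + k standard deviations of the baseline."""
    return statistics.mean(baseline_counts) + k * statistics.pstdev(baseline_counts)

def anomaly_detect(lines, threshold):
    """Anomaly detection: hosts whose failed-login count deviates from normal."""
    return sorted(host for host, n in failed_logins_per_host(lines).items()
                  if n > threshold)
```

With the constructed data, `misuse_detect(LOG_LINES)` returns six hits (five failed logins and one traversal attempt), while `anomaly_detect(LOG_LINES, normal_threshold(BASELINE_COUNTS))` flags only 10.0.0.5, whose four failures exceed the baseline threshold of about 3.1; the single failure from 10.0.0.7 stays within normal behaviour.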