An Intrusion Detection System (IDS) is a generation of security defense technology that has matured over the past decade. It collects and analyzes information from several key points in a computer network or host to determine whether security policy is being violated and whether there are signs of attack. It is a dynamic security technology that detects, records, alerts and responds. It detects not only external intrusions but also unauthorized activity by internal users. IDS technology faces three major challenges.
1. How to raise the detection speed of an IDS so that it keeps pace with network throughput.
The processing speed of network security equipment has always been a major bottleneck for network performance. Although an IDS is usually attached to the network out of band (on a tap or mirror port) rather than in line, if its analysis rate cannot keep up with the data rate on the link, the sensor drops packets, and every dropped packet is a potential missed detection that undermines the accuracy and effectiveness of the system. An IDS must capture every packet and then spend considerable time and system resources decoding it and matching it against the attack signature set, so most existing IDS sustain detection rates of only tens of megabits per second. With hundred-megabit and even gigabit networks now widely deployed, the development of IDS technology lags far behind the growth in network speed.
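The cost of signature matching is the dominant per-packet expense described above, and the classic remedy is to match all signatures in a single pass over the payload instead of scanning once per rule. The following is an added example, not code from the original article: a small Aho-Corasick automaton beside the naive one-pass-per-signature scan, run over a constructed HTTP request. The signature set and the payload are hypothetical illustrations, not real IDS rules.

```python
"""Single-pass multi-pattern matching for an IDS payload scanner (added example).

The naive scanner costs O(number of signatures * payload length) per packet;
the automaton walks the payload once regardless of how many signatures it holds.
Signatures and the payload below are constructed for illustration only.
"""
from collections import deque

# Constructed, hypothetical signature bytes (not real rule content).
SIGNATURES = [
    b"/bin/sh",
    b"cmd.exe",
    b"../../",
    b"\x90\x90\x90\x90",   # NOP sled fragment
]

# Constructed sample packet payload.
PAYLOAD = b"GET /../../../etc/passwd HTTP/1.0\r\nUser-Agent: cmd.exe\r\n"


class Automaton:
    """Aho-Corasick automaton: trie + failure links + output lists."""

    def __init__(self, patterns):
        self.goto = [{}]      # per state: next byte -> next state
        self.out = [[]]       # per state: patterns that end here
        self.fail = [0]       # per state: longest proper suffix that is a trie prefix
        for pat in patterns:
            self._add(pat)
        self._build_failure_links()

    def _add(self, pat):
        state = 0
        for b in pat:                       # iterating bytes yields ints
            nxt = self.goto[state].get(b)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.out.append([])
                self.fail.append(0)
                self.goto[state][b] = nxt
            state = nxt
        self.out[state].append(pat)

    def _build_failure_links(self):
        # Breadth-first so that fail[] of shallower states is final before use.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                # A pattern ending at the fail state also ends here.
                self.out[s] = self.out[s] + self.out[self.fail[s]]

    def scan(self, data):
        """Return (offset, pattern) for every occurrence, in one pass over data."""
        matches = []
        state = 0
        for i, b in enumerate(data):
            while state and b not in self.goto[state]:
                state = self.fail[state]
            state = self.goto[state].get(b, 0)
            for pat in self.out[state]:
                matches.append((i - len(pat) + 1, pat))
        return matches


def scan_naive(patterns, data):
    """Reference scanner: one full pass over the payload per signature."""
    matches = []
    for pat in patterns:
        start = 0
        while True:
            idx = data.find(pat, start)
            if idx < 0:
                break
            matches.append((idx, pat))
            start = idx + 1                 # allow overlapping occurrences
    return sorted(matches)


AUTOMATON = Automaton(SIGNATURES)


def find_signatures(data):
    """Single-pass scan, sorted by offset so results compare with scan_naive()."""
    return sorted(AUTOMATON.scan(data))


if __name__ == "__main__":
    for offset, pat in find_signatures(PAYLOAD):
        print(f"offset {offset}: {pat!r}")
```

Both scanners report the same hits, including the two overlapping `../../` occurrences, but the automaton touches each payload byte once no matter how large the rule set grows; production engines apply the same idea with further tricks such as pre-filtering on rare bytes and restricting rules to the ports and protocols they apply to.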
2. How to reduce the false positives and false negatives of an IDS to improve its security and accuracy.
A misuse-detection IDS based on pattern matching expresses every known intrusion behaviour, method and variant as a pattern or signature and checks whether the features of the collected data appear in the intrusion pattern library. With new attack methods and new vulnerabilities emerging every day, a signature library that is not updated in time is therefore a major cause of false negatives. An anomaly-detection IDS, by contrast, uses traffic statistics to build a profile of normal system behaviour and treats readings that exceed the normal threshold as a possible attack; because legitimate activity also fluctuates, this technique inherently yields a high false-positive rate. In addition, most IDS inspect each packet in isolation and perform too little protocol analysis, so they cannot recognize disguised or deformed network attacks (for example an attack string split across several packets, or encoded differently from the form the signature expects), which produces a large number of false negatives as well as false positives.
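The last point above, single-packet inspection with too little protocol analysis, is the one most easily shown in code. The following is an added example, not code from the original article: a per-packet matcher beside a matcher that first reassembles the TCP stream and percent-decodes the HTTP request target. The flows are constructed for illustration: one splits the attack string across two out-of-order segments, one percent-encodes it, and one is benign.

```python
"""Per-packet matching versus stream reassembly plus protocol normalization
(added example; all flows and the signature are constructed for illustration)."""
from urllib.parse import unquote_to_bytes

# Hypothetical signature: a request for the Unix password file.
SIGNATURE = b"/etc/passwd"

# Constructed flows: lists of (tcp_seq, payload) segments as seen on the wire.
FLOW_SPLIT = [                                    # signature split, segments out of order
    (1011, b"sswd HTTP/1.0\r\n\r\n"),
    (1000, b"GET /etc/pa"),
]
FLOW_ENCODED = [                                  # signature percent-encoded
    (2000, b"GET /%65tc/%70asswd HTTP/1.0\r\n\r\n"),
]
FLOW_BENIGN = [
    (3000, b"GET /index.html HTTP/1.0\r\n\r\n"),
]


def per_packet_match(segments, sig=SIGNATURE):
    """Naive IDS: look for the raw signature inside each packet in isolation."""
    return any(sig in payload for _, payload in segments)


def reassemble(segments):
    """Order segments by sequence number and trim overlapping retransmissions.

    A gap (missing segment) raises; a real reassembler would hold the flow
    and wait for the retransmission instead.
    """
    data = bytearray()
    expected = None
    for seq, payload in sorted(segments):
        if expected is None:
            expected = seq
        if seq < expected:                        # overlap: drop already-seen bytes
            payload = payload[expected - seq:]
            seq = expected
        elif seq > expected:
            raise ValueError("gap in stream at seq %d" % expected)
        data += payload
        expected = seq + len(payload)
    return bytes(data)


def normalize_http_target(stream):
    """Parse the request line and return the percent-decoded request target."""
    request_line = stream.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return b""
    return unquote_to_bytes(parts[1])


def stream_match(segments, sig=SIGNATURE):
    """Protocol-aware IDS: reassemble, parse HTTP, then match the decoded target."""
    return sig in normalize_http_target(reassemble(segments))


if __name__ == "__main__":
    for name, flow in (("split", FLOW_SPLIT), ("encoded", FLOW_ENCODED), ("benign", FLOW_BENIGN)):
        print(f"{name:8s} per-packet={per_packet_match(flow)!s:5s} stream={stream_match(flow)}")
```

The per-packet matcher reports nothing for either evasion, while the stream matcher flags both and still leaves the benign request alone. Each additional layer of normalization (reassembly, decoding, case folding, path canonicalization) closes an evasion but costs processing time, which is exactly the tension between this challenge and the detection-speed challenge above.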
3. How to improve the interoperability of an IDS with other security components to improve the security of the system as a whole.
In a large network, different segments may use a variety of intrusion detection systems, alongside firewalls, vulnerability scanners and other kinds of security devices. How these intrusion detection systems exchange information with each other, and how an IDS cooperates with the other security components to jointly discover, respond to and prevent attacks, is an important factor in the security of the whole system. For example, the routine probes of a vulnerability scanner should not trigger IDS alarms. Conversely, if an attacker forges the source address of an attack, an IDS that automatically instructs the firewall to block that address may cut off a legitimate host or service and cause a denial of service; this too must be taken into account when designing the interaction between components.
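Both cases in the previous paragraph come down to the policy that sits between the IDS and the firewall. The following is an added example, not code from the original article, of such a policy: alerts from authorized scanner addresses are suppressed, and an automatic block is issued only when the IDS saw a completed TCP handshake for the flow (an address that never completed a handshake may be spoofed), never for infrastructure addresses, and always with an expiry. All addresses, signature names and the alert format are hypothetical.

```python
"""IDS-to-firewall response policy (added example; addresses and alerts are constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Alert:
    src: str          # source address the IDS attributed the attack to
    dst: str
    signature: str    # hypothetical rule name
    established: bool # True only if the IDS observed a completed TCP handshake


# Constructed policy data (hypothetical addresses).
AUTHORIZED_SCANNERS = [ip_network("10.0.9.5/32")]
NEVER_BLOCK = [
    ip_network("10.0.0.0/24"),    # routers, DNS, other infrastructure
    ip_network("10.0.9.5/32"),    # the scanner itself
]
BLOCK_TTL_SECONDS = 600           # blocks expire so a mistake is self-healing


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def decide(alert, scanners=AUTHORIZED_SCANNERS, never_block=NEVER_BLOCK):
    """Return 'suppress', 'alert' or 'alert+block' for one IDS alert."""
    src = ip_address(alert.src)
    if _in_any(src, scanners):
        return "suppress"          # scheduled vulnerability scan: no alarm
    if not alert.established:
        return "alert"             # source may be forged: notify, never auto-block
    if _in_any(src, never_block):
        return "alert"             # blocking this would be a self-inflicted outage
    return "alert+block"


def process(alerts, now, ttl=BLOCK_TTL_SECONDS):
    """Apply decide() to a batch and return what each component should receive."""
    result = {"suppressed": [], "alerted": [], "blocks": []}
    for alert in alerts:
        verdict = decide(alert)
        if verdict == "suppress":
            result["suppressed"].append(alert)
            continue
        result["alerted"].append(alert)
        if verdict == "alert+block":
            # (address, expiry) pairs for the firewall; expired entries are removed later.
            result["blocks"].append((alert.src, now + ttl))
    return result


# Constructed sample alerts.
SAMPLE_ALERTS = [
    Alert("10.0.9.5", "10.0.1.20", "dir-traversal", True),        # authorized scanner
    Alert("203.0.113.7", "10.0.1.20", "dir-traversal", False),    # possibly spoofed
    Alert("203.0.113.7", "10.0.1.20", "dir-traversal", True),     # real, external
    Alert("10.0.0.1", "10.0.1.20", "dir-traversal", True),        # internal gateway
]


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(f"{alert.src:14s} established={alert.established!s:5s} -> {decide(alert)}")
```

The handshake requirement is the key safeguard: a forged source address cannot complete a three-way handshake, so single-packet triggers such as a spoofed SYN or UDP datagram can raise an alarm but cannot talk the firewall into blocking someone else. The never-block list and the expiry bound the damage of the remaining mistakes.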