Introduction to Intrusion Detection Systems
Chapter 1 The Concept of Intrusion Detection Systems
As more and more companies move their core services onto the Internet, network security becomes an unavoidable problem. Traditionally, companies have relied on firewalls as the first line of defense. With attackers' knowledge growing and attack tools and techniques becoming more complex and diverse, simple firewall policies no longer meet the needs of security-sensitive organizations; network defense must be layered and use a variety of methods. At the same time, network environments are becoming more complex. A wide variety of devices must be constantly upgraded and patched, so the administrator's workload keeps growing, and a moment's negligence can create a serious security risk. In this environment, intrusion detection systems have become a new focus of the security market: they receive more and more attention and have begun to play a key role in a range of environments.
Intrusion is used here in a broad sense: it covers not only attackers (such as malicious hackers) who gain control of a system beyond what they are authorized for, but also behaviors such as collecting vulnerability information and causing denial of service that harm computer systems.
Intrusion detection, as the name suggests, is the discovery of intrusion behavior. It collects information at several key points in a computer network or computer system and analyzes it to discover whether the network or system shows violations of the security policy or signs of attack. The combination of software and hardware used for intrusion detection is an intrusion detection system (IDS). Unlike other security products, an IDS needs more intelligence: it must analyze the data it obtains and produce useful results. A good intrusion detection system greatly simplifies the administrator's work and helps ensure secure network operation.
Specifically, the main functions of an intrusion detection system include:
A. Monitoring and analyzing user and system activity;
B. Checking system configurations and vulnerabilities;
C. Evaluating the integrity of key system resources and data files;
D. Identifying known attack behavior;
E. Statistical analysis of abnormal behavior;
F. Managing operating system logs and identifying user activity that violates the security policy.
Because the intrusion detection market has grown rapidly in recent years, many companies have invested in this field. In addition to foreign companies such as ISS, Axent, NFR, and Cisco, several domestic companies (such as Zoomlion Green Alliance and CCO netwei) have launched their own products. However, intrusion detection systems still lack relevant standards. At present, two efforts are trying to standardize IDS: the Intrusion Detection Working Group (IDWG) of the IETF and the Common Intrusion Detection Framework (CIDF), but progress is slow and there is no widely accepted standard.
Chapter 2 Intrusion Detection System Model
2.1 CIDF Model
The CIDF model divides an intrusion detection system into four components:
A. Event generators (E-boxes);
B. Event analyzers (A-boxes);
C. Response units (R-boxes);
D. Event databases (D-boxes).
CIDF collectively refers to the data an IDS analyzes as events. An event can be a packet on the network or information obtained from other channels, such as system logs.
The event generator obtains events from the computing environment and provides them to the other parts of the system. The event analyzer analyzes the data and produces analysis results. The response unit is the functional unit that acts on those results: it can respond forcefully, for example by disconnecting a session or changing file attributes, or simply raise an alarm. The event database is the general term for the storage of all intermediate and final data; it can be a complex database or a simple text file.
In this model, the first three components are usually programs, and the last one is usually a file or a data stream.
In other articles, the terms "data collection", "analysis", and "console" are often used in place of "event generator", "event analyzer", and "response unit", and "log" is commonly used for the event database. Unless otherwise specified, the two sets of terms are used interchangeably in this article.
2.2 IDS Classification
Generally, intrusion detection systems are classified into host-based and network-based systems.
Host-based intrusion detection systems usually use system logs and application logs as their data source, though information can also be collected from the host by other means, such as monitoring system calls. A host-based IDS generally protects only the host it runs on.
The data source of a network-based intrusion detection system is the packets on the network. A network interface is usually placed in promiscuous mode so that it receives every packet on the segment, and those packets are analyzed. A network-based IDS generally protects an entire network segment.
It is easy to see that the main advantage of network-based IDS is simplicity: one or a few such systems installed on a segment can monitor the whole segment. Because they are usually run on dedicated machines, they add no load to hosts running critical services. However, increasingly complex networks and the spread of high-speed networks are challenging this architecture; switched Ethernet is a typical example.
The disadvantages of host-based IDS are obvious: a separate program must be developed for each platform, the load on the monitored host increases, and many installations are required. On the other hand, it is not constrained by the network topology, and it can use the facilities of the operating system together with anomaly analysis to report attacks more accurately. See [7] for details.
The components of an intrusion detection system are usually spread over different hosts; commonly, three machines run the event generator, the event analyzer, and the response unit respectively. When installing an IDS, the key decision is where to place the data collection part, because that determines which "events" are visible.
For a host-based IDS, the data collection part is naturally located on the host it monitors.
For a network-based IDS, there are several possibilities:
(1) If the segment is connected with a shared-media hub, the IDS can simply be connected to a port on the hub;
(2) On switched Ethernet the problem is more complicated. Because a switch does not use a shared medium, the traditional method of listening to the whole subnet with a sniffer no longer works. The following options are available:
A. The switch's core chip generally provides a SPAN (port mirroring) port for debugging, from which the inbound and outbound traffic of any other port can be obtained. If the switch vendor exposes this port, the IDS can be connected to it.
Advantage: the IDS architecture does not need to change.
Disadvantage: using this port reduces the switch's performance.
B. Place the intrusion detection function at the key entry and exit points of the data flow, inside the switch or inside the firewall.
Advantage: almost all key data can be obtained.
Disadvantage: close cooperation with the switch or firewall vendor is required, and network performance is reduced.
C. Use a network tap (splitter) on every line to be monitored.
Advantage: all required traffic is collected without affecting network performance.
Disadvantage: additional devices (taps) must be purchased, and if many resources are protected, the IDS needs multiple network interfaces.
D. The only method without this kind of theoretical limitation is host-based IDS.
2.3 Communication Protocol
The components of an IDS need to communicate with each other, and IDS products from different vendors also need to communicate with each other. A unified protocol is therefore necessary so that all parts can exchange information according to a common standard.
The IETF has a dedicated working group, the Intrusion Detection Working Group (IDWG), that defines this communication format, called the Intrusion Detection Message Exchange Format (IDMEF). At the time of writing only Internet Drafts exist and no RFC has been published, but the drafts already give guidance for communication between the parts of an IDS and even between different IDS products. (The IDWG work was later published as experimental RFCs: IDMEF as RFC 4765 and IDXP, the transport that replaced IAP, as RFC 4767.)
IAP (Intrusion Alert Protocol) is an application-layer protocol developed by IDWG that runs over TCP. Its design is largely based on HTTP, with a number of additions, such as allowing either end to initiate the connection and combining encryption with authentication. Here we mainly discuss the issues that should be considered when designing a communication protocol for an intrusion detection system:
1. The information passing between the analysis system and the control system is critical, so its authenticity and integrity must be preserved. Both parties need a mechanism for mutual authentication and confidential transmission that withstands passive attacks (eavesdropping) as well as active attacks (modification, replay, injection).
2. Communication between the two parties may be interrupted by failures. The IDS must take additional measures (buffering, reconnection, detection of lost messages) so that the system keeps operating and any gap in the record is noticed.
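The two requirements above, as an added example that is not code from the original article or from the IDWG drafts it describes: a sensor numbers every alert and appends an HMAC-SHA256 tag, and the console verifies the tag, rejects replays, and records sequence gaps so that a lost message is noticed rather than silently missing. The wire format, the field names, and the pre-shared key are assumptions made for this example; confidentiality would come from wrapping the channel in TLS, which is not shown.

```python
"""Authenticated, replay-resistant alert transport between an IDS sensor and its console.

Added illustrative example, not code from the original article or from the IDWG
drafts. The wire format, field names, and pre-shared key are assumptions; a real
deployment would also run this inside TLS for confidentiality (not shown).
"""
import hashlib
import hmac
import json

# Assumption: both ends were provisioned with the same secret out of band.
SHARED_KEY = b"example-pre-shared-key-change-me"


class Sensor:
    """Event generator side: numbers every alert and appends an HMAC-SHA256 tag."""

    def __init__(self, sensor_id, key):
        self.sensor_id = sensor_id
        self.key = key
        self.seq = 0

    def emit(self, alert):
        self.seq += 1
        body = json.dumps(
            {"sensor": self.sensor_id, "seq": self.seq, "alert": alert},
            sort_keys=True,
        ).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        return body + b"\n" + tag  # wire message: JSON body, newline, hex tag


class Console:
    """Analyzer/console side: verifies the tag, rejects replays, records gaps."""

    def __init__(self, key):
        self.key = key
        self.last_seq = {}   # sensor_id -> highest sequence number accepted
        self.accepted = []   # alerts that passed all checks
        self.gaps = []       # (sensor_id, first_missing_seq, last_missing_seq)

    def receive(self, wire):
        body, _, tag = wire.rpartition(b"\n")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison: a forged or modified message fails here.
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        msg = json.loads(body)
        sensor, seq = msg["sensor"], msg["seq"]
        last = self.last_seq.get(sensor, 0)
        if seq <= last:
            return "rejected: replay"
        if seq != last + 1:
            # Messages were lost (link down, sensor restarted): record the hole
            # so the operator knows the record is incomplete, not merely quiet.
            self.gaps.append((sensor, last + 1, seq - 1))
        self.last_seq[sensor] = seq
        self.accepted.append(msg)
        return "accepted"


def run_exchange():
    """Replay a small constructed exchange; returns the console's verdicts."""
    sensor = Sensor("sensor-dmz", SHARED_KEY)
    console = Console(SHARED_KEY)
    verdicts = []

    m1 = sensor.emit({"sig": "telnet login from outside", "src": "203.0.113.7"})
    verdicts.append(console.receive(m1))                     # accepted

    verdicts.append(console.receive(m1))                     # replayed by an attacker: rejected

    tampered = m1.replace(b"203.0.113.7", b"198.51.100.1")   # source rewritten in transit
    verdicts.append(console.receive(tampered))               # rejected: bad tag

    sensor.emit({"sig": "port scan", "src": "203.0.113.7"})  # seq 2, lost on the wire
    m3 = sensor.emit({"sig": "phf probe", "src": "203.0.113.7"})
    verdicts.append(console.receive(m3))                     # accepted, gap (2, 2) recorded

    return verdicts, console.gaps, len(console.accepted)


if __name__ == "__main__":
    print(run_exchange())
```

The sequence number serves both requirements at once: it makes a captured message useless for replay, and a hole in the numbering is the console's evidence that messages were lost while the link was down.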
2.4 Intrusion Detection Technology
Analyzing events and discovering violations of the security policy is the core function of an intrusion detection system. Technically, intrusion detection is divided into two types: signature-based (misuse detection) and anomaly-based.
Signature-based detection first defines the characteristics of events that violate the security policy, such as particular header fields of network packets. Detection then mainly consists of checking whether those characteristics appear in the collected data. This method is very similar to anti-virus software.
Anomaly-based detection first defines a set of "normal" values for the system, such as CPU utilization, memory utilization, and file checksums (these values can be defined by hand or obtained by observing the system and applying statistical methods), and then compares the system's running values with the defined "normal" to decide whether the system is under attack. The core of this method is how to define the so-called "normal" state.
The two techniques differ greatly in method and in the conclusions they reach. The core of signature-based detection is maintaining a knowledge base of signatures. For known attacks it can report the attack type in detail and accurately, but its effect on unknown attacks is limited, and the knowledge base must be updated constantly. Anomaly-based detection cannot identify the attack method precisely, but it can (at least in theory) identify a wider range of attacks, including unknown ones.
Where conditions permit, combining the two gives better results.
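The two techniques side by side, as an added example that is not code from the original article: a small IPv4/TCP header parser feeds two signature rules (one on header fields, one on payload content), and a statistical anomaly detector learns a baseline of CPU utilization and flags readings far from it. The packet builder, the rules, the sample packets, the CPU samples, and the three-standard-deviation threshold are all constructed assumptions for this example.

```python
"""Signature-based and anomaly-based detection over constructed input.

Added illustrative example, not code from the original article. The packet
builder, the two signature rules, and the CPU samples are constructed for the
example; the threshold of three standard deviations is an assumption.
"""
import statistics
import struct
from dataclasses import dataclass

SYN = 0x02


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def build_ipv4_tcp(src, dst, sport, dport, flags, payload):
    """Construct a minimal IPv4+TCP packet (checksums left zero) for the demo."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp + payload


def parse_ipv4_tcp(raw):
    """Parse the header fields a signature rule looks at; this is the 'event'."""
    ihl = (raw[0] & 0x0F) * 4
    if raw[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    tcp = raw[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Packet(src, dst, sport, dport, tcp[13], tcp[data_off:])


# Signature rules: each describes a known-bad event in terms of header fields
# and payload content, much as a virus signature describes a known file.
SIGNATURES = [
    ("telnet SYN from outside", lambda p: p.dport == 23 and bool(p.flags & SYN)
                                          and not p.src.startswith("10.")),
    ("HTTP path traversal", lambda p: p.dport == 80 and b"../" in p.payload),
]


def signature_scan(raw_packets):
    hits = []
    for raw in raw_packets:
        p = parse_ipv4_tcp(raw)
        hits.extend((name, p.src) for name, rule in SIGNATURES if rule(p))
    return hits


class AnomalyDetector:
    """Learns 'normal' from observed samples, then flags values far from it."""

    def __init__(self, baseline, k=3.0):
        self.mean = statistics.mean(baseline)
        self.stdev = statistics.pstdev(baseline) or 1e-9  # avoid a zero-width band
        self.k = k

    def is_anomalous(self, value):
        return abs(value - self.mean) > self.k * self.stdev


# Constructed traffic: a benign fetch, a traversal attempt, an external telnet SYN.
SAMPLE_PACKETS = [
    build_ipv4_tcp("10.0.0.5", "10.0.0.80", 40000, 80, 0x18, b"GET /index.html HTTP/1.0\r\n"),
    build_ipv4_tcp("203.0.113.7", "10.0.0.80", 40001, 80, 0x18, b"GET /../../etc/passwd HTTP/1.0\r\n"),
    build_ipv4_tcp("203.0.113.7", "10.0.0.9", 40002, 23, SYN, b""),
]

# Constructed CPU-utilization samples (%) from a quiet period, used as the baseline.
CPU_BASELINE = [20, 22, 25, 21, 23, 19, 24, 22]


def demo():
    hits = signature_scan(SAMPLE_PACKETS)
    cpu = AnomalyDetector(CPU_BASELINE)
    # The anomaly detector cannot say *what* is wrong, only that 95% is not normal.
    anomalies = [v for v in (24, 95) if cpu.is_anomalous(v)]
    return hits, anomalies


if __name__ == "__main__":
    print(demo())
```

The two outputs illustrate the trade-off in the text: the signature hits name the attack and its source, while the anomaly detector only says that a reading is abnormal, and would say so just as readily for an attack that no signature describes.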
Chapter 3 Problems
Despite the appearance of many commercial products, intrusion detection systems still have many problems compared with mature products such as firewalls. This chapter discusses the main factors that threaten them. It is worth noting that most of these problems cannot be overcome within the structure of current intrusion detection systems (including warcher), and these contradictions may become increasingly acute.
The following are the main factors that challenge intrusion detection products:
1. The growing knowledge of attackers, increasingly sophisticated and diverse automated tools, and increasingly complex and meticulous attack techniques.
2. Malicious information is transmitted encrypted.
A network intrusion detection system detects attacks by matching the contents of network packets, and it usually assumes that the attack information is transmitted in plaintext. A slight change in how that information is encoded can therefore cause the IDS to miss it. TFN already encrypts its control information, and many systems connect networks through VPNs (Virtual Private Networks); if the IDS does not understand the tunnel mechanism, large numbers of false positives and false negatives result.
3. Different security policies must be coordinated and adapted to diverse environments.
Networks and their devices are becoming more diverse: there are critical resources such as mail servers and enterprise databases alongside large numbers of relatively unimportant PCs, and the mix differs from one enterprise to another. An IDS must be customizable to fit these varied requirements.
4. Increasing network traffic.
Users expect an IDS to raise alerts as quickly as possible, so the collected data must be analyzed in real time, which places ever higher demands on the system. Commercial products generally recommend the best hardware currently available (for example, NFR 5.0 requires at least a 700 MHz processor). Even so, a single IDS system is hard-pressed to keep up with high traffic volumes. As traffic grows (many large ICPs already have hundreds of megabits of bandwidth), IDS will face greater challenges, and the approach of running a pure software system on a PC will need to be superseded.
5. A lack of widely accepted terms and conceptual frameworks.
Intrusion detection vendors work largely in isolation from each other, and the lack of standards makes interoperability impossible.
6. The rapidly changing intrusion detection market makes IDS difficult to purchase and maintain.
Intrusion detection systems are new. As technology advances and new attacks are recognized, an IDS must be upgraded constantly to keep the network secure, and products from different vendors differ greatly in upgrade cycle and method. Users therefore find it hard to decide at purchase time, and maintenance remains largely reactive.
7. Risks arising from improper automatic responses.
An intrusion detection system can easily be coupled with a firewall so that, when an attack is detected, all traffic from the attacker's IP address is filtered out. An inappropriate response, however, easily creates new problems. A typical example: the attacker spoofs a large number of different source addresses in a simulated attack, the IDS automatically configures the firewall to block those addresses, none of which actually attacked anything, and the result is a new denial of service (DoS).
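The self-inflicted denial of service described above, as an added example that is not code from the original article: a naive responder blocks every source that trips a signature, while a guarded responder refuses to block critical infrastructure, acts only on evidence a spoofer cannot forge (a completed TCP handshake), limits how many blocks it issues per minute, and lets blocks expire. The alert records, the address ranges, the never-block list, and the budget are constructed assumptions for this example.

```python
"""Naive automatic blocking beside a guarded responder, replayed over constructed alerts.

Added illustrative example, not code from the original article. The alerts, the
address ranges, the list of hosts that must never be blocked, and the block
budget are constructed assumptions for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Alert:
    src: str            # source address the sensor saw
    sig: str            # matched signature
    handshake: bool     # did the source complete a TCP three-way handshake?
    ts: float           # seconds


# Constructed scenario: one real attacker, plus a spoofed flood whose source
# addresses include the site's own DNS server and its upstream gateway.
ATTACKER = "203.0.113.7"
NEVER_BLOCK = {"10.0.0.53", "10.0.0.1"}
SPOOFED = ["10.0.0.53", "10.0.0.1"] + [f"198.51.100.{i}" for i in range(1, 41)]

ALERTS = [Alert(ATTACKER, "phf probe", True, 0.0)] + [
    Alert(src, "SYN scan", False, 1.0 + i * 0.01) for i, src in enumerate(SPOOFED)
]


def naive_responder(alerts):
    """Block every source that trips a signature: simple, and a self-inflicted DoS."""
    return {a.src for a in alerts}


class GuardedResponder:
    def __init__(self, never_block, budget_per_minute=5, block_ttl=600):
        self.never_block = {ipaddress.ip_address(a) for a in never_block}
        self.budget = budget_per_minute
        self.ttl = block_ttl
        self.blocks = {}        # addr -> expiry time
        self.block_times = []   # when each block was issued, for rate limiting
        self.alert_only = []    # alerts that were logged but not acted on

    def handle(self, alert):
        addr = ipaddress.ip_address(alert.src)
        recent = [t for t in self.block_times if alert.ts - t < 60]
        # 1. Critical infrastructure is never blocked automatically.
        # 2. A spoofed SYN proves nothing about the real sender; act only on
        #    sources that completed a handshake, which a spoofer cannot do.
        # 3. Even blockable alerts draw on a budget; beyond it, alert only.
        if addr in self.never_block or not alert.handshake or len(recent) >= self.budget:
            self.alert_only.append(alert)
            return False
        self.blocks[alert.src] = alert.ts + self.ttl   # 4. every block expires
        self.block_times = recent + [alert.ts]
        return True

    def active_blocks(self, now):
        return {a for a, exp in self.blocks.items() if exp > now}


def compare():
    """Returns (naive block set, guarded blocks now, guarded blocks after the TTL)."""
    naive = naive_responder(ALERTS)
    guarded = GuardedResponder(NEVER_BLOCK)
    for a in ALERTS:
        guarded.handle(a)
    return naive, guarded.active_blocks(now=2.0), guarded.active_blocks(now=2.0 + 601)


if __name__ == "__main__":
    naive, now, later = compare()
    print(len(naive), "addresses blocked by the naive responder; DNS blocked:", "10.0.0.53" in naive)
    print("guarded responder blocks:", now, "after TTL:", later)
```

The naive responder cuts the site off from its own DNS server and gateway on the strength of packets whose source addresses were never verified; the guarded one blocks only the host that actually completed a connection, and even that block is temporary.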
8. Attacks against the IDS itself.
Like any other software, IDS products have security vulnerabilities of their own. A search of the Bugtraq mailing list turns up vulnerabilities in well-known products such as Axent NetProwler, NFR, and ISS RealSecure. A successful attack on the IDS directly disables its alerting, and the intruder's subsequent actions go unrecorded. (This is one reason why defenses must be diversified.)
9. Large numbers of false positives and false negatives make it very difficult to find real problems.
A perfect intrusion detection system cannot be built with current technology and models; reference [1] describes several methods of evading IDS detection. The main reasons are:
Before it can analyze accurately, an IDS must understand the operating state, and even the protocol-handling details, of every operating system on the network; otherwise the insertion attacks described in [1] cannot be handled. Different operating systems, and even different versions of the same operating system, process protocols differently. Tracking all of this detail, however, conflicts with the requirement that an IDS run efficiently.
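The insertion problem in concrete form, as an added example that is not code from the original article or from reference [1]: an attacker sends a decoy TCP segment that overlaps the real one but carries a TTL too small to reach the target, so the IDS sees bytes the host never receives. Whichever fixed overlap policy the IDS uses, the attacker can order the segments so that the IDS reconstructs a harmless stream while the host reconstructs the attack; only an IDS that discards what the host would discard (here, by knowing the hop count to the target) gets the same view. The segments, the hop count, the "phf" signature, and the two overlap policies are constructed simplifications for this example.

```python
"""Why an IDS must know how the target host sees the stream: a TTL insertion attack.

Added illustrative example, not code from the original article or from
reference [1]. The segments, the hop count, and the 'phf' signature are
constructed for the example; the two overlap policies are simplifications.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int
    data: bytes
    ttl: int


def reassemble(segments, policy):
    """Rebuild a byte stream from overlapping segments.

    policy='first': bytes already present are kept (BSD-like behaviour).
    policy='last':  later segments overwrite earlier ones.
    """
    stream = {}
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = b
    return bytes(stream[i] for i in sorted(stream))


def host_view(segments, hops):
    """Only segments whose TTL survives the path reach the target host."""
    return [s for s in segments if s.ttl > hops]


SIGNATURE = b"/cgi-bin/phf"
HOPS_TO_TARGET = 5   # constructed: the IDS sits between the attacker and the host


def attack(order):
    """Attacker sends a decoy overlap with a TTL too low to reach the host."""
    head = Segment(0, b"GET /cgi-bin/", ttl=64)
    decoy = Segment(13, b"pXf?", ttl=2)      # seen by the IDS, expires before the host
    real = Segment(13, b"phf?", ttl=64)      # reaches the host
    return [head] + ([decoy, real] if order == "decoy-first" else [real, decoy])


def verdicts(order):
    segs = attack(order)
    host = reassemble(host_view(segs, HOPS_TO_TARGET), "first")
    return {
        "host_attacked": SIGNATURE in host,
        "ids_first_policy": SIGNATURE in reassemble(segs, "first"),
        "ids_last_policy": SIGNATURE in reassemble(segs, "last"),
        # Target-aware IDS: discard what the host would discard, then reassemble.
        "ids_target_aware": SIGNATURE in reassemble(host_view(segs, HOPS_TO_TARGET), "first"),
    }


if __name__ == "__main__":
    for order in ("decoy-first", "real-first"):
        print(order, verdicts(order))
```

With the decoy sent first, a first-wins IDS misses the attack; with the real segment sent first, a last-wins IDS misses it. The host is attacked in both cases, which is exactly why the text says an IDS needs to know the protocol-handling details of the systems it protects.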
10. Lack of objective evaluation and test information.
11. Switched LANs reduce the visibility of network traffic, and faster networks make real-time analysis more difficult.
Chapter 4 Conclusion
In the future, intrusion detection systems will merge with other network management software into a combined tool for intrusion detection, network management, and network monitoring. Powerful intrusion detection software greatly simplifies network management, and its real-time alerts provide another layer of assurance for network security. Although many technical problems remain unsolved, intrusion detection will keep being updated and maturing as attack techniques continue to develop. At the same time, as noted at the beginning of this article, network security needs layered and diverse protection: even the most powerful intrusion detection system cannot, by itself, fix the security vulnerabilities in a network in time.