Introduction to Intrusion detection technology

Date: 2004-06-13
Source: http://www.meiclub.com/

Abstract: With the development of computer technology, and of networks in particular, computer systems have evolved from stand-alone hosts into complex, interconnected open systems. This has brought great convenience to the use of information and the sharing of resources, but it has also confronted people with a series of security problems caused by intrusion. This paper introduces one of today's hot topics in network security technology: intrusion detection. It first describes the definition and classification of intrusion detection, then analyzes its detection methods, and finally discusses its development trends and application prospects.

Keywords: intrusion detection system, network security, firewall

1 Introduction

With the rapid development of the Internet, individuals, enterprises and government departments rely more and more on networks to convey information, but the openness and shared nature of networks make them vulnerable to external attack and damage, and the confidentiality of information is seriously affected. Network security has become one of the problems of greatest concern to governments, enterprises and network users all over the world. Any network activity that attempts to compromise the integrity, confidentiality or availability of an information system is called a network intrusion. The most common means of preventing network intrusion is the firewall. A firewall is a combination of components placed between networks of different trust levels, such as a trusted enterprise intranet and an untrusted public network, or between network security domains; it is a network-layer security technology that protects an intranet, or an individual node, connected to the Internet.
It is simple, practical and highly transparent: a certain level of security can be achieved without modifying the original network applications. However, a firewall is only a passive defensive tool, and using a firewall alone is not enough. First, an intruder can find a vulnerability in the firewall and bypass it to attack. Second, firewalls are powerless against attacks from inside. Third, a firewall's decisions are limited to rejecting or passing traffic, which falls far short of users' complex application requirements. Intrusion detection technology [1] arose to fill this gap.

2 Intrusion detection technology

Research on intrusion detection dates back to James Anderson's work in 1980. He was the first to propose the concept of intrusion detection, and argued that audit trails could be applied to monitor intrusion threats. The importance of this idea was not appreciated at the time, since all existing system security procedures focused on denying unauthenticated entities access to important data. In 1987 Dorothy E. Denning [2] proposed an abstract model of an intrusion detection system (IDS), and intrusion detection was put forward for the first time as a measure of computer system security defense. Compared with traditional methods such as encryption and access control, IDS was a new kind of computer security measure. The Morris Internet worm of 1988 rendered the Internet unusable for nearly 5 days. This event made the need for computer security urgent and led to the development of many IDS systems.

Intrusion detection is defined as the process of identifying and responding to malicious attempts and actions against a computer or network resource. An IDS is a stand-alone system that performs these functions.
An IDS detects intrusion attempts and actions against the system by unauthorized subjects (people or programs), and at the same time monitors illegal operations on system resources by authorized subjects (misuse). Its main functions are: (1) collecting information from different parts of the system; (2) analyzing that information, trying to find the characteristics of intrusive activity; (3) automatically responding to detected behavior; (4) recording and reporting the results of the detection process. As a proactive security protection technology, intrusion detection provides real-time protection against internal attacks, external attacks and mis-operation, and intercepts and responds to an intrusion before the network system is compromised. An IDS can make up for the shortcomings of a firewall; in a sense it is a supplement to the firewall [1].

3 Classification of intrusion detection

Existing classifications are mostly based on the source of information and on the analysis method [3, 4].

3.1 Classification by source of information: host-based and network-based

3.1.1 Host-based intrusion detection system (HIDS)

A host-based IDS monitors the system, its events, and the Windows NT security log or the system logs in a UNIX environment. When a log file is modified, the IDS compares the new record entries against known attack signatures to see whether they match. If they match, the system administrator is alerted or an appropriate response is made. Host-based IDS has incorporated other techniques as it developed. A common way to detect intrusion into critical system files and executables is to check the files' checksums periodically and look for unexpected changes; the speed of reaction depends on the interval between rounds of checking. Many products also listen on ports and alert an administrator when a particular port is accessed.
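The periodic checksum check described above, as an added example that is not code from the original article. A baseline of SHA-256 digests, sizes and permission bits is recorded for a set of monitored files, and each round of checking reports files that were modified, removed or had their mode changed. The file names, their contents and the temporary directory used in demo() are constructed for the demonstration.

```python
"""Added example, not from the original article: the periodic checksum check for
critical files that the HIDS section describes.

build_baseline() records a SHA-256 digest, size and permission bits for each
monitored file; check_integrity() re-reads them and reports files that were
modified, removed or had their mode changed. The file names, their contents and
the temporary directory in demo() are constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of the file contents, read in 64 KiB chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, monitored: list) -> dict:
    """Snapshot digest, size and permission bits of each monitored file under root."""
    baseline = {}
    for rel in monitored:
        p = root / rel
        if p.is_file():
            st = p.stat()
            baseline[rel] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """One round of checking: compare the live files against the stored baseline."""
    report = {"modified": [], "missing": [], "mode_changed": []}
    for rel, saved in baseline.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        st = p.stat()
        if (st.st_mode & 0o7777) != saved["mode"]:
            report["mode_changed"].append(rel)
        # Size is a cheap first test; the digest also catches edits that keep the size.
        if st.st_size != saved["size"] or file_digest(p) != saved["sha256"]:
            report["modified"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: baseline three 'system' files, then simulate an intruder."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
            "etc/shadow": "root:*:19000:0:99999:7:::\n",
            "bin/login": "placeholder for the login binary\n",
        }
        for rel, content in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        baseline = build_baseline(root, list(files))

        # Simulated intrusion: a second uid-0 account, a trojaned login binary,
        # and the shadow file deleted.
        (root / "etc/passwd").write_text(files["etc/passwd"] + "toor:x:0:0::/:/bin/sh\n")
        (root / "bin/login").write_text("placeholder for the trojaned binary\n")
        (root / "etc/shadow").unlink()
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Two practical caveats follow from the technique itself: the baseline must be kept where the host cannot write to it (read-only media, or signed and stored off-host), because an intruder with root who can reach the baseline simply re-baselines the trojaned files; and the check only sees what is on disk, so a shorter interval narrows the window but never covers in-memory tampering.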
Listening on ports in this way brings the basic method of network-based intrusion detection into the host-based detection environment.

3.1.2 Network-based intrusion detection system (NIDS)

A network-based IDS takes network packets as its data source. It usually uses a network interface card working in promiscuous mode to monitor and analyze the traffic passing through the network in real time. Its analysis module usually uses pattern matching, statistical analysis and other techniques to identify attack behavior. Once an attack is detected, the IDS response module takes the appropriate action, such as raising an alarm or cutting the relevant user's network connection. The responses implemented by different intrusion detection systems may differ, but they usually include notifying the administrator, cutting the connection, and recording the relevant information to provide the necessary legal evidence [5].

3.1.3 Integration of host-based and network-based intrusion detection systems

Many organizations' network security solutions adopt both host-based and network-based intrusion detection systems, because the two are complementary to a large extent. In practice, many customers deploying IDS configure network-based detection first: detectors outside the firewall detect attacks from the external Internet. DNS, e-mail and web servers are frequent targets, but they must interact with the external network and cannot be completely shielded, so a host-based IDS should be installed on each such server, with its results reported to the analyst's console. As a result, even small network architectures often require both host-based and network-based detection capabilities. An intrusion detection deployment for a medium-sized organization is described in [6, 7].
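The NIDS pipeline of 3.1.2 in miniature, as an added example that is not code from the original article: raw IPv4/TCP packets are decoded, the TCP payload is matched against a small signature list (the same pattern matching that 3.2.1 lists as a misuse-detection technique), and the response module records an alert and marks the offending connection for teardown. A real sensor reads packets from a NIC in promiscuous mode; here they are built inline. The signatures, addresses and payloads are constructed for the demonstration.

```python
"""Added example, not from the original article: a minimal network-based sensor.
Packets are decoded with struct, payloads matched against signatures, and the
response module alerts and blocks the connection. Signatures, addresses and
payloads below are constructed for the demonstration.
"""
import re
import socket
import struct
from dataclasses import dataclass, field

# Signature id -> (description, pattern applied to the TCP payload).
SIGNATURES = {
    1001: ("directory traversal to /etc/passwd", re.compile(rb"\.\./[^\r\n]*etc/passwd")),
    1002: ("cmd.exe requested over HTTP", re.compile(rb"cmd\.exe", re.I)),
    1003: ("SQL injection tautology", re.compile(rb"'\s*or\s*'?1'?\s*=\s*'?1", re.I)),
}


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def parse_ipv4_tcp(raw: bytes) -> Packet:
    """Decode IPv4 + TCP headers; raise ValueError for anything that is not IPv4/TCP."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, _, _, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    data_off = (off_flags >> 12) * 4
    payload = raw[ihl + data_off:total_len]
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, off_flags & 0x1FF, payload)


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet (checksums left zero; a passive sensor does not verify them)."""
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 8192, 0, 0)  # PSH|ACK
    return ip + tcp + payload


@dataclass
class Sensor:
    alerts: list = field(default_factory=list)
    blocked: set = field(default_factory=set)  # connections the response module tore down

    def inspect(self, raw: bytes) -> list:
        """Analysis module: match the payload; response module: alert and cut the connection."""
        try:
            pkt = parse_ipv4_tcp(raw)
        except (ValueError, struct.error):
            return []
        hits = [sid for sid, (_, pat) in SIGNATURES.items() if pat.search(pkt.payload)]
        for sid in hits:
            self.alerts.append({"sid": sid, "msg": SIGNATURES[sid][0],
                                "src": f"{pkt.src}:{pkt.sport}", "dst": f"{pkt.dst}:{pkt.dport}"})
        if hits:
            # A deployed sensor would send RST to both ends or ask the firewall to block.
            self.blocked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return hits


def demo() -> Sensor:
    """Constructed traffic: one benign request, three attacks, one packet that is not TCP."""
    sensor = Sensor()
    traffic = [
        build_ipv4_tcp("10.0.0.5", "192.168.1.10", 40000, 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
        build_ipv4_tcp("203.0.113.7", "192.168.1.10", 40001, 80,
                       b"GET /cgi-bin/../../../../etc/passwd HTTP/1.0\r\n\r\n"),
        build_ipv4_tcp("203.0.113.8", "192.168.1.10", 40002, 80,
                       b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"),
        build_ipv4_tcp("10.0.0.6", "192.168.1.11", 40003, 80,
                       b"POST /login HTTP/1.0\r\n\r\nuser=admin&pass=x' OR '1'='1"),
        b"\x45\x00\x00\x1c" + b"\x00" * 4 + b"\x40\x11" + b"\x00" * 18,  # IPv4, protocol 17 (UDP): ignored
    ]
    for raw in traffic:
        sensor.inspect(raw)
    return sensor


if __name__ == "__main__":
    for alert in demo().alerts:
        print(alert)
```

The third constructed request shows why raw pattern matching is not enough on its own: its traversal is written as `..%255c..`, which signature 1001 does not recognise, and only the literal `cmd.exe` catches it. A usable sensor decodes the protocol (URL-unescaping, TCP stream reassembly across packets) before matching, and it sees nothing at all inside encrypted sessions.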
3.2 Classification by analysis method: misuse detection and anomaly detection

3.2.1 Misuse detection

Misuse detection defines a set of characteristics (signatures) of intrusive activity and detects intrusions by checking whether current activity matches these signatures. Common techniques are:

(1) Expert system: a series of detection rules is used to analyze the characteristic behavior of an intrusion. The rules, i.e. the knowledge, are the basis on which the expert system decides whether an intrusion exists. Besides the completeness of its knowledge base, an expert system depends on the completeness of its condition base, which in turn depends on the completeness, timeliness and usability of the audit records. The speed of the matching algorithm also has a great influence on the efficiency of the expert system.

(2) Model-based intrusion detection: when attacking a system, an intruder often uses a certain sequence of actions, such as a sequence of password guesses. This sequence of actions constitutes a model with certain behavioral characteristics, and malicious attempts can be detected in real time from the behavioral characteristics of the attack intention that the model represents. The advantage of this approach is that it rests on a sound mathematical theory of reasoning under uncertainty, whereas an expert system usually discards inconclusive intermediate conclusions. A model-based method need monitor only a few major audit events; when these occur, a detailed audit is started, which reduces the audit-processing load. Another feature of this approach is its ability to detect coordinated attacks and multi-stage attacks, which makes it useful for distributed IDS.
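A model-based detector for the password-guessing sequence mentioned in (2) above, as an added example that is not code from the original article. The attack model is a small state machine kept per source address: FAIL_THRESHOLD authentication failures inside WINDOW_SECONDS move the source into a "guessing" state, and a successful login from that state is reported as a probable guessed credential. Only the major events (authentication results) drive the model; once a source is in the guessing state the detector also switches on detailed auditing and records every event from it. The thresholds, addresses, record format and audit lines are constructed for the demonstration.

```python
"""Added example, not from the original article: a per-source state machine that
implements the password-guessing attack model of 3.2.1 (2). Thresholds, the audit
record format and the sample records are constructed for the demonstration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

FAIL_THRESHOLD = 4     # failures that establish the guessing model ...
WINDOW_SECONDS = 60    # ... within this many seconds


@dataclass
class SourceState:
    fails: deque = field(default_factory=deque)        # timestamps of recent failures
    guessing: bool = False
    detailed_audit: list = field(default_factory=list)


class PasswordGuessModel:
    def __init__(self):
        self.state = defaultdict(SourceState)
        self.alerts = []

    def feed(self, ts: int, src: str, event: str, arg: str) -> None:
        st = self.state[src]
        if st.guessing:
            st.detailed_audit.append((ts, event, arg))   # detailed audit only while suspicious
        if event == "auth_fail":
            st.fails.append(ts)
            while st.fails and ts - st.fails[0] > WINDOW_SECONDS:   # drop stale failures
                st.fails.popleft()
            if not st.guessing and len(st.fails) >= FAIL_THRESHOLD:
                st.guessing = True
                self.alerts.append({"model": "password_guessing", "src": src,
                                    "ts": ts, "failures": len(st.fails)})
        elif event == "auth_ok":
            if st.guessing:
                self.alerts.append({"model": "guessed_credential", "src": src,
                                    "ts": ts, "user": arg})
            st.fails.clear()   # the guessing state and detailed audit stay on until reviewed


def run(lines: list) -> PasswordGuessModel:
    """Feed audit records of the constructed form '<epoch> <src> <event> <arg>'."""
    model = PasswordGuessModel()
    for line in lines:
        ts, src, event, arg = line.split(maxsplit=3)
        model.feed(int(ts), src, event, arg)
    return model


# Constructed audit trail: one guessing attacker, one user who mistypes twice,
# one source whose failures are too spread out to fit the model's window.
SAMPLE_AUDIT = [
    "1000 203.0.113.9 auth_fail bob",
    "1010 203.0.113.9 auth_fail bob",
    "1020 203.0.113.9 auth_fail bob",
    "1030 203.0.113.9 auth_fail bob",
    "1040 203.0.113.9 auth_fail bob",
    "1050 203.0.113.9 auth_ok bob",
    "1060 203.0.113.9 file_read /etc/shadow",
    "2000 10.0.0.5 auth_fail alice",
    "2010 10.0.0.5 auth_fail alice",
    "2020 10.0.0.5 auth_ok alice",
    "3000 198.51.100.2 auth_fail carol",
    "3100 198.51.100.2 auth_fail carol",
    "3200 198.51.100.2 auth_fail carol",
    "3300 198.51.100.2 auth_fail carol",
]

if __name__ == "__main__":
    m = run(SAMPLE_AUDIT)
    for a in m.alerts:
        print(a)
    print(m.state["203.0.113.9"].detailed_audit)
```

Keying the model on the source address has two known weak points: state per source can be exhausted by spoofed sources, and an attacker who spreads the guesses for one account over many sources (low and slow, or a coordinated attack) never trips a per-source threshold. That is the coordinated, multi-stage case for which the section says model-based detection needs a distributed IDS; in practice the same model is also kept per target account.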
(3) Simple pattern matching: this method encodes known intrusion signatures as patterns over audit records. When a new audit event arrives, it searches for a known intrusion pattern that matches it.

(4) Soft computing: soft computing methods include neural networks, genetic algorithms and fuzzy techniques. In recent years there have been reports of experiments using neural networks for intrusion detection, but no formal products have been released.

3.2.2 Anomaly detection

Anomaly detection assumes that an intruder's activity is abnormal relative to normal activity. To implement this, the IDS establishes a profile ("norm set") of normal activity; when a subject's activity violates the statistical regularities of that profile, the activity is considered a possible intrusion. One advantage of anomaly detection is that it can detect abnormal behavior of a system from an abstract model of the system's normal behavior. This capability does not depend on prior knowledge of a specific intrusion, so it can detect new intrusion behavior. Most normal-behavior models use a matrix of measurements taken from various system indicators, such as CPU usage, memory usage, logon time and logon count, network activity, file changes and so on. The disadvantage of anomaly detection is that an intruder who knows the detection rules can carefully avoid abrupt changes in the system indicators and evade detection by changing them gradually. In addition, detection efficiency is not high and detection takes longer. Most importantly, it is "after the fact": by the time the intrusion is detected, the damage has already been done.
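The statistical profile of 3.2.2, together with the slow-drift evasion the paragraph warns about, as an added example that is not code from the original article. learn_profile() turns a training period of indicator measurements (CPU %, logon hour, MB sent) into a per-indicator mean and standard deviation; is_anomalous() flags an observation whose z-score on any indicator exceeds Z_THRESHOLD. detect_with_adaptive_profile() re-learns the profile from the most recent accepted observations, and the two constructed streams show that a jump to 60 MB of outbound data is caught when it happens at once and missed when the intruder raises the daily volume by 0.5 MB at a time. The indicators, thresholds, window size and all measurements are constructed for the demonstration.

```python
"""Added example, not from the original article: a mean/standard-deviation profile
of system indicators (the 'norm set' of 3.2.2) and the gradual-change evasion.
Indicators, thresholds and measurements are constructed for the demonstration.
"""
from statistics import mean, pstdev

INDICATORS = ("cpu_pct", "logon_hour", "bytes_out_mb")
Z_THRESHOLD = 3.0


def learn_profile(samples: list) -> dict:
    """The 'norm set': (mean, stddev) per indicator over a list of observations."""
    profile = {}
    for key in INDICATORS:
        values = [s[key] for s in samples]
        profile[key] = (mean(values), max(pstdev(values), 1e-6))  # guard against zero spread
    return profile


def score(profile: dict, obs: dict) -> dict:
    """z-score of every indicator of one observation against the profile."""
    return {k: (obs[k] - profile[k][0]) / profile[k][1] for k in INDICATORS}


def is_anomalous(profile: dict, obs: dict, threshold: float = Z_THRESHOLD) -> bool:
    return any(abs(z) > threshold for z in score(profile, obs).values())


def detect_with_adaptive_profile(training: list, stream: list,
                                 window: int = 20, threshold: float = Z_THRESHOLD) -> list:
    """Indices of flagged observations when the profile is re-learned over the last
    `window` accepted observations (flagged ones are not allowed to train it)."""
    history = list(training)
    flagged = []
    for i, obs in enumerate(stream):
        profile = learn_profile(history[-window:])
        if is_anomalous(profile, obs, threshold):
            flagged.append(i)
        else:
            history.append(obs)
    return flagged


def normal_day(i: int) -> dict:
    """Constructed 'normal' behaviour: modest CPU, office-hours logon, small uploads."""
    return {"cpu_pct": 10 + i % 5, "logon_hour": 8 + i % 3, "bytes_out_mb": 4 + i % 4}


TRAINING = [normal_day(i) for i in range(20)]
# A 3 a.m. logon that sends 60 MB in one go ...
SUDDEN = [{"cpu_pct": 12, "logon_hour": 3, "bytes_out_mb": 60}]
# ... versus reaching 60 MB a day by adding 0.5 MB to each normal-looking session.
DRIFT = [{"cpu_pct": 12, "logon_hour": 9, "bytes_out_mb": 6 + 0.5 * k} for k in range(110)]


def demo() -> dict:
    static = learn_profile(TRAINING)
    return {
        "static_sudden": is_anomalous(static, SUDDEN[0]),
        "static_drift_end": is_anomalous(static, DRIFT[-1]),
        "adaptive_sudden": detect_with_adaptive_profile(TRAINING, SUDDEN),
        "adaptive_drift": detect_with_adaptive_profile(TRAINING, DRIFT),
    }


if __name__ == "__main__":
    print(demo())
```

The adaptive detector never sees a z-score above about 2.3 on the drifting stream, because every accepted day widens and shifts the profile just enough to make the next day look normal; the frozen profile learned once from the training period flags the same end state at once. Refusing to let flagged observations into the profile, as done here, does not help, since no single step is flagged. Practical profiles therefore pin the baseline (or compare against a profile learned long ago as well as the recent one) and alert on the trend itself.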
Statistical methods are common in current IDS products and are a mature intrusion detection approach. They let the IDS learn a subject's daily behavior and identify activity with a large statistical deviation from normal as abnormal. Common models are: the operational model, the mean-and-variance model, the multivariate model, the Markov process model and time-series analysis. The biggest advantage of statistical methods is that they can "learn" users' habits, which gives them a higher detection rate and better usability. But this "learning" ability also gives intruders the opportunity to "train" the system so that intrusion events conform to the statistical regularities of normal operation, and thus slip past the IDS [8~11].

4 Development trends of intrusion detection technology

The current development trends of intrusion detection technology at home and abroad [12, 13] are:

(1) Distributed intrusion detection. This concept has two meanings: at the first level, detection methods for distributed network attacks; at the second, the use of distributed methods to detect distributed attacks. The key technologies are the collection of detection information and the extraction of global information about the intrusion. Distributed systems are one of the main directions of modern IDS; they can make the most of system resources in data collection, intrusion analysis and automatic response, and their design model has great flexibility.

(2) Intelligent intrusion detection, i.e. using intelligent methods and means to carry out intrusion detection. The intelligent methods currently in common use, such as neural networks, genetic algorithms, fuzzy techniques and immune principles, are used to identify and generalize intrusion features.
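The Markov process model named among the statistical methods of 3.2.2 above, as an added example that is not code from the original article. A first-order Markov chain over the commands a user runs in a session is learned from normal sessions; a new session is scored by its average negative log-likelihood per transition, and sessions scoring well above the worst training session are flagged. Commands never seen in training map to an `<unk>` token. The sessions, the smoothing constant and the margin are constructed for the demonstration.

```python
"""Added example, not from the original article: a first-order Markov model of
command sequences used as an anomaly profile. Sessions, smoothing constant and
margin are constructed for the demonstration.
"""
import math
from collections import Counter, defaultdict

START, END, UNK = "<s>", "</s>", "<unk>"
ALPHA = 0.1   # additive smoothing: unseen transitions get a small non-zero probability


class MarkovProfile:
    def __init__(self, sessions: list):
        self.vocab = {tok for s in sessions for tok in s} | {END, UNK}
        self.counts = defaultdict(Counter)          # counts[a][b] = times b followed a
        for s in sessions:
            for a, b in self.transitions(s):
                self.counts[a][b] += 1

    def transitions(self, session: list) -> list:
        toks = [START] + [t if t in self.vocab else UNK for t in session] + [END]
        return list(zip(toks, toks[1:]))

    def prob(self, a: str, b: str) -> float:
        row = self.counts[a]                         # unseen predecessor: uniform over vocab
        return (row[b] + ALPHA) / (sum(row.values()) + ALPHA * len(self.vocab))

    def score(self, session: list) -> float:
        """Average negative log-likelihood (nats) per transition; higher = less like training."""
        trans = self.transitions(session)
        return sum(-math.log(self.prob(a, b)) for a, b in trans) / len(trans)


class MarkovDetector:
    def __init__(self, sessions: list, margin: float = 1.5):
        self.profile = MarkovProfile(sessions)
        # Threshold relative to the training data: a margin over the worst-scoring normal session.
        self.threshold = margin * max(self.profile.score(s) for s in sessions)

    def is_anomalous(self, session: list) -> bool:
        return self.profile.score(session) > self.threshold


# Constructed shell sessions of a developer (the normal behaviour to learn).
NORMAL_SESSIONS = [
    ["ls", "cd", "ls", "vi", "make", "ls", "exit"],
    ["cd", "ls", "vi", "make", "make", "exit"],
    ["ls", "vi", "vi", "make", "ls", "exit"],
    ["cd", "cd", "ls", "cat", "vi", "make", "exit"],
    ["ls", "cat", "cat", "vi", "make", "exit"],
    ["cd", "ls", "cat", "vi", "make", "make", "ls", "exit"],
]
HELD_OUT_NORMAL = ["ls", "cd", "ls", "cat", "vi", "make", "make", "exit"]
ATTACK_UNKNOWN_TOOLS = ["cd", "wget", "chmod", "./x", "crontab", "exit"]          # tools never seen
ATTACK_KNOWN_TOOLS_ODD_ORDER = ["make", "make", "make", "cd", "cd", "cd", "cat"]   # known commands, wrong order


def demo_detector() -> MarkovDetector:
    return MarkovDetector(NORMAL_SESSIONS)


if __name__ == "__main__":
    d = demo_detector()
    for s in (HELD_OUT_NORMAL, ATTACK_UNKNOWN_TOOLS, ATTACK_KNOWN_TOOLS_ODD_ORDER):
        print(round(d.profile.score(s), 2), d.is_anomalous(s), s)
```

The second attack session is worth noting: it uses only commands the profile has seen, but in transitions it has never seen, and scores even higher than the session with unknown tools. That is what a transition model adds over a simple frequency count of commands. The weakness the section names applies directly: the profile is only as clean as the sessions it was trained on, and an intruder whose own sessions enter the training set is "training" the detector to accept them.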
Constructing an IDS on the ideas of expert systems is also one of the common intelligent methods.

(3) Combination of network security technologies. IDS is being combined with firewalls, PKIX, Secure Electronic Transaction (SET) and other new network security and e-commerce technologies to provide complete network security. For example, combining network-based and host-based intrusion detection will integrate the current network-based and host-based detection techniques so that they complement each other, providing integrated attack signatures, detection, reporting and event correlation.

5 Application prospects of IDS [14]

With the rapid development of the Internet, the increase in security incidents and the maturing of intrusion detection technology, intrusion detection systems have great application prospects. For example, banks' Internet application systems (payment gateways, online banking, etc.), the development systems of research institutions, military systems, ordinary e-commerce systems and ICPs all need the protection of an IDS.

(1) Wireless networks. Mobile communication has been widely adopted because of advantages such as freedom from geographical restriction and free movement; at present 73 million people worldwide use wireless data phones. But along with the advantage of mobility, mobile communication brings system security problems.
Because of the inherent characteristics of mobile communications, the air interface between the mobile station (MS) and the base station (BS) is open, so the whole communication process, including link establishment and the transmission of information (such as the user's identity, location, voice and other data streams), is exposed to third parties. Moreover, in a mobile communication system there is no fixed physical connection between mobile users and the network, so mobile users must send their identity information over the wireless channel for the network to identify them correctly; this information may be intercepted by a third party, who can then forge it and impersonate the user to obtain communication services. Wireless networks are also vulnerable to hackers and viruses. Therefore IDS has wide application prospects in wireless networks.

(2) IDS in the home. In recent years IDS has relieved company managers of worries about hackers and internal criminals, and IDS now also aims to protect PCs in the home. More and more people connect their computers to their companies through the Internet, and by 2005 26 million people will be using residential high-speed Internet services. With broadband, these users' cable or DSL modems are always on, which is a great temptation for hackers. Hackers can break into the network, steal credit card or identity card numbers, or gain access to network management systems, and some fast-spreading viruses also expose the contents of personal computers to hackers. All this signals that IDS will gradually move into the home.

6 Concluding remarks

Finally, we should understand that, although it is an important part of a computer network security solution, an IDS is not a complete security solution by itself; it cannot replace other security systems such as access control, identification and authentication, encryption, firewalls, and virus detection and removal.
But it can cooperate closely with other security systems, such as firewalls and security network management systems, to enhance its own dynamic and flexible response and immunity capabilities and provide us with a more secure network environment.

References

[1] Qi Jianqing, Yan Bin, Yang Zheng. IDS research overview. Electronic Warfare Technology, Vol. 16, No. 4, 2001
[2] Denning D E. An intrusion-detection model. IEEE Transactions on Software Engineering, 1987, SE-13(2): 222-232
[3] Sandeep Kumar. Classification and Detection of Computer Intrusions. Ph.D. Thesis, Purdue University, Indiana
[4] Dacier M, Jackson K. Intrusion detection. Computer Networks, 1999, 31(23-24): 2433-2434
[5] Liu Chun Ode, Yang Shoubao, Dous-sur-Doume. Network-based intrusion detection system and its implementation. Computer Applications, Vol. 23, No. 2, 2003
[6] Enami, Guo Qiao. Some improvement measures for network-based IDS. Computer Engineering and Design, Vol. 24, No. 3, 2003
[7] Du Yanhui et al. Intrusion detection technology based on the combination of network and host. Fire Control and Command Control, Vol. 27, No. 2, 2002
[8] Li Yu, Li Weihua. Research and implementation of a distributed intrusion detection system. Computer Engineering and Applications, 2003(4)
[9] Lu Hongwei, Luo Gang. Expert-system-based intrusion detection method. WISCO Technology, Vol. 41, No. 1, 2003
[10] Shao. Application of intelligent neural networks in Internet intrusion detection. High Technology Letters, 2002(7)
[11] Tan Xiaobin et al. Hidden Markov model for computer system intrusion detection. Journal of Computer Research and Development, Vol. 40, No. 2, 2003
[12] Zhang Ying, Wang Hui. An Internet security guard system interacting with intrusion detection. Computer Engineering and Applications, 2003(7)
[13] Hu Huaping et al. Research on intrusion detection and early-warning systems for large-scale networks. Journal of National University of Defense Technology, Vol. 25, No. 1, 2003
[14] Zhou Jianguo, Cao Qingguo, Zhao Qingjun. Research on computer network intrusion detection systems. Computer Engineering, Vol. 29, No. 2, 2003
