Research on intrusion detection and network security development technology

Source: Internet
Author: User
As the risk to networked systems has grown, the firewall, once the main security precaution, can no longer meet the need on its own. As a useful complement to the firewall, an IDS (Intrusion Detection System) helps a network quickly detect that an attack is taking place; it extends the system administrator's security management capabilities (security audit, monitoring, attack identification and response) and improves the integrity of the information security infrastructure.

  I. Intrusion detection system (IDS) explained

An IDS is a network security system: when adversaries or malicious users try to break into the network from the Internet, or into a host on it, the IDS detects the attempt, raises an alarm and notifies the network operators so that they can respond.

In essence, an intrusion detection system is a typical sniffer. A network IDS usually has a single listening interface on one physical segment (for example a mirror or SPAN port), forwards no traffic itself, and only passively and silently collects the packets it is interested in. The intrusion detection/response process is shown in Figure 1.



Figure 1: Intrusion Detection/Response flowchart

At present, the analysis and detection phase of an IDS generally uses the following technical means: signature database matching, statistical analysis and integrity analysis. The first two are used for real-time intrusion detection; integrity analysis is used for post-mortem analysis.
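The three analysis techniques above, as an added illustration that is not code from the original article or from any IDS product: signature matching after percent-decoding the payload, a statistical threshold over per-host connection counts, and a SHA-256 integrity check against a stored baseline. The signatures, the baseline counts, the flows and the files are all constructed for the example.

```python
"""Three IDS analysis techniques on constructed sample data (added example)."""
import hashlib
import re
import statistics
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote_to_bytes

# --- 1. Signature database matching (real-time) ------------------------------
# Illustrative signatures, assumed for this example (not a vendor rule set).
SIGNATURES = [
    ("sql-injection-union", re.compile(rb"union\s+(all\s+)?select", re.IGNORECASE)),
    ("path-traversal", re.compile(rb"(\.\./){2,}")),
    ("ftp-site-exec", re.compile(rb"^SITE\s+EXEC", re.IGNORECASE | re.MULTILINE)),
]

def inspect_payload(payload: bytes) -> List[str]:
    """Percent-decode the payload first (so 'UNION%20SELECT' is not missed),
    then return the names of every signature that matches."""
    normalized = unquote_to_bytes(payload)
    return [name for name, rx in SIGNATURES if rx.search(normalized)]

# --- 2. Statistical analysis (real-time anomaly detection) --------------------
def anomalous_sources(flows: List[Tuple[str, str, int]],
                      baseline: List[int], k: float = 3.0) -> Dict[str, float]:
    """Count new connections per source in `flows` ((src, dst, dport) records) and
    flag sources whose count exceeds mean + k * stdev of `baseline`, a list of
    per-host connection counts seen during normal operation. Returns {src: z}."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0   # flat baseline: avoid dividing by zero
    counts = Counter(src for src, _, _ in flows)
    return {src: (n - mean) / sd for src, n in counts.items() if (n - mean) / sd > k}

# --- 3. Integrity analysis (post-mortem) --------------------------------------
def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def integrity_violations(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """Compare a snapshot {path: content} against stored {path: sha256} digests.
    Reports files that changed and files that disappeared since the baseline."""
    findings = []
    for path, digest in baseline.items():
        if path not in current:
            findings.append(f"{path}: missing")
        elif file_digest(current[path]) != digest:
            findings.append(f"{path}: modified")
    return findings

# --- Constructed sample input (not captured traffic or real files) ------------
BENIGN_REQUEST = b"GET /index.php?id=1 HTTP/1.1\r\nHost: shop.example\r\n\r\n"
ATTACK_REQUEST = b"GET /index.php?id=1%20UNION%20SELECT%20passwd HTTP/1.1\r\n\r\n"

# Normal hosts open a handful of connections each; 10.0.0.99 sweeps 40 ports.
BASELINE_COUNTS = [3, 4, 5, 4, 3, 6, 4, 5]
SAMPLE_FLOWS = [("10.0.0.5", "10.0.1.10", p) for p in (80, 443, 22, 25, 53)]
SAMPLE_FLOWS += [("10.0.0.99", "10.0.1.10", p) for p in range(1, 41)]

ORIGINAL_FILES = {"/etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
                  "/usr/bin/ls": b"\x7fELF...ls...",
                  "/etc/hosts": b"127.0.0.1 localhost\n"}
STORED_DIGESTS = {p: file_digest(c) for p, c in ORIGINAL_FILES.items()}
CURRENT_FILES = {"/etc/passwd": b"root:x:0:0::/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n",
                 "/etc/hosts": ORIGINAL_FILES["/etc/hosts"]}   # /usr/bin/ls was deleted

if __name__ == "__main__":
    print("signatures:", inspect_payload(BENIGN_REQUEST), inspect_payload(ATTACK_REQUEST))
    print("anomalous sources:", anomalous_sources(SAMPLE_FLOWS, BASELINE_COUNTS))
    print("integrity:", integrity_violations(STORED_DIGESTS, CURRENT_FILES))
```

Note the decoding step before signature matching: without it the percent-encoded request slips past the `UNION SELECT` pattern, which is the simplest form of the evasion problem that signature-only products struggle with.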

  II. Problems with IDS

1. High false positive / false negative rate

Detection methods commonly used in IDS include signature detection, anomaly detection, stateful detection, protocol analysis and so on, and each has its flaws. For example, anomaly detection usually relies on statistical methods, and the threshold of a statistical method is hard to set well: too low a value produces a large number of false positives, too high a value produces a large number of false negatives. In protocol analysis mode, a typical IDS only handles the commonly used protocols such as HTTP, FTP and SMTP; the large number of remaining protocol messages can easily lead to missed or false detections, and if the IDS tried to support as many protocols as possible, the cost would be unbearable.
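The threshold trade-off above, worked through on constructed, labelled data as an added example (not from the article): every host whose connection count exceeds the threshold raises an alert, and the false positive and false negative rates are computed for each candidate threshold. The per-host counts, their labels and the cost weights are assumptions.

```python
"""How the anomaly threshold trades false positives for false negatives (added example)."""
from typing import Dict, Iterable, List, Tuple

# Constructed, labelled connection counts per host for one interval: (count, is_attacker).
# Benign hosts cluster low but have a tail; attackers are mostly high but one is quiet.
# The overlap between the two populations is what makes the threshold hard to set.
LABELLED_HOSTS: List[Tuple[int, bool]] = [
    (3, False), (4, False), (5, False), (4, False), (6, False),
    (7, False), (9, False), (12, False), (5, False), (4, False),
    (10, True), (15, True), (40, True), (60, True), (8, True),
]

def evaluate(threshold: int, hosts=LABELLED_HOSTS) -> Dict[str, float]:
    """Alert on every host whose count is above `threshold`; return the false
    positive rate (benign hosts alerted) and false negative rate (attackers missed)."""
    benign = [n for n, attacker in hosts if not attacker]
    attackers = [n for n, attacker in hosts if attacker]
    fp = sum(n > threshold for n in benign)
    fn = sum(n <= threshold for n in attackers)
    return {"threshold": threshold, "fp_rate": fp / len(benign), "fn_rate": fn / len(attackers)}

def sweep(thresholds: Iterable[int] = range(2, 21, 2)) -> List[Dict[str, float]]:
    """Evaluate every candidate threshold so the two error rates can be compared."""
    return [evaluate(t) for t in thresholds]

def best_threshold(cost_fp: float = 1.0, cost_fn: float = 5.0,
                   thresholds: Iterable[int] = range(2, 21)) -> int:
    """Pick the threshold minimising cost_fp * FP rate + cost_fn * FN rate.
    A missed intrusion normally costs more than a false alarm, hence the default weights."""
    def cost(t: int) -> float:
        r = evaluate(t)
        return cost_fp * r["fp_rate"] + cost_fn * r["fn_rate"]
    return min(thresholds, key=cost)

if __name__ == "__main__":
    for r in sweep():
        print(f"threshold {r['threshold']:2d}: FP {r['fp_rate']:.2f}  FN {r['fn_rate']:.2f}")
    print("chosen threshold:", best_threshold())
```

On this data no threshold is clean: anything low enough to catch the quiet attacker (8 connections) also alerts on the chatty benign host (12). The only principled way out is to weigh the two error costs explicitly, as `best_threshold` does, rather than picking a round number.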

2. No active defense capability

IDS technology works on a preset, signature-analysis principle, so updates to the detection rules always lag behind updates to the attack methods.

3. Lack of accurate location and response mechanisms

An IDS only recognises IP addresses; it cannot locate them physically and cannot identify the true source of the data. When it discovers an attack, an IDS can only shut down a few ports, such as the network exit and the servers, and shutting these down also affects other, legitimate users. It therefore lacks a more effective response mechanism.

4. Generally insufficient performance

Today most IDS products on the market use signature detection, and these products have been unable to keep up with switched networks and high-bandwidth environments. Under heavy traffic, a flood of IP fragments can stall the IDS or make it drop packets, effectively a denial of service against the IDS itself, during which the attacks it would otherwise catch go unseen.
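Fragmentation is also a classic way to evade an IDS that inspects fragments one at a time, and reassembling them costs memory, which is exactly what a fragment flood exhausts. The following added example (not code from the article; the fragment layout and the request are constructed) shows a signature that a per-fragment check misses but a reassembling check finds, and a reassembler with caps on pending datagrams, whose `dropped` counter is the blind spot the paragraph above describes.

```python
"""Fragment reassembly before signature matching, with a pending-buffer cap (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SIGNATURE = re.compile(rb"union\s+select", re.IGNORECASE)

@dataclass
class Fragment:
    """Minimal IPv4 fragment: datagram id, byte offset, more-fragments flag, payload.
    Real IP carries the offset in 8-byte units; plain byte offsets are used here."""
    ident: int
    offset: int
    more: bool
    payload: bytes

def match_per_fragment(frags: List[Fragment]) -> bool:
    """A naive IDS that inspects each fragment on its own misses a signature
    that straddles two fragments."""
    return any(SIGNATURE.search(f.payload) for f in frags)

@dataclass
class Reassembler:
    max_pending: int = 64   # incomplete datagrams held at once (memory bound)
    max_frags: int = 16     # fragments accepted per datagram
    pending: Dict[int, Dict[int, Fragment]] = field(default_factory=dict)
    dropped: int = 0        # datagrams discarded by the caps: these go uninspected

    def feed(self, frag: Fragment) -> Optional[bytes]:
        """Buffer one fragment; return the whole datagram once it is complete."""
        bucket = self.pending.get(frag.ident)
        if bucket is None:
            if len(self.pending) >= self.max_pending:
                self.dropped += 1          # under a fragment flood this is the blind spot
                return None
            bucket = self.pending[frag.ident] = {}
        if len(bucket) >= self.max_frags:
            del self.pending[frag.ident]
            self.dropped += 1
            return None
        bucket[frag.offset] = frag         # a repeated offset simply replaces the earlier copy
        if not any(not f.more for f in bucket.values()):
            return None                    # final fragment not seen yet
        data, pos = bytearray(), 0
        for off in sorted(bucket):
            if off > pos:
                return None                # hole: still waiting for a fragment
            if off < pos:                  # overlap: ambiguous, refuse to guess
                del self.pending[frag.ident]
                self.dropped += 1
                return None
            data += bucket[off].payload
            pos += len(bucket[off].payload)
        del self.pending[frag.ident]
        return bytes(data)

def match_with_reassembly(frags: List[Fragment], r: Optional[Reassembler] = None) -> bool:
    """Inspect datagrams only after they are reassembled, in whatever order fragments arrive."""
    r = r or Reassembler()
    return any(SIGNATURE.search(d) for f in frags if (d := r.feed(f)) is not None)

def flood_drops(n_datagrams: int, max_pending: int) -> int:
    """Feed the first fragment of n distinct datagrams that never complete and
    report how many the cap forced the reassembler to give up on."""
    r = Reassembler(max_pending=max_pending)
    for i in range(n_datagrams):
        r.feed(Fragment(ident=i, offset=0, more=True, payload=b"\x00" * 8))
    return r.dropped

# Constructed input: one HTTP request split so the signature straddles the boundary.
REQUEST = b"GET /?q=1 UNION SELECT 1 HTTP/1.0\r\n"
SPLIT_ATTACK = [Fragment(7, 0, True, REQUEST[:16]), Fragment(7, 16, False, REQUEST[16:])]

if __name__ == "__main__":
    print("per-fragment:", match_per_fragment(SPLIT_ATTACK))
    print("reassembled: ", match_with_reassembly(SPLIT_ATTACK))
    print("datagrams dropped by a cap of 2 under a 3-datagram flood:", flood_drops(3, 2))
```

The two caps are the trade-off in miniature: without them the reassembler's memory grows until the sensor falls over; with them an attacker who can keep the pending table full knows that everything arriving afterwards is discarded uninspected.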

  III. The development of IDS technology

Although IDS has its flaws, seen from a different perspective all network attackers and viruses depend on the network platform, and if the network platform can cut off their transmission, security is better guaranteed. From this thinking, linkage between network equipment and IDS equipment has emerged.

Linkage between IDS and network switching equipment means that the switch or firewall, in the course of operation, sends information about its various data flows to the security equipment; the IDS inspects the reported flow information and content and, when it discovers a security incident, takes targeted action. Its response is sent back to the switch or firewall, which then closes or disconnects the exact port involved. This gives rise to the concept of the intrusion prevention system (IPS).

Simply put, an IPS can be thought of as a firewall plus an intrusion detection system. IPS technology adds an active response function to the monitoring function of an IDS: as soon as attack behaviour is confirmed, it responds immediately and cuts off the connection. Unlike an IDS, it is not deployed in parallel with the traffic (off a mirror port) but inserted in-line in the network path; its function is shown in Figure 2.



Figure 2: IPS function sketch

In addition to IPS, some vendors have proposed IMS (Intrusion Management System). IMS is a process that considers the vulnerabilities in the network before any attack occurs, to determine what kinds of attack are likely and what the risk of intrusion is; when an intrusion occurs or is about to occur, it not only detects the behaviour but also actively blocks and terminates it; and after the intrusion it analyses the behaviour in depth and, through correlation analysis, judges whether a further attack is likely.
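A minimal form of the IDS-to-firewall linkage described above, as an added example that is not from the article or any vendor product: alert lines in an assumed one-line format are parsed, and a block command for an nftables set with timeouts is generated only when the rule is on a vetted list, the priority is high and the source is not on a never-block list, which addresses the collateral-damage problem raised in section II.3. The alert format, rule IDs, addresses and the nftables table, chain and set names are all assumptions; the commands are returned as strings, not executed.

```python
"""IDS alert to firewall linkage with safeguards against collateral blocking (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# One-line alert format assumed for this example (modelled loosely on the
# single-line "fast" alert style of common network IDS engines).
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\] "
    r"\[Priority: (?P<prio>\d)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

@dataclass
class Alert:
    sid: int
    msg: str
    priority: int
    src: str
    dst: str
    dport: int

def parse_alert(line: str) -> Optional[Alert]:
    """Return the structured alert, or None for a line in another format."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], int(m["prio"]), m["src"], m["dst"], int(m["dport"]))

# Safeguards (assumed values): never auto-block the management network or the
# upstream gateway, and only act on rules that have proven reliable enough.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.1/32")]
ACTIONABLE_SIDS = {1000001, 1000002}
SET_NAME = "blocked_v4"   # nftables set created with 'flags timeout' (see SETUP below)

def decide(alert: Alert, minutes: int = 10) -> Optional[str]:
    """Return the nft command that blocks alert.src for `minutes`, or None if the
    alert should only be logged: low priority, unvetted rule, or protected source."""
    if alert.priority != 1 or alert.sid not in ACTIONABLE_SIDS:
        return None
    src = ipaddress.ip_address(alert.src)
    if any(src in net for net in NEVER_BLOCK):
        return None
    # A timed set element expires on its own, so a false positive is self-healing.
    return f"nft add element inet filter {SET_NAME} {{ {src} timeout {minutes}m }}"

def respond(lines: List[str]) -> List[str]:
    """Turn a batch of alert lines into de-duplicated block commands."""
    commands: List[str] = []
    for line in lines:
        alert = parse_alert(line)
        cmd = decide(alert) if alert else None
        if cmd and cmd not in commands:
            commands.append(cmd)
    return commands

# One-time firewall preparation the commands above rely on (assumed layout).
SETUP = [
    "nft add table inet filter",
    "nft add chain inet filter input { type filter hook input priority 0; }",
    f"nft add set inet filter {SET_NAME} {{ type ipv4_addr; flags timeout; }}",
    f"nft add rule inet filter input ip saddr @{SET_NAME} drop",
]

# Constructed sample alerts (not real sensor output).
SAMPLE_ALERTS = [
    "[**] [1:1000001:1] SQL injection UNION SELECT in URI [**] [Priority: 1] {TCP} 203.0.113.7:51234 -> 198.51.100.10:80",
    "[**] [1:1000001:1] SQL injection UNION SELECT in URI [**] [Priority: 1] {TCP} 203.0.113.7:51235 -> 198.51.100.10:80",
    "[**] [1:1000001:1] SQL injection UNION SELECT in URI [**] [Priority: 1] {TCP} 10.0.0.15:40000 -> 198.51.100.10:80",
    "[**] [1:2000003:2] Possible port sweep [**] [Priority: 3] {TCP} 203.0.113.9:44444 -> 198.51.100.10:22",
    "a line the parser does not understand",
]

if __name__ == "__main__":
    for cmd in SETUP + respond(SAMPLE_ALERTS):
        print(cmd)
```

Of the four parseable alerts only the first source is blocked: the duplicate collapses into one command, the management-network host is protected by the never-block list, and the low-priority sweep rule is not on the actionable list. That is the difference between an IPS that cuts off attackers and one that cuts off its own users.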

  IV. Development direction of network security

1. Detection and access control technologies will coexist and prosper together

Detection technology, represented by IDS, and access control technology, represented by the firewall, are fundamentally two distinct kinds of technical behaviour.

(1) A firewall takes the form of a gateway and requires high performance and high reliability. It therefore focuses on throughput, latency, high availability (HA) and similar requirements. Its main functions are to pass (forward) and to block, so the demands on forwarding are very high.

(2) An IDS, by contrast, is characterised by detection and discovery; it pursues a lower false negative rate and a lower false positive rate. Its performance goal is that packet capture must not miss anything and analysis must not be wrong, rather than microsecond-level results. Because of these technical characteristics, IDS has high computational complexity.

In this sense, detection and access control technologies will, for a considerable time, each pay more attention to their own characteristics and improve their own performance and reliability; neither will replace the other, nor will they simply merge into a single fused technology.

2. Coordination of detection and access control is an inevitable trend

Although detection technology and access control technology differ, combining the two and applying them together is an urgent requirement and an inevitable trend.

The integration, coordination and centralised management of security products are the direction in which network security is developing. Large enterprises need integrated security solutions and fine-grained means of security control; small and medium-sized enterprises want effective security without a large investment in information security. From early intrusion detection systems with active response, to IDS and firewall linkage, and then to IPS and IMS, the process of meeting security needs has improved continuously.

3. How to integrate the technologies

The view of "centralised detection, distributed control" is important for understanding the trend of detection and access control technology. An IDS whose accuracy is not entirely satisfactory can be made accurate by manual analysis. In the same way, more accurate results can be obtained by centrally analysing the output of a large-scale IDS deployment and correlating it with other detection technologies. Local event detection thus moves toward global event detection, and overall response and control can be carried out according to the global detection results.

Global detection can effectively solve the problem of detection accuracy, but the detection process is long and the local response is not fast enough. Therefore, for local events that can be judged accurately and where the side effects of blocking are relatively small, detection can be relatively fast and an IPS is the better solution.
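Centralised correlation of local detections, as an added example that is not from the article (the sensor names, event records and time window are constructed), serving both the IMS "correlation analysis" in section III and "centralised detection, distributed control" above: events from a firewall, a network IDS and a host integrity monitor are grouped by source address inside a time window, escalated to an incident only when several independent sensors agree, and the resulting incident is turned into per-enforcement-point actions.

```python
"""Centralised correlation of local detections, with control handed back to the
enforcement points (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Event:
    ts: datetime
    sensor: str     # which detection point reported it
    kind: str       # signature | deny | integrity
    src: str        # offending source address
    detail: str

@dataclass
class Incident:
    src: str
    start: datetime
    end: datetime
    sensors: List[str]
    events: List[Event]

def _t(hhmmss: str) -> datetime:
    return datetime.fromisoformat("2024-05-01T" + hhmmss)

# Constructed events from three different sensors (not real logs).
EVENTS = [
    Event(_t("10:00:05"), "fw-edge",   "deny",      "203.0.113.7",  "22/tcp, 120 attempts"),
    Event(_t("10:00:40"), "nids-dmz",  "signature", "203.0.113.7",  "SSH brute force"),
    Event(_t("10:03:10"), "hids-web1", "integrity", "203.0.113.7",  "/etc/passwd changed after login from src"),
    Event(_t("10:20:00"), "nids-dmz",  "signature", "198.51.100.4", "ICMP sweep"),
    Event(_t("11:30:00"), "fw-edge",   "deny",      "203.0.113.7",  "445/tcp"),
]

def correlate(events: List[Event], window: timedelta = timedelta(minutes=15),
              min_sensors: int = 2) -> List[Incident]:
    """Centralised detection: a source becomes an incident when at least
    `min_sensors` distinct sensors report it inside one `window`. A lone local
    alert (the ICMP sweep) stays an alert; a late, unrelated deny does not
    re-open the earlier incident."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    incidents: List[Incident] = []
    for src, evs in by_src.items():
        i = 0
        while i < len(evs):
            group = [e for e in evs[i:] if e.ts - evs[i].ts <= window]
            sensors = sorted({e.sensor for e in group})
            if len(sensors) >= min_sensors:
                incidents.append(Incident(src, group[0].ts, group[-1].ts, sensors, group))
                i += len(group)        # these events are consumed by the incident
            else:
                i += 1
    return incidents

def plan_controls(incident: Incident) -> List[Tuple[str, str]]:
    """Distributed control: give each enforcement point the action it can carry out.
    The edge firewall blocks the source; any host whose integrity monitor fired is
    isolated so that evidence survives for the post-mortem."""
    actions = [("fw-edge", f"block {incident.src}")]
    for e in incident.events:
        if e.kind == "integrity":
            actions.append((e.sensor, "isolate host and preserve evidence"))
    return actions

if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc.src, inc.start.time(), "->", inc.end.time(), inc.sensors)
        for point, action in plan_controls(inc):
            print("  ", point, ":", action)
```

The `min_sensors` requirement is what makes the central verdict more trustworthy than any single local one: a firewall deny or an IDS signature alone is routine noise, but the same source tripping both plus a host-level integrity change within minutes is worth an automatic response. Lowering `min_sensors` to 1 turns every local alert into an incident and brings back the false-positive problem of section II.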

4. People are still the deciding factor in network security management

Undeniably, the human factor is still the deciding factor in network security management; the weakest link is not the system vulnerability but the human one. The core issue of security is a human problem, because all insecurity originates with people (or with some people). Our struggle against threats to information network security is in fact a struggle with people (or with some people), and a struggle of that nature is bound to be arduous, complex and long-lasting.

Therefore, relying solely on security technology and hardware and software products to solve network security problems is neither realistic nor wise. Only by raising awareness of network security, increasing the overall ability to prevent intrusion and attack, and on that basis building a high-quality professional network security management team that responds to all kinds of security incidents promptly and accurately, can we fundamentally solve the threats and problems we face.
