The relationship between intrusion detection and network audit products

Source: Internet
Author: User
Tags: log, system log

Are intrusion detection and network audit products twin brothers?

An intrusion detection system (IDS) is an important tool for network security monitoring: it is the patrol officer on the network's "street", constantly watching for abnormal behaviour on the network. Network audit is the record of user behaviour: it is the video recorder inside the network's "building", recording the course of each action so that it can serve as evidence in a later audit.

Consider the familiar surveillance system of an office building. In the security room there is a large wall of monitors that staff watch in real time; this is the IDS type. Such a monitoring system needs people to take part in real time, raising the alarm and responding as soon as an abnormality is found. The video system in front of a bank ATM in a public place is the audit type: when it becomes necessary to see who performed which operation at what time, the recording is retrieved and used to gather evidence.

On the surface, both products use a network "camera" to capture and analyse information on the network. In fact, the technology of both products comes from the same source, system log analysis, as if they were a pair of twin brothers. But "a dragon bears nine sons, each one different": the environments differ, and the feature sets of the two products differ widely.

First: "hereditary" characteristics

An IDS needs to detect and judge intrusion behaviour in time; an audit system needs to record user behaviour. The two seem as unrelated as "wind, horse and ox" (things that never meet). They are said to be similar because of their common "ancestor": both developed from host log analysis technology. With different security objectives, one concentrates on "correlation analysis" of events while the other concentrates on reproducing events afterwards. Although the gap between the two later grew wider and wider, their technology and products still have many similarities. We have summarised several points below:

1) Product Design Framework

Both IDS and audit products are security analysis products. They are attached to the network in "parallel" (out of band), so they do not affect the performance of the business. Their product design structure is basically the same: a control centre, a database, a console and data collection engines, deployed in a distributed manner.


2) Information acquisition

  • How information is collected from the network

The typical method is port mirroring on a network link (on an optical link an optical splitter can also be used): the normal communication signals (data) on the network are copied to the mirror device. In the figure, the blue line is the IDS's information collection and the red line is the audit system's. Mirroring of multiple links can also be arranged according to the product's deployment, with a separate data collection engine mirrored one-to-one for each flow, or several links mirrored to one engine.

  • How information is collected from the host

Information on the host is generally collected by installing agent software, but it can also be obtained from the host through communication protocols such as syslog and SNMP. Host IDS technology likewise began as analysis of the system log and later developed into monitoring of host processes and state. The host's system operation log, its security log and the operation log of the database are also the data sources of the audit system.
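The "common ancestor" described above (both product families grew out of host log analysis, one towards real-time correlation and the other towards after-the-fact reproduction) can be shown concretely. The following is an added example written for this page, not code from the original article or from any IDS or audit product: it parses a few constructed syslog lines (an assumed sshd and sudo format, not captured from a real host) and feeds the same events into two paths. The detection path applies an assumed correlation rule, three failed logins from one source within 60 seconds, and alerts as soon as the threshold is crossed; the audit path simply keeps every event so that "who did what, and when" can be answered later.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (RFC 3164 style); not taken from any real host.
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[2001]: Failed password for root from 10.0.0.5 port 51000 ssh2
Mar 10 08:00:07 host1 sshd[2002]: Failed password for root from 10.0.0.5 port 51001 ssh2
Mar 10 08:00:15 host1 sshd[2003]: Failed password for admin from 10.0.0.5 port 51002 ssh2
Mar 10 08:01:30 host1 sshd[2004]: Accepted password for alice from 10.0.0.8 port 52000 ssh2
Mar 10 08:02:10 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Mar 10 08:05:00 host1 sshd[2005]: Failed password for root from 10.0.0.9 port 53000 ssh2
"""

# Assumed message formats (hypothetical, chosen to match the sample above).
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")


def parse_line(line, year=2024):
    """Split one syslog line into timestamp, host, program and message.
    Returns None for lines that do not match (they are skipped, not dropped silently
    in a real product, where unparsed lines should be counted)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def to_event(rec):
    """Normalise a parsed record into the common event shape shared by both paths."""
    msg = rec["msg"]
    if rec["prog"] == "sshd":
        m = FAILED_RE.search(msg)
        if m:
            return {**rec, "kind": "login_failed", "user": m["user"], "src": m["src"]}
        m = ACCEPT_RE.search(msg)
        if m:
            return {**rec, "kind": "login_ok", "user": m["user"], "src": m["src"]}
    if rec["prog"] == "sudo":
        m = SUDO_RE.match(msg)
        if m:
            return {**rec, "kind": "priv_cmd", "user": m["user"], "cmd": m["cmd"]}
    return {**rec, "kind": "other"}


class BruteForceDetector:
    """IDS-style correlation: alert in real time when one source produces
    `threshold` failed logins within `window_s` seconds (assumed rule)."""

    def __init__(self, threshold=3, window_s=60):
        self.threshold = threshold
        self.window_s = window_s
        self.failures = defaultdict(deque)  # src -> timestamps of recent failures
        self.alerts = []

    def feed(self, ev):
        if ev["kind"] != "login_failed":
            return None
        q = self.failures[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the sliding window.
        while (ev["ts"] - q[0]).total_seconds() > self.window_s:
            q.popleft()
        if len(q) >= self.threshold:
            alert = f"{ev['ts']:%H:%M:%S} possible brute force from {ev['src']} ({len(q)} failures in {self.window_s}s)"
            self.alerts.append(alert)
            q.clear()  # one burst raises one alert
            return alert
        return None


class AuditStore:
    """Audit-style recording: keep every event so that 'who did what, when'
    can be reconstructed afterwards."""

    def __init__(self):
        self.events = []

    def record(self, ev):
        self.events.append(ev)

    def actions_by(self, user):
        return [(e["ts"], e["kind"], e.get("cmd") or e.get("src"))
                for e in self.events if e.get("user") == user]

    def between(self, start, end):
        return [e for e in self.events if start <= e["ts"] <= end]


def process(log_text):
    """Run the same log stream through the real-time path and the audit path."""
    detector = BruteForceDetector()
    audit = AuditStore()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ev = to_event(rec)
        detector.feed(ev)   # real-time correlation
        audit.record(ev)    # after-the-fact record
    return detector, audit


if __name__ == "__main__":
    det, aud = process(SAMPLE_LOG)
    for a in det.alerts:
        print("ALERT:", a)
    for ts, kind, detail in aud.actions_by("alice"):
        print(f"AUDIT alice {ts:%H:%M:%S} {kind} {detail}")
```

Running it on the sample raises one alert, on the third failure from 10.0.0.5 at 08:00:15, while the single failure from 10.0.0.9 never crosses the threshold and is only preserved in the audit store. The audit query for alice returns her successful login and the privileged command she ran, which is exactly the "who, what, when" question the audit product exists to answer and which the detector, having no rule for it, never reports.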
