On Intrusion Detection Systems


In recent years, with the rapid development of information and network technology and driven by political, economic and military interests, computer and network infrastructure, and in particular the web sites of government bodies and other official organisations, have become popular targets of hacker attacks. The strong growth of e-commerce in recent years has intensified this trend. Because a firewall defends only against the outside, not against the inside, and can easily be bypassed, a computer system that relies on the firewall alone can no longer cope with increasingly rampant intrusions. A second line of defence against intrusion, the intrusion detection system, has therefore been put into use.

1 The concept of intrusion detection systems (IDS)

In 1980, James P. Anderson was the first to expound the concept of intrusion detection systematically. He divided intrusions into three kinds (external penetration, internal penetration and wrongdoing) and proposed the idea of using audit data to monitor for intrusions [1]. In 1986, Dorothy E. Denning proposed the concept of real-time anomaly detection [2] and built the first real-time intrusion detection model, the Intrusion Detection Expert System (IDES). In 1990, L. T. Heberlein and others designed NSM (Network Security Monitor), a network intrusion detection system that monitors data flows. From then on, intrusion detection systems developed in earnest.

Anderson defined an intrusion as a potential, premeditated attempt or threat: an unauthorised attempt to access information, to manipulate information, or to render a system unreliable or unusable. Intrusion detection is defined in [4] as the discovery of unauthorised individuals using a computer (such as "hackers"), of legitimate users of a computer system abusing their access rights, and of individuals attempting to commit such acts. The program that performs the task of intrusion detection is the intrusion detection system; an intrusion detection system can also be defined as software that detects attempts to compromise the integrity, authenticity and availability of computer resources.

The main tasks performed by an intrusion detection system include [3]: monitoring and analysing user and system activity; auditing the system configuration and identifying weaknesses; recognising activity that reflects known attack patterns and alerting the people concerned; statistical analysis of abnormal behaviour patterns; evaluating the integrity of critical systems and data files; auditing and tracking operating-system management operations; and identifying users whose behaviour violates the security policy. Intrusion detection is generally divided into three steps: information gathering, data analysis and response.

The purposes of intrusion detection are: (1) to identify intruders; (2) to identify intrusions; (3) to detect and monitor intrusions that are being carried out; (4) to provide information for countering intrusions, preventing them from occurring and from spreading on a larger scale.

2 Intrusion Detection System Model

D. E. Denning of SRI International presented the first intrusion detection model in 1986 [2]. The detection method of this model is to build a descriptive model of normal user behaviour and then compare the audit records of current user activity against it; a large deviation indicates that abnormal activity has occurred. This is a statistics-based detection method. As the technology developed, rule-based detection methods were also proposed, and many intrusion detection models were designed that combine the advantages of these two methods. The Common Intrusion Detection Framework (CIDF) organisation, in an attempt to standardise existing intrusion detection systems, describes a generic model of an intrusion detection system (commonly called the CIDF model), which divides an intrusion detection system into the following four components:

Event generator (Event Generators)

Event Analyzer (Event analyzers)

Response unit (Response units)

Event database (Event databases)

The data to be analysed is called an event; an event can be a packet on the network or a piece of information from a host's system logs. The purpose of the event generator is to obtain events from the whole computing environment and to provide these events to the other parts of the system. The event analyser analyses events and produces analysis results. The response unit is the functional unit that responds to the analysis results; it can take strong actions such as disconnecting a connection or modifying file attributes. The event database is the place where all kinds of intermediate and final data are stored; it can be a complex database or a simple text file.

3 Classification of Intrusion Detection Systems

Existing IDS classifications are mostly based on information source and analysis method. In order to reflect the new problems of IDS at the levels of deployment, collection, analysis, response and the system as a whole, five criteria are used here: control strategy, synchronisation, information source, analysis method and response mode.

Classification by control strategy

The control strategy describes how the various elements of an IDS are controlled and how the input and output of the IDS are managed. According to control strategy, IDS can be divided into centralised IDS, partially distributed IDS and fully distributed IDS. In a centralised IDS, a central node controls all monitoring, detection and reporting. In a partially distributed IDS, monitoring and detection are controlled by a local control point, and reports are sent hierarchically to one or more central stations. In a fully distributed IDS, monitoring and detection use an approach called "agents", and the agents decide on analysis and response themselves.

Classification by synchronisation technique

Synchronisation refers to whether events are monitored and analysed at the same time. According to synchronisation technique, IDS are divided into interval-based (batch) IDS and real-time continuous IDS. In an interval-based batch IDS, the information source is passed to the analyser in the form of files; the analyser handles only the information generated in a specific time period and afterwards returns the results, including whether an intrusion occurred, to the user. Many early host-based IDS used this scheme. In a real-time continuous IDS, each event is passed from the information source to the analysis engine as soon as it occurs, and it is processed and acted upon immediately. Real-time IDS is the preferred solution for network-based IDS.

Classification by information source

Classification by information source is the most common classification method; it divides IDS into host-based IDS, network-based IDS and distributed IDS. A host-based IDS detects attacks by analysing the audit trail and system logs of a single computer system. A network-based IDS sits at a critical point of the network or on a switch and detects attacks by capturing and analysing network packets. A distributed IDS can analyse data from host system logs and from the network data flow at the same time; the system consists of several components and uses a distributed structure.

Classification by analysis method

According to analysis method, IDS are divided into misuse-detection-based IDS and anomaly-detection-based IDS. A misuse-detection IDS first builds a knowledge base of past intrusion methods and system weaknesses; it raises an alarm when collected information matches a pattern in the knowledge base, and any activity that does not meet the specific criteria is regarded as legitimate, so such a system has a very low false alarm rate. An anomaly-detection IDS rests on the assumption that any kind of intrusion can be detected through its deviation from the normal or expected patterns of system and user activity; it therefore needs a database recording legitimate activities, and because such a database is limited, the false alarm rate is relatively high.
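The CIDF components of section 2, Denning's statistical model, the misuse/anomaly split above and the active/passive responses of the next subsection, put together as an added example (this is not code from the paper or from any product it names): an event generator parses constructed audit lines, a signature analyzer matches a small knowledge base, a profile analyzer flags a user whose failed-login count lies more than k standard deviations above a constructed baseline, and a response unit blocks the source for signature hits but only notifies for anomalies. The audit lines, the baseline, the signatures and the threshold k are all assumptions made for the example.

```python
"""Toy IDS along the four CIDF components, with a misuse (signature) analyzer and an
anomaly (statistical profile) analyzer.  Hypothetical example with constructed data."""
import re
import statistics
from collections import Counter, namedtuple

# Constructed audit trail, one event per line: "<seq> <user> <source-ip> <action> <detail>"
SAMPLE_AUDIT = [
    "1 alice 10.0.0.5 login ok",
    "2 bob 10.0.0.7 login failed",
    "3 bob 10.0.0.7 login failed",
    "4 alice 10.0.0.5 http GET /index.html",
    "5 bob 10.0.0.7 login failed",
    "6 bob 10.0.0.7 login failed",
    "7 mallory 198.51.100.9 http GET /cgi-bin/../../../etc/passwd",
    "8 bob 10.0.0.7 login failed",
]
# Constructed profile of normal activity: failed logins per user in five past windows
BASELINE = {"alice": [0, 1, 0, 0, 1], "bob": [1, 0, 1, 1, 0]}

Event = namedtuple("Event", "seq user src action detail")
Alert = namedtuple("Alert", "kind name user src evidence")  # kind: "misuse" | "anomaly"


class EventGenerator:
    """Event generator: turns raw audit lines into Event objects for the analyzers."""
    LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (.*)$")

    def __init__(self, lines):
        self.lines = lines

    def __iter__(self):
        for line in self.lines:
            m = self.LINE.match(line)
            if m:  # malformed lines are skipped rather than crashing the analyzers
                yield Event(int(m[1]), m[2], m[3], m[4], m[5])


class MisuseAnalyzer:
    """Misuse detection: match each event against a knowledge base of known attack patterns."""
    SIGNATURES = {
        "path_traversal": re.compile(r"(\.\./){2,}"),
        "shell_in_request": re.compile(r"/bin/(ba)?sh\b"),
    }

    def analyze(self, ev):
        for name, pat in self.SIGNATURES.items():
            if pat.search(ev.detail):
                return Alert("misuse", name, ev.user, ev.src, ev.detail)
        return None  # nothing in the knowledge base matched: treated as legitimate


class AnomalyAnalyzer:
    """Anomaly detection in the spirit of Denning's model: a per-user statistical profile
    of normal activity; a count beyond mean + k*stdev of the profile is flagged."""
    def __init__(self, baseline, k=3.0):
        self.baseline, self.k = baseline, k

    def analyze(self, counts):
        alerts = []
        for user, history in self.baseline.items():
            mean, sd = statistics.mean(history), statistics.stdev(history)
            n = counts.get(user, 0)
            if n > mean + self.k * sd:
                alerts.append(Alert("anomaly", "failed_logins", user, "-",
                                    f"{n} this window vs {mean:.1f} +/- {sd:.2f}"))
        return alerts  # users without a profile are not judged by this analyzer


class ResponseUnit:
    """Active response for signature hits (block the source); passive for anomalies (notify)."""
    def __init__(self):
        self.blocked, self.notifications = set(), []

    def respond(self, alert):
        if alert.kind == "misuse":
            self.blocked.add(alert.src)
        else:
            self.notifications.append(f"{alert.user}: {alert.name}, {alert.evidence}")


class EventDatabase:
    """Event database: intermediate events and final alerts; in-memory lists here."""
    def __init__(self):
        self.events, self.alerts = [], []


def run_ids(lines, baseline, k=3.0):
    """Wire the four components together over one window of audit data."""
    db, resp = EventDatabase(), ResponseUnit()
    misuse, anomaly = MisuseAnalyzer(), AnomalyAnalyzer(baseline, k)
    failed = Counter()
    for ev in EventGenerator(lines):
        db.events.append(ev)
        if ev.action == "login" and ev.detail == "failed":
            failed[ev.user] += 1
        hit = misuse.analyze(ev)  # signatures are checked per event as it arrives
        if hit:
            db.alerts.append(hit)
            resp.respond(hit)
    for alert in anomaly.analyze(failed):  # profiles are compared at the end of the window
        db.alerts.append(alert)
        resp.respond(alert)
    return db, resp
```

On the constructed window, `run_ids(SAMPLE_AUDIT, BASELINE)` yields one misuse alert (the traversal request, whose source is blocked) and one anomaly alert (bob's five failures against a profile of roughly 0.6 per window, which is only notified). Raising k to 10 makes the same window produce only the signature hit: the looser profile trades a missed alarm for fewer false alarms, which is the trade-off the text attributes to anomaly detection.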

Classification by response mode

According to response mode, IDS are divided into active-response IDS and passive-response IDS. When a particular intrusion is detected, an active-response IDS adopts one of the following three responses: collecting auxiliary information; changing the environment in order to close the vulnerability that allowed the intrusion; or taking action against the attacker (a practice that is not recommended, since it is somewhat aggressive). A passive-response IDS only reports the response information to the system's users, and administrators rely on this information to take further action.

4 IDS evaluation criteria

Intrusion detection technology is currently developing rapidly and is applied very broadly, so how to evaluate the strengths and weaknesses of an IDS is very important. The merits of an IDS are evaluated mainly on the following aspects [5]: (1) Accuracy. Accuracy means that the IDS does not mark a legitimate action in the environment as abnormal or as an intrusion. (2) Performance. The performance of an IDS is the speed at which it processes audit events; a real-time IDS must have good performance. (3) Integrity. Integrity means that the IDS can detect all attacks. (4) Fault tolerance. When the protected system is attacked and damaged, the original system data and functions can be restored quickly. (5) Resistance to attacks on the IDS itself. This is important, especially with respect to "denial of service" attacks, because most attacks on a target system first use a denial-of-service attack to disable the IDS and then carry out the attack on the system. (6) Timeliness. An IDS must perform its analysis and transmit the results as quickly as possible, so that a response can be made before serious harm is done to the system and before the attacker can destroy the audit data or the IDS itself.

Besides these main aspects, the following should also be considered: (1) the additional computer resources consumed by the IDS at run time; (2) the false alarm rate and the missed alarm rate; (3) adaptability and scalability; (4) flexibility; (5) management overhead; (6) whether it is easy to use and configure.
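Criteria (1), (3) and (6) above, together with the false alarm rate and missed alarm rate of the supplementary list, can be measured offline by replaying a labelled test set through the IDS and scoring its alerts. The scorer below is an added example, not code from the paper or from [5]; the ground-truth events and the IDS alert records are constructed, and the rate definitions (false alarm rate as the fraction of legitimate events flagged, missed alarm rate as the fraction of intrusions not flagged, timeliness as the mean delay between an intrusion and its alert) are the example's own choices.

```python
"""Score one IDS run against labelled ground truth along the criteria in the text.
Hypothetical example with constructed data."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class LabelledEvent:
    event_id: int
    is_intrusion: bool  # ground truth from the test set
    t: float            # time the event occurred, in seconds


@dataclass(frozen=True)
class AlertRecord:
    event_id: int       # event the IDS attributed the alert to
    t: float            # time the IDS raised the alert, in seconds


# Constructed test set: eight events, three of which are intrusions (2, 4, 7).
GROUND_TRUTH = [
    LabelledEvent(1, False, 0.0),
    LabelledEvent(2, True, 1.0),
    LabelledEvent(3, False, 2.0),
    LabelledEvent(4, True, 3.0),
    LabelledEvent(5, False, 4.0),
    LabelledEvent(6, False, 5.0),
    LabelledEvent(7, True, 6.0),
    LabelledEvent(8, False, 7.0),
]
# Constructed IDS output: intrusions 2 and 4 caught, legitimate event 5 flagged, intrusion 7 missed.
ALERTS = [AlertRecord(2, 1.5), AlertRecord(4, 3.2), AlertRecord(5, 4.1)]


def score(truth, alerts):
    """Confusion counts plus the accuracy, integrity and timeliness figures derived from them."""
    alerted = {a.event_id: a.t for a in alerts}
    tp = fp = fn = tn = 0
    latencies = []
    for ev in truth:
        hit = ev.event_id in alerted
        if ev.is_intrusion and hit:
            tp += 1
            latencies.append(alerted[ev.event_id] - ev.t)
        elif ev.is_intrusion:
            fn += 1           # a missed alarm: the IDS failed criterion (3), integrity
        elif hit:
            fp += 1           # a false alarm: the IDS failed criterion (1), accuracy
        else:
            tn += 1
    intrusions, legitimate = tp + fn, fp + tn
    return {
        "counts": (tp, fp, fn, tn),
        "detection_rate": tp / intrusions if intrusions else 0.0,
        "missed_alarm_rate": fn / intrusions if intrusions else 0.0,
        "false_alarm_rate": fp / legitimate if legitimate else 0.0,
        "mean_latency_s": mean(latencies) if latencies else None,  # criterion (6), timeliness
    }
```

Calling `score(GROUND_TRUTH, ALERTS)` on the constructed data gives two true positives, one false alarm and one missed intrusion: a detection rate of 2/3, a missed alarm rate of 1/3, a false alarm rate of 0.2 and a mean alert latency of about 0.35 s. Comparing two detectors is then a matter of running the same labelled set through both and comparing these figures, remembering that a detector tuned for a lower false alarm rate usually pays for it with a higher missed alarm rate.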

5 IDS development trends

With the development of intrusion detection technology, products have gradually taken shape and entered practical use. A typical representative intrusion detection system is RealSecure from ISS (Internet Security Systems). Other well-known commercial intrusion detection products include NAI's CyberCop Monitor, Axent's NetProwler, Cisco's NetRanger and CA's SessionWall-3. Domestic products of this class are fewer but are developing rapidly; Venus and several other domestic companies have launched products.

While improving existing technology, people are also exploring new detection methods, such as data fusion, proactive autonomous agents, intelligent techniques and the application of principles from immunology. The main directions of development can be summarised as follows:

(1) Large-scale distributed intrusion detection. Traditional intrusion detection technology is generally confined to a single host or a single network; it obviously cannot meet the needs of monitoring large-scale networks, and different intrusion detection systems cannot work together. It is therefore necessary to develop large-scale distributed intrusion detection technology.

(2) Real-time intrusion detection for broadband high-speed networks. High-speed networks keep emerging in large numbers and broadband access methods are endless, so how to achieve real-time intrusion detection on high-speed networks has become a genuine new problem.

(3) Data fusion for intrusion detection. At present IDS still have many defects: first, current technology is not well equipped to deal with the complexity of hacker attacks; second, the false alarm rate of the systems is too high; finally, the systems process large amounts of data, which not only does not help solve new problems but also reduces processing capability. Data fusion technology is a good way to solve this series of new problems.

(4) Combination with other network security technologies. Combining intrusion detection with firewalls, virus protection and e-commerce technologies to provide complete network security protection.

6 Conclusion

In the current state of computer security, protection based on firewalls and encryption technology is important; however, to radically improve the current security state of systems, intrusion detection technology must be developed, and it has become one of the core technologies of computer security strategy. As an active security protection technology, IDS provides real-time protection against internal attacks, external attacks and misuse. As network communication technology makes ever higher demands on security, intrusion detection technology is bound to receive people's close attention.

References:
[1] Anderson J P. Computer security threat monitoring and surveillance [P]. PA 19034, USA, 1980.4
[2] Denning D E. An Intrusion-Detection Model [A]. IEEE Symp on Security & Privacy [C], 1986: 118-131
[3] Zhang Jie, Daiying Xia. Intrusion detection system technology: current situation and development trend [J]. Computers and Communications, 2002, 6: 28-32
[4] Zhaosu, Wang Feng Bo. An intrusion detection system based on data mining technology [J]. Automation Expo, 2002, 8: 29-31
[5] Tang Hongying, Fu Guoyu. Intrusion detection principles and methods [J]. Chongqing Institute of Technology, 2002, 4: 71-73
