Saturday, September 25, 2010

IDS classification (1)



Classification by detection principle

The traditional view divides intrusion behaviour into two kinds, anomaly and misuse, and builds an anomaly detection model for the first and a misuse detection model for the second. In the last five years or so a number of new detection methods have emerged whose models apply to both anomaly and misuse detection, such as artificial immune methods, genetic algorithms and data mining. According to the detection model the system uses, IDSs can therefore be divided into three categories.
1. Anomaly detection
In anomaly detection the intrusion being looked for is not known in advance; instead the system studies anomalies in the observed activity and detects intrusions through changes in how the system behaves or is used. Before the detection model can be built, a statistical probability model of the normal behaviour of the specific object under observation must be established; one then decides how far a behaviour may deviate before it is labelled "abnormal", and how that decision is made in concrete cases.
Anomaly detection can identify behaviour that deviates strongly from the normal course of activity without knowing the specifics of the intrusion. Because it adapts poorly to different network environments and lacks precise criteria, false alarms occur frequently.
Anomaly detection can be realised by the following kinds of system.
(1) Self-learning systems
A self-learning system builds its model of normal behaviour from examples; it can be divided into time-series and non-time-series kinds.
(2) Programmed systems
Such systems must be programmed with how to detect the abnormal events in question, so the user has to know what kind of abnormal behaviour constitutes a breach of system security. Programmed systems can be further subdivided into descriptive-statistics and default-deny kinds.
The classification of anomaly detection IDSs is shown in Table 1.
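As an added example (not from the original post), the following Python script implements the simplest programmed, descriptive-statistics anomaly detector described above: it learns a mean and standard deviation for one feature from a training window of presumed-normal data and flags observations whose z-score exceeds a threshold. The feature (distinct destination ports a host contacts per minute), the training window and the observations are constructed sample data, and the 0.5 floor on the spread and the threshold of 3 are this example's own choices. The sample is arranged so that a port scan and a benign software update both trip the detector, which is the false-alarm problem the text points out.

```python
"""Programmed anomaly detector using descriptive statistics (added example).

Assumed feature: number of distinct destination ports a host contacts per
minute. The training window and the observations below are constructed
sample data, not measurements from any real network.
"""
from __future__ import annotations

import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """Normal-behaviour model: mean and standard deviation of the feature."""
    mean: float
    stdev: float


def build_profile(training: list[int]) -> Profile:
    """Learn the baseline from a window of presumed-normal observations."""
    if len(training) < 2:
        raise ValueError("need at least two training samples")
    return Profile(statistics.fmean(training), statistics.pstdev(training))


def z_score(profile: Profile, value: int) -> float:
    """How many standard deviations the value lies from the baseline.

    A baseline with zero variance would treat any change as infinitely
    abnormal, one source of the false alarms the text mentions; the floor
    of 0.5 (an assumption of this example) keeps the score finite.
    """
    spread = max(profile.stdev, 0.5)
    return (value - profile.mean) / spread


def detect(profile: Profile, observations: list[tuple[str, int]],
           threshold: float = 3.0) -> list[tuple[str, int, float]]:
    """Return (minute, value, z) for every observation labelled abnormal."""
    alerts = []
    for minute, value in observations:
        z = z_score(profile, value)
        if z > threshold:          # only excess activity is of interest here
            alerts.append((minute, value, round(z, 2)))
    return alerts


# Constructed training window: distinct destination ports per minute for
# one workstation during a quiet hour (mean 3.7, population stdev ~1.0).
TRAINING = [3, 4, 2, 5, 3, 4, 3, 6, 4, 3, 5, 4, 3, 2, 4, 5, 3, 4, 4, 3]

# Constructed observations. 09:05 is a port scan from that host; 09:07 is a
# legitimate software update that also touches many ports and is reported
# too, because the detector has no way to tell the two apart.
OBSERVATIONS = [
    ("09:01", 4), ("09:02", 3), ("09:03", 5), ("09:04", 4),
    ("09:05", 120),   # port scan
    ("09:06", 3),
    ("09:07", 18),    # update, benign burst
    ("09:08", 4),
]

if __name__ == "__main__":
    profile = build_profile(TRAINING)
    for minute, value, z in detect(profile, OBSERVATIONS):
        print(f"{minute}: {value} ports/min (z={z}) abnormal")
```

Raising the threshold high enough to silence the 09:07 alert (around 15 standard deviations here) also shows the trade-off the section describes: the cut-off has to be tuned per environment, and there is no precise criterion for where to put it.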



2. Misuse Detection
Misuse detection makes its decision from a model of the intrusion process and of the traces it has been observed to leave on the system. Certain characteristic behaviours can therefore be defined as illegal in advance and then compared with what is observed on the monitored object in order to make the identification.
Misuse detection systems are built on known defects and intrusion patterns, so they are also called signature detection. They can accurately detect attacks with specific characteristics, but they rely heavily on the pre-defined security policy, so the system cannot detect unknown attacks, which leads to misses (false negatives).
According to how its decision rules are programmed, misuse detection can be divided into the following four kinds:
(1) State modelling: the intrusion is represented as a number of different states. If, while observing a suspicious behaviour, all of these states are found to be present, the behaviour is judged a malicious intrusion. In essence the state model is a time-series model; it can be further divided into state transition models and Petri nets. The former arrange all the states of the intrusion in a simple chain that is traversed in order, whereas in the Petri net the states form a more general tree structure.
(2) Expert systems: rules describing a given intrusion are used to reason about the security state of the system. In general an expert system's detection capability is strong and its flexibility high, but its computational cost is also high, which usually comes at the expense of execution speed.
(3) String matching: substring matching is performed on text transmitted between systems or generated by the system itself. The method is not very flexible, but it is easy to understand, many efficient algorithms exist for it, and implementations are fast.
(4) Simple rule-based: similar to expert systems but simpler, and therefore faster to execute.
The classification of misuse detection IDSs is shown in Table 2.
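The following Python script, added here as an example and not part of the original post, combines two of the four approaches above: string (regex) matching recognises individual events in auth-log lines, and a state-transition model chains them into the intrusion "repeated failed logins from one source, then a successful login from that source, then that user runs a command as root". The log lines are constructed to look like OpenSSH and sudo syslog output, and the signatures, the three-failure limit and the scenario are assumptions of this example. As the text says, an alert is raised only when every state in the chain has been observed, so an admin's single typo followed by a legitimate login and sudo is not reported, and an attack that does not fit the chain is missed entirely.

```python
"""Misuse detector combining string matching and a state-transition model
(added example). The log lines are constructed to resemble OpenSSH/sudo
syslog output; they are not taken from any real system, and the signature
regexes and the three-step intrusion scenario are this example's own."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# --- signature layer: string/regex matching on each line ------------------
SIGNATURES = {
    "ssh_fail": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<src>[\d.]+)"),
    "ssh_ok": re.compile(
        r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) "
        r"from (?P<src>[\d.]+)"),
    "sudo_root": re.compile(
        r"sudo: +(?P<user>\S+) : .*USER=root"),
}


def match_signature(line: str):
    """Return (event_name, fields) for the first signature that matches."""
    for name, pattern in SIGNATURES.items():
        m = pattern.search(line)
        if m:
            return name, m.groupdict()
    return None


# --- state-transition layer -----------------------------------------------
# The modelled intrusion is a chain of states:
#   START --(>= FAIL_LIMIT failures from one source)--> GUESSING
#   GUESSING --(successful login from that source)--> LOGGED_IN
#   LOGGED_IN --(that user runs a command as root)--> COMPROMISED
FAIL_LIMIT = 3   # assumption of this example


@dataclass
class SourceState:
    state: str = "START"
    failures: int = 0
    user: str | None = None


@dataclass
class StateDetector:
    sources: dict[str, SourceState] = field(default_factory=dict)
    user_to_src: dict[str, str] = field(default_factory=dict)
    alerts: list[str] = field(default_factory=list)

    def feed(self, line: str) -> None:
        hit = match_signature(line)
        if hit is None:
            return                       # no signature: line is ignored
        event, f = hit
        if event == "ssh_fail":
            s = self.sources.setdefault(f["src"], SourceState())
            s.failures += 1
            if s.state == "START" and s.failures >= FAIL_LIMIT:
                s.state = "GUESSING"
        elif event == "ssh_ok":
            s = self.sources.setdefault(f["src"], SourceState())
            if s.state == "GUESSING":   # success only counts after guessing
                s.state, s.user = "LOGGED_IN", f["user"]
                self.user_to_src[f["user"]] = f["src"]
        elif event == "sudo_root":
            src = self.user_to_src.get(f["user"])
            s = self.sources.get(src) if src else None
            if s and s.state == "LOGGED_IN":
                s.state = "COMPROMISED"  # every state in the chain seen
                self.alerts.append(
                    f"brute-force login then root escalation: "
                    f"user={f['user']} src={src}")


def run(lines: list[str]) -> list[str]:
    det = StateDetector()
    for line in lines:
        det.feed(line)
    return det.alerts


# Constructed sample log. 10.0.0.5 guesses three passwords, gets in as
# 'deploy' and escalates; 10.0.0.9 is an admin whose single typo followed
# by a correct login and sudo must NOT be reported (not all states present).
SAMPLE_LOG = [
    "Sep 25 09:00:01 host sshd[1201]: Failed password for invalid user admin from 10.0.0.5 port 5000 ssh2",
    "Sep 25 09:00:03 host sshd[1201]: Failed password for root from 10.0.0.5 port 5001 ssh2",
    "Sep 25 09:00:05 host sshd[1203]: Failed password for deploy from 10.0.0.5 port 5002 ssh2",
    "Sep 25 09:00:09 host sshd[1204]: Accepted password for deploy from 10.0.0.5 port 5003 ssh2",
    "Sep 25 09:00:20 host sshd[1210]: Failed password for alice from 10.0.0.9 port 6000 ssh2",
    "Sep 25 09:00:25 host sshd[1211]: Accepted publickey for alice from 10.0.0.9 port 6001 ssh2",
    "Sep 25 09:00:40 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Sep 25 09:01:02 host sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print("ALERT:", alert)
```

The state chain is the "simple traversal chain" form of the text: each source walks the states in order and nothing is reported until the last one is reached. An attacker who logs in with a stolen key and escalates without any failed attempts never leaves START, which is exactly the unknown-attack blind spot the section attributes to misuse detection.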



3. Hybrid detection

In recent years hybrid detection has received increasing attention. Before making a decision, such a system considers both the normal behaviour of the system and the suspicious intrusion behaviour observed, so its judgement is more comprehensive, accurate and reliable. It usually detects intrusions against the background of the system's normal data flow, and is therefore also called "heuristic signature detection".
Wenke Lee, drawing on data mining, built a hybrid detector around the RIPPER rule learner (RIPPER itself is William Cohen's general-purpose rule-induction algorithm, not an IDS). Rather than modelling each intrusion separately, it first learns from a large number of examples what normal system behaviour is and what constitutes an intrusion, finds the consistent usage patterns that characterise the system, and then forms a detection model that serves both anomaly and misuse detection.
Classification by system features
As a complete system an IDS obviously consists of more than the detector, and many features of the system as a whole deserve serious study. The following important features are therefore used as classification criteria.
1. Detection time: some systems detect intrusion activity in real time or near real time, while others process audit data after the fact, so there is a certain delay. Real-time systems generally also keep historical audit data offline, so that the system can reconstruct important security incidents of the past from previously saved data.
2. Granularity of data processing: some systems process data continuously, others operate on batches of data at particular intervals; this is a question of how much data is handled at once. It bears some relationship to detection time, but the two are not the same: a system may process data continuously yet with a long delay, and real-time processing may also be done in small batches.
3. Audit data sources: there are two main sources, network data and host security log files. The latter include operating system kernel logs, application logs, logs of network equipment (such as routers and firewalls), and so on.
4. Intrusion response: divided into active response and passive response. A passive-response system only raises an alarm, reporting the abnormal condition to the administrator; it does not itself try to reduce the damage, still less take retaliatory action against the attacker. Active-response systems can be divided into two categories:
(1) exercising control over the attacked system, adjusting its state to prevent or mitigate the effect of the attack, for example disconnecting it from the network, increasing security logging, or killing suspicious processes;
(2) exercising control over the attacking system. Such systems are valued and used mainly by the military.
At present active-response systems are still relatively few, and even those that respond actively generally only disconnect the network connection associated with a suspicious attack or block suspicious system calls, terminating the process if that fails. For the case where the system is itself subjected to a denial-of-service attack, however, this kind of defence is generally hard to carry out.
5. Data collection site: the audit data may come from a single node or from multiple distributed nodes in the network.
6. Data processing location: audit data may be processed centrally or in a distributed fashion.
7. Security: the system's own resistance to attack.
8. Interoperability: IDSs run on different operating system platforms, and their data sources, communication mechanisms and message formats all differ. Whether an IDS can interoperate with other IDSs and other security products is an important measure of how advanced it is.
The classification of IDSs by system features is shown in Table 3.
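To make item 4 concrete, here is a Python responder, added as an example and not from the original post, that chooses between a passive report and an active block for each alert and shows the guard an active responder needs: because the source address in an alert can be spoofed, an IDS that blocks every reported source can be made to cut off the gateway or DNS server, or to flood the firewall with rules, so the responder keeps a never-block list and a budget of blocks per time window and falls back to passive reporting beyond it. The alert stream, the protected address ranges, the budget of five blocks per minute and the "block" action (which here only records the decision) are constructed assumptions.

```python
"""Passive versus active intrusion response, with the guard an active
responder needs so it cannot be turned into a denial-of-service tool
(added example). The alert stream, the never-block list and the block
budget are constructed assumptions; 'block' here only records the decision
rather than touching a real firewall."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Alert:
    ts: float        # seconds since some epoch
    src: str         # attacking address as the IDS saw it (spoofable)
    signature: str


@dataclass
class Responder:
    """Decide, per alert, between a passive report and an active block.

    never_block: addresses the site cannot afford to lose (gateway, DNS,
      the admin subnet). Spoofed packets from these would otherwise let an
      attacker make the IDS cut them off.
    max_blocks / window: budget on active responses. A flood of alerts from
      many (possibly spoofed) sources degrades to passive reporting instead
      of filling the firewall with thousands of rules.
    """
    active: bool = True
    never_block: tuple[str, ...] = ("10.0.0.1/32", "10.0.0.53/32", "10.0.1.0/24")
    max_blocks: int = 5
    window: float = 60.0
    recent_blocks: deque = field(default_factory=deque)
    blocked: set[str] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def _protected(self, src: str) -> bool:
        addr = ip_address(src)
        return any(addr in ip_network(net) for net in self.never_block)

    def _budget_left(self, now: float) -> bool:
        # drop block timestamps that have aged out of the window
        while self.recent_blocks and now - self.recent_blocks[0] > self.window:
            self.recent_blocks.popleft()
        return len(self.recent_blocks) < self.max_blocks

    def handle(self, alert: Alert) -> str:
        """Return the action taken: 'report', 'block' or 'already-blocked'."""
        if alert.src in self.blocked:
            return "already-blocked"
        if (not self.active or self._protected(alert.src)
                or not self._budget_left(alert.ts)):
            self.log.append(f"REPORT {alert.signature} from {alert.src}")
            return "report"
        self.recent_blocks.append(alert.ts)
        self.blocked.add(alert.src)
        self.log.append(f"BLOCK {alert.src} ({alert.signature})")
        return "block"


def run(alerts: list[Alert], responder: Responder) -> dict[str, int]:
    """Feed alerts through the responder and count actions by type."""
    counts: dict[str, int] = {}
    for a in alerts:
        action = responder.handle(a)
        counts[action] = counts.get(action, 0) + 1
    return counts


# Constructed alert stream: one real scanner, then a burst of alerts whose
# sources are spoofed to be the gateway and 20 other addresses within the
# same minute, the pattern an attacker would use to exhaust the responder.
SAMPLE_ALERTS = [Alert(0.0, "198.51.100.7", "port-scan"),
                 Alert(1.0, "10.0.0.1", "port-scan")] + [
    Alert(2.0 + i * 0.1, f"203.0.113.{i}", "port-scan") for i in range(20)]

if __name__ == "__main__":
    r = Responder()
    print(run(SAMPLE_ALERTS, r))
    print("\n".join(r.log))
```

With the default settings the real scanner and the first four spoofed sources are blocked, the gateway alert and the remaining sixteen are only reported, and once the window has passed the block budget is available again; setting active=False gives the purely passive system of the text, which reports all 22 alerts and blocks nothing.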








