What Is an Intrusion Detection System?
An intrusion detection system (IDS) is a network security device that monitors network traffic in real time and issues alerts, or takes active countermeasures, when suspicious traffic is found. It differs from other network security devices in that an IDS is a proactive security protection technology. IDS first appeared in April 1980. In the mid-1980s, IDS gradually evolved into the intrusion detection expert system (IDES). In 1990, IDS split into network-based IDS and host-based IDS, and distributed IDS appeared later. IDS is currently developing rapidly, and some people have claimed that it can completely replace the firewall.
- IDS is a computer monitoring system: it monitors the system in real time and issues warnings when abnormal conditions are found. [1]
- IETF will
- In February 1998, Secure Networks Inc. pointed out that IDS has many weaknesses, mainly in two areas: the IDS's detection of data, and the protection of the IDS against attacks on itself. Due to the rapid development of contemporary networks,
- Intrusion detection systems are divided into two modes according to how intrusions are detected: anomaly detection and misuse detection. The former must first build a model of normal system access behaviour; any visitor behaviour that does not conform to this model is judged to be an intrusion. The latter does the opposite: it first enumerates all possible unacceptable behaviours to build a model, and any visitor behaviour that conforms to this model is judged to be an intrusion.
- The security policies of these two modes are completely different, and each has its strengths and weaknesses. The false negative rate of anomaly detection is low, but behaviour that does not conform to the normal-behaviour model is not necessarily a malicious attack, so its false positive rate is high. Misuse detection matches directly against patterns of unacceptable behaviour, so its false positive rate is low; however, malicious behaviour is ever-changing and may not be collected in the pattern library, so its false negative rate is high. Users must therefore formulate policies and select a detection mode according to the characteristics and security requirements of their system; in practice, users now adopt a combination of the two models. [1]
- IDS systems need to communicate with each other, including IDS systems from different vendors, so a uniform protocol must be defined. The IETF currently has a dedicated group, the Intrusion Detection Working Group (
- Analyze various incidents and discover violations
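The anomaly-versus-misuse trade-off described in the list above, as an added example that is not part of the original article: a tiny anomaly detector (a per-user model of which programs are normally run) and a tiny misuse detector (a pattern library of known-bad command fragments) are run over the same constructed, labelled audit records, and the false positive and false negative rate of each, and of their combination, is computed. The users, commands, signatures and labels are all constructed for this illustration.

```python
import re
from collections import defaultdict

# Constructed training audit records (user, command line), all assumed to be normal activity.
TRAINING = [
    ("alice", "ls -l"), ("alice", "cat report.txt"), ("alice", "vim notes.txt"),
    ("bob", "ls"), ("bob", "git pull"), ("bob", "git status"),
]

# Constructed evaluation records (user, command line, is_intrusion) with ground-truth labels.
EVALUATION = [
    ("alice", "ls -la", False),
    ("bob", "curl https://example.invalid/feed.json", False),   # new program, but benign
    ("alice", "python3 backup.py", False),                      # new program, but benign
    ("bob", "tcpdump -i eth0 -w out.pcap", True),               # sniffing; no signature for it
    ("alice", "cat /etc/shadow", True),                         # familiar program, sensitive file
    ("bob", "wget http://example.invalid/tool.sh", True),       # download; no signature for it
]

# Misuse model: a constructed pattern library of known-bad command fragments.
SIGNATURES = [re.compile(p) for p in (r"/etc/shadow", r"\.ssh/id_rsa")]


def program(cmd):
    """First token of a command line: the program the user ran."""
    return cmd.split()[0]


def build_normal_model(training):
    """Anomaly model: the set of programs each user has been seen running."""
    model = defaultdict(set)
    for user, cmd in training:
        model[user].add(program(cmd))
    return model


def anomaly_detect(model, user, cmd):
    """Flag anything outside the user's normal model (an unknown user has an empty model)."""
    return program(cmd) not in model.get(user, set())


def misuse_detect(cmd):
    """Flag anything that matches a known-bad pattern."""
    return any(sig.search(cmd) for sig in SIGNATURES)


def error_rates(flags, labels):
    """False positive rate over benign records, false negative rate over intrusions."""
    fp = sum(1 for f, lab in zip(flags, labels) if f and not lab)
    fn = sum(1 for f, lab in zip(flags, labels) if not f and lab)
    benign, intrusions = labels.count(False), labels.count(True)
    return {
        "false_positive_rate": round(fp / benign, 3) if benign else 0.0,
        "false_negative_rate": round(fn / intrusions, 3) if intrusions else 0.0,
    }


def evaluate(training=TRAINING, evaluation=EVALUATION):
    """Run both detectors, and their OR-combination, over the labelled records."""
    model = build_normal_model(training)
    labels = [label for _, _, label in evaluation]
    anomaly = [anomaly_detect(model, user, cmd) for user, cmd, _ in evaluation]
    misuse = [misuse_detect(cmd) for _, cmd, _ in evaluation]
    combined = [a or m for a, m in zip(anomaly, misuse)]
    return {
        "anomaly": error_rates(anomaly, labels),
        "misuse": error_rates(misuse, labels),
        "combined": error_rates(combined, labels),
    }


if __name__ == "__main__":
    for name, rates in evaluate().items():
        print(f"{name:9s} FP={rates['false_positive_rate']:.3f} "
              f"FN={rates['false_negative_rate']:.3f}")
```

On this constructed data the anomaly detector misses nothing that is new but flags two benign first-time programs (FP 2/3, FN 1/3), while the misuse detector never flags benign activity but misses the two intrusions that have no signature (FP 0, FN 2/3); OR-ing the two gives FN 0 at the anomaly detector's FP rate, which is the combination the article says users now adopt.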
Anomaly detection method of intrusion detection system
- The following detection methods are often used in anomaly-based intrusion detection systems: [5]
- Bayesian inference detection method: determines whether an intrusion event has occurred in the system by measuring the values of variables at any given moment.
- Feature-based detection: refers to selecting, from a set of metrics, a metric that can detect intrusions and using it to predict or classify intrusion behaviour.
- Detection method based on Bayesian networks: graphically represents the relationships between random variables. It computes the probability distribution of a random variable by specifying a small set of probabilities associated with neighbouring nodes. Given a combination of all nodes, the prior probabilities of all root nodes and the conditional probabilities of the non-root nodes make up this set. The Bayesian network is a directed graph in which each arc represents the dependency between a parent node and a child node. When the value of a random variable becomes known, it can be absorbed as evidence, providing a computational framework for judging the values of the remaining random variables.
- Detection method based on pattern prediction: this method rests on the assumption that sequences of events do not occur randomly but follow a certain discernible pattern. Its characteristics are that event sequences and their interconnections are taken into account, and its greatest advantage is that only a few related security events need to be examined.
- Anomaly detection based on statistics: a feature profile table is created for each user based on the activity of the user object, and current behaviour is compared with the previously established profile to determine whether it is abnormal. The user profile table is continuously updated according to the audit records, and it is maintained with multiple measurement indexes whose values are obtained from empirical values or from statistics over a period of time.
- Machine learning-based detection method: it learns the behaviour characteristics of networks, systems and individuals through temporal sequence learning on discrete data, and proposes an instance-based learning method, IBL. IBL is based on similarity: a new sequence similarity calculation maps the raw data (such as discrete event streams and unordered records) into a measurable space. IBL learning and a new sequence-based classification method are then used to detect anomalous events and intrusion behaviour, with the probability of class membership determined by the choice of a threshold.
- Data mining detection method: the purpose of data mining is to extract useful information from massive amounts of data. A large number of audit records exist on the network, and most of them are stored in files. Finding anomalies in these records by manual methods is not feasible, so applying data mining technology to intrusion detection can extract useful knowledge from audit data and then use this knowledge to detect abnormal intrusions and known intrusions. The method used is the KDD algorithm, which has the advantages of handling large amounts of data well and being able to analyse associations in the data, but its real-time performance is poor.
- Anomaly detection method based on application mode: this method calculates an anomaly value for a network service from the service request type, service request length and service request packet size distribution. The anomaly values calculated in real time are compared with trained thresholds to discover abnormal behaviour.
- Anomaly detection method based on text classification: this method converts the set of calls generated by system processes into "documents" and calculates the similarity of the documents with a K-nearest-neighbour text classification algorithm.
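The statistics-based anomaly detection described above (a per-user profile of several measurement indexes that is continuously updated from the audit records), as an added example that is not part of the original article. Each index is kept as a running mean and standard deviation (Welford's online algorithm), a new record is scored by its z-score against the user's profile, and the record is folded into the profile only if it looked normal, so that a flagged record cannot slowly drift the baseline toward the attacker's behaviour. The users, metrics, threshold of 3 standard deviations and minimum of 5 samples are all constructed choices for this illustration.

```python
import math
from collections import defaultdict


class RunningStats:
    """Welford's online mean/variance, so a profile index can be updated one record at a time."""

    def __init__(self):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def stddev(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x):
        sd = self.stddev()
        if sd == 0.0:  # all samples identical so far: anything different is maximally unusual
            return 0.0 if x == self.mean else math.inf
        return (x - self.mean) / sd


class ProfileDetector:
    def __init__(self, threshold=3.0, min_samples=5):
        self.threshold = threshold      # |z| above which an index is reported as deviating
        self.min_samples = min_samples  # do not judge an index until the profile has this many samples
        self.profiles = defaultdict(lambda: defaultdict(RunningStats))  # user -> index -> stats

    def check_and_update(self, record):
        """Compare one audit record with its user's profile; return the deviating indexes.

        The profile is updated with the record only when nothing deviated, so flagged
        records do not pull the baseline toward abnormal behaviour.
        """
        profile = self.profiles[record["user"]]
        deviations = {}
        for index, value in record["metrics"].items():
            stats = profile[index]
            if stats.n >= self.min_samples:
                z = stats.zscore(value)
                if abs(z) > self.threshold:
                    deviations[index] = round(z, 2)
        if not deviations:
            for index, value in record["metrics"].items():
                profile[index].update(value)
        return deviations


# Constructed audit records for one user: ten ordinary working days, then one unusual record.
NORMAL_RECORDS = [
    {"user": "alice", "metrics": {"login_hour": hour, "bytes_sent": sent}}
    for hour, sent in zip([9, 10, 9, 9, 10, 9, 10, 9, 10, 9],
                          [5000, 5200, 4800, 5100, 4900, 5300, 5000, 4700, 5100, 5000])
]
UNUSUAL_RECORD = {"user": "alice", "metrics": {"login_hour": 3, "bytes_sent": 250000}}


def demo():
    """Feed the constructed records through a detector and return the per-record findings."""
    detector = ProfileDetector()
    findings = [detector.check_and_update(r) for r in NORMAL_RECORDS]
    findings.append(detector.check_and_update(UNUSUAL_RECORD))
    return detector, findings


if __name__ == "__main__":
    detector, findings = demo()
    for record, found in zip(NORMAL_RECORDS + [UNUSUAL_RECORD], findings):
        print(record["metrics"], "->", found or "normal")
```

The first five records are never judged, because a profile built from one or two samples would flag almost anything; after that, each ordinary day stays well under three standard deviations, while the 3 a.m. login that sends 250 kB deviates on both indexes and is reported without being absorbed into the profile.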
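The application-mode anomaly detection described above (request type, request length and packet size distribution compared with trained thresholds), as an added example that is not part of the original article. A service profile is trained from constructed normal requests: the set of request types seen, the mean and standard deviation of request length, and a pooled histogram of packet sizes; the thresholds are a z-score limit on length and a histogram-distance limit learned as the largest distance seen during training plus a fixed margin. The bin edges, the 3-sigma limit, the 0.25 margin and all request data are constructed choices for this illustration.

```python
import math

# Packet size bins (bytes) used to describe the size distribution of one request.
BINS = (0, 128, 256, 512, 1024, math.inf)


def size_histogram(sizes):
    """Normalised histogram of packet sizes over BINS."""
    counts = [0] * (len(BINS) - 1)
    for s in sizes:
        for i in range(len(counts)):
            if BINS[i] <= s < BINS[i + 1]:
                counts[i] += 1
                break
    total = sum(counts) or 1
    return [c / total for c in counts]


def half_l1(h1, h2):
    """Total variation distance between two histograms: 0 (identical) to 1 (disjoint)."""
    return 0.5 * sum(abs(a - b) for a, b in zip(h1, h2))


class ServiceProfile:
    def __init__(self, z_limit=3.0, dist_margin=0.25):
        self.z_limit = z_limit            # trained threshold on request length, in standard deviations
        self.dist_margin = dist_margin    # slack added to the worst training distance
        self.types = set()
        self.len_mean = self.len_sd = 0.0
        self.hist = None
        self.dist_threshold = None

    def train(self, requests):
        """Learn the normal request types, length statistics and packet size distribution."""
        self.types = {r["type"] for r in requests}
        lengths = [r["length"] for r in requests]
        n = len(lengths)
        self.len_mean = sum(lengths) / n
        self.len_sd = math.sqrt(sum((x - self.len_mean) ** 2 for x in lengths) / (n - 1))
        self.hist = size_histogram([s for r in requests for s in r["packets"]])
        worst = max(half_l1(size_histogram(r["packets"]), self.hist) for r in requests)
        self.dist_threshold = worst + self.dist_margin
        return self

    def score(self, request):
        """Compare one request with the trained thresholds; report every index that exceeds them."""
        reasons = {}
        if request["type"] not in self.types:
            reasons["unseen_request_type"] = request["type"]
        if self.len_sd > 0:
            z = (request["length"] - self.len_mean) / self.len_sd
            if abs(z) > self.z_limit:
                reasons["length_zscore"] = round(z, 1)
        d = half_l1(size_histogram(request["packets"]), self.hist)
        if d > self.dist_threshold:
            reasons["packet_size_distance"] = round(d, 3)
        return {"anomalous": bool(reasons), "reasons": reasons}


# Constructed normal traffic for one service: type, request length, sizes of its packets.
TRAINING_REQUESTS = [
    {"type": "GET", "length": 240, "packets": [64, 200, 240]},
    {"type": "GET", "length": 310, "packets": [64, 180, 310]},
    {"type": "POST", "length": 520, "packets": [64, 300, 520]},
    {"type": "GET", "length": 280, "packets": [64, 140, 280]},
    {"type": "POST", "length": 600, "packets": [64, 280, 600]},
    {"type": "GET", "length": 260, "packets": [64, 130, 260]},
    {"type": "POST", "length": 480, "packets": [64, 240, 480]},
    {"type": "GET", "length": 300, "packets": [64, 160, 300]},
]


if __name__ == "__main__":
    profile = ServiceProfile().train(TRAINING_REQUESTS)
    for req in ({"type": "GET", "length": 290, "packets": [64, 150, 290]},
                {"type": "TRACE", "length": 9000, "packets": [1400] * 6},
                {"type": "GET", "length": 300, "packets": [1400, 1400, 1400]}):
        print(req["type"], req["length"], "->", profile.score(req))
```

Reporting each exceeded threshold separately, rather than a single summed score, lets an operator see which of the three indexes the article names actually drove an alert; the third request above has a normal type and length and is caught only by its packet size distribution.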
Misuse detection method of intrusion detection system
- Common detection methods used in misuse-based intrusion detection systems are:
- Pattern matching method: often used in intrusion detection technology. It compares the collected information with the known patterns in a database of network intrusions and system misuse, thereby discovering violations of security policy. The pattern matching method can significantly reduce the system burden and has a higher detection rate and accuracy.
- Expert system method: the idea of this method is to represent the knowledge of security experts as a rule knowledge base and then use inference algorithms to detect intrusions. It is mainly used for intrusions with distinctive characteristics.
- Detection method based on state transition analysis: the basic idea is to treat an attack as a continuous, step-by-step process whose steps are correlated with one another. When an intrusion is detected in the network, the intrusion behaviour is blocked in time to prevent similar attacks that may follow. In state transition analysis, a penetration can be regarded as a series of actions by an attacker that cause the system to change from an initial state to a final compromised state. [1] [4]
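The state transition analysis described in the last item above, as an added example that is not part of the original article: one attack scenario is written as an ordered list of steps, each source address is tracked through those steps as its events arrive, an alert is raised when a source reaches the final compromised state, and a source that goes quiet for longer than a window falls back to the initial state. Because the detector exposes each source's current state, a defender can act before the final step rather than after it. The scenario steps, the event types, the inactivity window and the event log (RFC 5737 documentation addresses) are all constructed for this illustration.

```python
from collections import defaultdict

# Constructed scenario: the ordered steps of one attack, as (state reached, event type, events needed).
SCENARIO = [
    ("reconnaissance", "scan", 1),
    ("credential_guessing", "auth_fail", 3),
    ("foothold", "auth_ok", 1),
    ("privilege_escalation", "sudo", 1),
]
COMPROMISED = "compromised"


class StateTransitionDetector:
    def __init__(self, scenario=SCENARIO, window=300):
        self.scenario = scenario
        self.window = window           # seconds of silence after which a source's state resets
        self.state = defaultdict(int)  # source -> index of the step it is currently working on
        self.count = defaultdict(int)  # source -> matching events seen for that step so far
        self.last = {}                 # source -> timestamp of the last event that advanced it
        self.history = defaultdict(list)

    def _reset(self, src):
        for table in (self.state, self.count, self.last, self.history):
            table.pop(src, None)

    def process(self, event):
        """Advance the source through the scenario; return an alert when it reaches the final state."""
        src, ts = event["src"], event["ts"]
        if src in self.last and ts - self.last[src] > self.window:
            self._reset(src)
        _, expected_type, needed = self.scenario[self.state[src]]
        if event["type"] != expected_type:
            return None  # unrelated to the awaited step: neither advances nor resets the source
        self.count[src] += 1
        self.last[src] = ts
        self.history[src].append((ts, event["type"]))
        if self.count[src] < needed:
            return None
        self.state[src] += 1
        self.count[src] = 0
        if self.state[src] == len(self.scenario):
            alert = {"src": src, "state": COMPROMISED, "path": list(self.history[src])}
            self._reset(src)
            return alert
        return None

    def current_state(self, src):
        """Name of the last step this source completed ("initial" if none)."""
        idx = self.state[src]
        return "initial" if idx == 0 else self.scenario[idx - 1][0]


# Constructed event log: one source walks the whole scenario, another produces ordinary noise.
EVENTS = [
    {"ts": 0, "src": "198.51.100.7", "type": "scan"},
    {"ts": 30, "src": "198.51.100.7", "type": "auth_fail"},
    {"ts": 31, "src": "198.51.100.7", "type": "auth_fail"},
    {"ts": 33, "src": "198.51.100.7", "type": "auth_fail"},
    {"ts": 40, "src": "203.0.113.9", "type": "auth_fail"},   # one mistyped password
    {"ts": 45, "src": "203.0.113.9", "type": "auth_ok"},
    {"ts": 60, "src": "198.51.100.7", "type": "auth_ok"},
    {"ts": 90, "src": "203.0.113.9", "type": "sudo"},        # routine admin use, no prior steps
    {"ts": 120, "src": "198.51.100.7", "type": "sudo"},
]


def run(events, window=300):
    """Replay events in time order and collect the alerts raised."""
    detector = StateTransitionDetector(window=window)
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        alert = detector.process(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert["src"], alert["state"], [t for _, t in alert["path"]])
```

Shrinking the window to 50 seconds makes the final sudo arrive after the source has been reset, so no alert is raised; the time correlation between steps is part of the model, not just their order.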