XI. Intrusion detection system

Brief introduction

An IDS (intrusion detection system) is a network security device that monitors network traffic in real time and raises an alert, or takes an active response measure, when it sees suspicious transmissions. What sets it apart from other network security devices is that an IDS is a proactive security protection technology: following a defined security policy, it uses software and hardware to monitor the network and the operating state of its systems, and tries to discover as many attack attempts, attack behaviours and attack results as possible, in order to protect the confidentiality, integrity and availability of network system resources.

 

IDS composition

An intrusion detection system is made up of four components.

  • Event generators: obtain events from the whole computing environment and provide them to the other parts of the system.
  • Event analyzers: analyse the data obtained and produce analysis results.
  • Response units: the functional units that act on the analysis results; the response may be a strong one, such as disconnecting the connection or changing file attributes, or simply raising an alarm.
  • Event databases: the general term for where all intermediate and final data are stored; this may be a complex database or a simple text file.

Anomaly detection methods commonly used by IDS

  • Bayesian inference detection: at any given moment, the values of a set of measured variables are used to infer whether the system is under intrusion.
  • Feature-selection based detection: from a group of metrics, those able to measure intrusions are selected and then used to predict or classify intrusions.
  • Bayesian network based detection: represents the relationships between random variables graphically. By specifying a small set of probability distributions associated with adjacent nodes, it computes the joint probability of the random variables; for all combinations of node values, the prior probabilities of the root nodes and the conditional probabilities of all non-root nodes make up this set. A Bayesian network is a directed graph whose arcs represent dependencies between parent and child nodes. When the value of a random variable becomes known, the network can absorb it as evidence, which provides the framework for computing the conditional values of the remaining random variables.
  • Pattern-prediction based detection: this anomaly detection method rests on the assumption that a sequence of events is not random but follows a discernible pattern. Its characteristic is that the sequence of events, and the relationships between them, are taken into account; its greatest advantage is that only a small number of related security events need to be examined.
  • Statistics based anomaly detection: based on the activity of each user object, a feature profile table is established for every user, and the current features are compared with the previously established ones to decide whether the current behaviour is anomalous. The user feature profile table is continually updated from the audit records; it holds multiple measured metrics whose values are obtained from empirical values or from statistics over a period of time.
  • Machine learning based detection: learns the behaviour and features of the system and of individual users from sequences of discrete temporary data; instance-based learning (IBL) is presented as an example. IBL is based on similarity: it maps raw data (for example a random stream of discrete event records) into a metric space by computing the similarity of new sequences. The IBL learning technique and a new sequence-based classification method are then applied to detect intrusions as anomalous types of event, with the membership probability of the classification determined by a chosen threshold.
  • Data mining based detection: data mining extracts useful information from massive amounts of data. A network produces a large number of audit records, mostly stored as files, and finding anomalous records by hand is not practical; applying data mining to intrusion detection allows useful knowledge to be extracted from the audit data and then used to detect anomalies and known intrusions. The KDD algorithm is one available method; its advantages are good capability for analysing associations in the data and for processing large volumes of data, but its real-time performance is poor.
  • Application-pattern based anomaly detection: the anomaly value of a network service is computed from the type of service request, the length of the service request and the distribution of service request packet sizes. Comparing the anomaly values computed in real time with a threshold obtained during training identifies anomalous behaviour.
  • Text-classification based anomaly detection: the system calls produced by each process are collected into a "document". A K-nearest-neighbour clustering text categorisation algorithm is then used to compute the similarity between documents.
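As an added illustration of the statistics based method above (example code, not from the original post), the following Python builds a per-user feature profile table from constructed training sessions and flags current sessions whose metrics deviate from the profile by more than a threshold. The users, metrics and values are assumed sample data.

```python
import statistics

METRICS = ("login_hour", "bytes_out_kb", "commands")
# Constructed training audit data (example values, not from the page): one tuple of
# METRICS per past session for each user.
TRAINING = {
    "alice": [(9, 120, 30), (10, 95, 28), (9, 140, 35), (11, 110, 32), (10, 130, 29)],
    "bob": [(14, 400, 60), (15, 380, 55), (13, 420, 62), (14, 390, 58), (16, 410, 61)],
}

def build_profiles(training):
    """Per-user feature profile table: (mean, std) of every metric from the audit history."""
    profiles = {}
    for user, rows in training.items():
        profiles[user] = {}
        for i, name in enumerate(METRICS):
            col = [r[i] for r in rows]
            # a constant metric gets std 1.0 so any change shows up as its raw distance
            profiles[user][name] = (statistics.mean(col), statistics.pstdev(col) or 1.0)
    return profiles

def score_session(profile, session, threshold=3.0):
    """Metrics whose z-score against the profile exceeds threshold; [] means normal."""
    flagged = []
    for i, name in enumerate(METRICS):
        mean, std = profile[name]
        z = abs(session[i] - mean) / std
        if z > threshold:
            flagged.append((name, round(z, 1)))
    return flagged

def detect(profiles, sessions):
    """Compare current sessions with stored profiles; users without a profile are alerted too."""
    alerts = []
    for user, session in sessions:
        if user not in profiles:
            alerts.append((user, [("no_profile", 0.0)]))
        elif flagged := score_session(profiles[user], session):
            alerts.append((user, flagged))
    return alerts

PROFILES = build_profiles(TRAINING)
# Constructed current sessions: a normal one, a 03:00 bulk transfer, and an unknown user.
CURRENT = [("alice", (10, 115, 31)), ("alice", (3, 2000, 31)), ("mallory", (2, 50, 5))]
ALERTS = detect(PROFILES, CURRENT)
```

In a real deployment the profile table would be rebuilt periodically from fresh audit records, as the text describes, so that a slow drift in legitimate behaviour does not become a permanent source of false alarms.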

Misuse detection methods commonly used by IDS:

  • Pattern matching: a commonly used intrusion detection technique. The collected information is compared with the known network intrusion and system misuse patterns held in a database, thereby discovering behaviour that violates the security policy. Pattern matching can significantly reduce the load on the system and offers a high detection rate and accuracy.
  • Expert system: the knowledge of security experts is expressed as rules in a knowledge base, and an inference algorithm is then used to detect intrusions. It is mainly aimed at characteristic intrusion behaviour.
  • State transition analysis: the basic idea is to treat an attack as a continuous, step-by-step process in which the individual steps are correlated with one another. Blocking the intrusion in the network in time prevents further similar attacks that may follow. In state transition analysis, the penetration process is viewed as a series of actions by the attacker that take the system from an initial state to a final, hazardous state.
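An added example, not from the original post, that combines the pattern-matching and state-transition methods above: signatures map constructed audit lines to event types, and a per-source state machine raises an alert only when the full chain of correlated steps reaches the final state. The log format, signatures and state names are assumptions for illustration.

```python
import re
from collections import defaultdict
IP = r"(?P<src>\d+(?:\.\d+){3})"
# Pattern-matching step: signatures mapping log lines to event types (constructed for a hypothetical log format, not a real rule set).
SIGNATURES = [
    ("AUTH_FAIL", re.compile(rf"Failed password for \S+ from {IP}")),
    ("AUTH_OK", re.compile(rf"Accepted password for \S+ from {IP}")),
    ("NEW_ADMIN", re.compile(rf"useradd: .* -G sudo from {IP}")),
]
# State-transition step: per source host, an alert fires only at the final hazardous state, never on a single event.
FAIL_THRESHOLD = 3
TRANSITIONS = {
    ("PROBING", "AUTH_OK"): "ACCESS",        # success after repeated failures
    ("ACCESS", "NEW_ADMIN"): "COMPROMISED",  # then a privileged account appears
}
# Constructed sample audit lines (example data, not from the page).
SAMPLE_LOG = [
    "sshd: Failed password for root from 203.0.113.7",
    "sshd: Failed password for root from 203.0.113.7",
    "sshd: Failed password for admin from 203.0.113.7",
    "sshd: Accepted password for admin from 203.0.113.7",
    "useradd: new user backup -G sudo from 203.0.113.7",
    "sshd: Accepted password for alice from 198.51.100.4",   # no failures first,
    "useradd: new user deploy -G sudo from 198.51.100.4",    # so no alert here
]

def classify(line):
    """Return (event_type, source_ip) for the first matching signature, else None."""
    for event, rx in SIGNATURES:
        m = rx.search(line)
        if m:
            return event, m.group("src")
    return None

def analyse(lines):
    """Advance each source's state through the audit trail; return alerts and states."""
    state = defaultdict(lambda: "INITIAL")
    fails = defaultdict(int)
    alerts = []
    for event, src in filter(None, map(classify, lines)):
        if event == "AUTH_FAIL":
            fails[src] += 1
            if fails[src] >= FAIL_THRESHOLD and state[src] == "INITIAL":
                state[src] = "PROBING"
        elif nxt := TRANSITIONS.get((state[src], event)):
            state[src] = nxt
            if nxt == "COMPROMISED":
                alerts.append((src, "attack chain reached final state"))
    return alerts, dict(state)
```

The second host creates the same kind of account without the preceding steps, so it stays in the initial state and produces no alert; this is the correlation between steps that distinguishes state transition analysis from matching each signature on its own.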

Deployment

An intrusion detection system is deployed in bypass (out-of-band) mode: a mirror port is opened on the core switching equipment, and the mirrored traffic is analysed to identify attacks.

 


Source: www.cnblogs.com/endust/p/12164359.html