The techniques behind an IDS are not actually mysterious. This article introduces a relatively simple, entry-level IDS architecture by following each component in turn. Judging by market share and ease of acquisition, a NIDS is the most suitable example to deploy. The whole intrusion detection process is run on a pure Windows platform. Because of space limitations, the discussion is qualitative.
Preliminary knowledge
IDS: Intrusion Detection System, a combination of software and hardware that collects information from a network or system and performs intrusion detection and analysis on it.
Two organizations do standardization work on IDS: the Intrusion Detection Working Group (IDWG) of the IETF, which sets Internet standards, and the Common Intrusion Detection Framework (CIDF).
IDS classification: Network IDS (network-based), Host-based IDS (host-based), Hybrid IDS, Console IDS, File Integrity Checkers, Honeypots.
Event generation system
According to the general IDS model described by CIDF, the simplest intrusion detection component containing all the elements is shown in the figure. In the CIDF specification, the data that an IDS needs to analyze is collectively called Events. An Event may be a data packet on the network, or information obtained from a system log or by other means.
Without data flowing in (that is, without data collection), an IDS is a tree without roots and of no use at all.
As the foundation of the IDS, the event generation system plays a large role: it collects all the defined events and passes them on to the other components in one go. In a Windows environment the basic approach today is to use WinPcap and WinDump.
As is well known, software for event generation and event analysis is most popular on Linux and Unix platforms. The Windows platform, however, also has a counterpart to libpcap (the library Unix and Linux systems need to capture network packets from the kernel): WinPcap.
WinPcap is a free network interface API for Windows that sets the network card to "promiscuous" mode and then loops over the packets captured from the network. Its technique is simple to implement, highly portable and independent of the network card, but it is not efficient and is suited to networks below 100 Mbps.
The corresponding Windows network sniffing tool is WinDump (the Windows port of tcpdump from Linux/Unix). It must run on top of the WinPcap interface (some people vividly call WinPcap the "data sniffing driver"). WinDump displays the headers of packets that match its rules; you can use it to find network problems or monitor network conditions and, to a certain extent, to observe safe and unsafe behaviour on the network.
Both programs can be downloaded free of charge, and usage tutorials for them are easy to find.
The following is a brief introduction to the steps for establishing event detection and collection.
1. Assemble the hardware and software. Depending on how busy the network is, decide whether an ordinary compatible PC or a higher-performance dedicated server is needed. Install an NT-kernel Windows operating system; Windows Server 2003 Enterprise Edition is recommended, and Windows 2000 Advanced Server can be used if that is not available. NTFS is the recommended partition format.
2. Partition the server's disk space sensibly. The executable programs and the stored data logs are best placed in different partitions.
3. Simple deployment of WinPcap. First install its driver: download the WinPcap auto-installer (Driver+DLLs) from its homepage or a mirror site and install it directly.
Note: if you develop against WinPcap you also need to download the Developer's Pack.
WinPcap consists of three modules. The first, NPF (Netgroup Packet Filter), is a VxD (virtual device driver) file; its job is to filter packets and pass them intact to the user-mode modules. The second, packet.dll, provides a public low-level interface for the Win32 platform. The third, wpcap.dll, is built on packet.dll, does not depend on the operating system, and provides high-level, abstract functions and a more convenient, direct way to program. Detailed usage instructions are available on the major websites; using WinPcap well requires solid C programming skills.
4. Running WinDump. After installation, run it from the Windows command prompt; users can check the state of the network for themselves, so no details are given here.
If there are no software compatibility problems and installation and configuration are correct, event detection and collection are in place.
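As an added example (not from the article or from the WinPcap/WinDump projects), here is a reader for the capture files WinDump writes and Ethereal opens, the classic pcap format, so the event analysis system can consume saved captures instead of a live card. The file layout follows the published pcap format; the sample capture is constructed in the block and is not real traffic.

```python
import struct
from typing import Iterator, List, NamedTuple, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # magic number of the classic microsecond pcap format
GLOBAL_HDR = 24           # size of the file header in bytes
RECORD_HDR = 16           # size of each per-packet header in bytes

class Packet(NamedTuple):
    ts_sec: int
    ts_usec: int
    orig_len: int   # length on the wire; data may be shorter if snaplen cut it
    data: bytes

def iter_pcap(buf: bytes) -> Iterator[Packet]:
    """Yield packet records from a pcap byte buffer, honouring the writer's byte order."""
    if len(buf) < GLOBAL_HDR:
        raise ValueError("truncated pcap global header")
    if struct.unpack_from("<I", buf, 0)[0] == PCAP_MAGIC:
        order = "<"
    elif struct.unpack_from(">I", buf, 0)[0] == PCAP_MAGIC:
        order = ">"
    else:
        raise ValueError("not a pcap file (unknown magic)")
    snaplen = struct.unpack_from(order + "I", buf, 16)[0]
    off = GLOBAL_HDR
    while off + RECORD_HDR <= len(buf):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(order + "IIII", buf, off)
        off += RECORD_HDR
        # A record longer than snaplen or than the file itself is corruption, not a packet
        if incl_len > snaplen or off + incl_len > len(buf):
            raise ValueError(f"corrupt record at offset {off - RECORD_HDR}")
        yield Packet(ts_sec, ts_usec, orig_len, buf[off:off + incl_len])
        off += incl_len

def build_pcap(packets: List[Tuple[int, int, bytes]], order: str = "<") -> bytes:
    """Write a pcap buffer (link type 1 = Ethernet) so the reader can be exercised offline."""
    out = struct.pack(order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, data in packets:
        out += struct.pack(order + "IIII", ts_sec, ts_usec, len(data), len(data)) + data
    return out

# Constructed sample capture: two frames with dummy Ethernet headers, not real traffic
SAMPLE_PCAP = build_pcap([
    (1_000_000, 10, b"\x00" * 14 + b"GET / "),
    (1_000_000, 20, b"\x00" * 14 + b"quit"),
])

if __name__ == "__main__":
    for pkt in iter_pcap(SAMPLE_PCAP):
        print(f"{pkt.ts_sec}.{pkt.ts_usec:06d} len={pkt.orig_len} payload={pkt.data[14:]!r}")
```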
Event analysis system
Since most of our networks are built from switched Ethernet switches, the event analysis system is established to detect across multiple network firewall devices, to support multiple log collection methods (such as collection of SNMP and Syslog data), and to provide event log processing, statistics, analysis and query functions.
The event analysis system is the core module of an IDS. Its main function is to analyze the various events and discover behaviour that violates the security policy, and how to build it is the key and the difficulty. If you write the software yourself or with others, rigorous preparation is needed before development: a clear understanding of network protocols, hacker attacks and system vulnerabilities; then formulate rules and strategies based on standard technologies and specifications; then optimize the algorithms for execution efficiency, establish a detection model, and simulate the attack and analysis process.
The event analysis system places its detection engine on the monitored network segment and generally analyzes by three technical means: pattern matching, protocol analysis and behavioural analysis. When a known misuse pattern is detected, a corresponding warning message is generated and sent to the response system. At present protocol analysis is the best way to detect in real time.
One possible design for this system takes a protocol analyzer as its main body, which can be built on ready-made, open protocol analysis toolkits. A protocol analyzer displays packet-level network traffic and automatically analyzes and raises warnings according to network protocol rules, so that attacks are detected quickly and network programmers and administrators can monitor and analyze network activity to proactively detect and locate faults. Users can try Ethereal, a free network protocol analyzer that supports Windows, to analyze the data that the event generation system captured and saved on disk. Captured packets can be browsed interactively, with summary and detailed information for each packet. Ethereal has many powerful features, such as support for almost all protocols, a rich filter language, and easy viewing of reconstructed TCP session streams.
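An added example, not the article's own code or Ethereal's: a miniature analysis engine that combines two of the three means named above, protocol analysis (decoding Ethernet/IPv4/TCP and flagging header fields that contradict each other) and pattern matching (a signature looked up in the payload). The frames, the signature set and the warning format are constructed for illustration.

```python
import struct
from dataclasses import dataclass, field

@dataclass
class Decoded:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    payload: bytes = b""
    anomalies: list = field(default_factory=list)

def decode(frame: bytes) -> Decoded:
    """Protocol analysis: decode Ethernet/IPv4/TCP and note header fields that contradict the frame."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    d = Decoded(".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20])))
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        d.anomalies.append("ipv4 length fields inconsistent with frame")
        return d
    if ip[9] == 6 and total_len - ihl >= 20:            # TCP with at least a full header present
        tcp = ip[ihl:total_len]
        d.sport, d.dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        if doff < 20 or doff > len(tcp):
            d.anomalies.append("tcp data offset out of range")
            return d
        if (tcp[13] & 0x03) == 0x03:                    # FIN (0x01) and SYN (0x02) set together
            d.anomalies.append("tcp SYN and FIN set together")
        d.payload = tcp[doff:]
    return d

SIGNATURES = {b"cmd.exe": "cmd.exe requested in http payload"}  # constructed; a real rule base is far larger
def analyze(frame: bytes) -> list:
    """Return warning messages for the response system; an empty list means nothing detected."""
    d = decode(frame)
    flow = f"{d.src}:{d.sport}->{d.dst}:{d.dport}"
    warnings = [f"{flow} {a}" for a in d.anomalies]
    warnings += [f"{flow} {name}" for sig, name in SIGNATURES.items() if sig in d.payload]  # pattern matching
    return warnings

def make_frame(src: str, dst: str, sport: int, dport: int, flags: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame as constructed sample input, not captured traffic."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
```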
Response system
The response system is an interactive system of people and things; it can be called the relay and coordination station of the whole system. The people are the system administrators and the things are all the other components. More specifically, the coordinator of the response system has a lot to do: record security events, generate alarm messages (such as e-mails), record additional logs, isolate intruders, terminate processes, block the attacker's ports and services in a preset manner, or even counterattack. Manual response and automatic (machine-based) response can both be adopted, and a combination of the two is better.
Response system design elements
(1) Receive event alarm information that originated in the event generation system and has been filtered, analyzed and reconstructed by the event analysis system, then interact with the user (administrator) for queries, rule judgements and management actions.
(2) Provide administrators with an interface for managing the event database system, through which they can modify the rule base, configure security policies for different network environments, and read from and write to the database.
(3) When acting on the front-end system, manage the event generation and analysis systems (collectively called event detectors), classify and filter the events they collect, detect and analyze, and re-order security rules according to the security situation.
Response systems and event detectors are typically implemented as applications.
Design idea: the response system can be divided into two program parts, listening and control. The listening part binds an idle port, receives the analysis results and other information sent by the event detector, and writes the stored files into the event database system, where the administrator can perform read-only, modification and special operations according to user permissions. The control part can use GTK+ to build a more intuitive graphical user interface, mainly to give users a more convenient and friendly way to browse warning information.
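An added example of the listening part described above (not the article's code): a loopback listener receives alert lines from a simulated event detector and stores the well-formed ones in the event database. The alert wire format is an assumption, and an in-memory sqlite3 database stands in for SQL Server 2000.

```python
import socket
import sqlite3
import threading

# sqlite3 (in-memory) stands in for the SQL Server 2000 event database the article proposes
def open_event_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, ts INTEGER, src TEXT, dst TEXT, msg TEXT)")
    return conn

def parse_alert(line: str):
    """Wire format assumed for detector alerts: 'ts|src|dst|message', one alert per line."""
    parts = line.rstrip("\r\n").split("|", 3)
    if len(parts) != 4 or not parts[0].isdigit():
        return None                     # malformed input from the detector is dropped, never stored
    return int(parts[0]), parts[1], parts[2], parts[3]

def store_alert(conn: sqlite3.Connection, line: str) -> bool:
    rec = parse_alert(line)
    if rec is not None:                 # parameterised insert, so alert text cannot alter the SQL
        with conn:
            conn.execute("INSERT INTO events (ts, src, dst, msg) VALUES (?, ?, ?, ?)", rec)
    return rec is not None

def serve_one_detector(conn: sqlite3.Connection, srv: socket.socket) -> int:
    """Listening part: accept one detector connection and store every well-formed alert line."""
    client, _ = srv.accept()
    stored = 0
    with client, client.makefile("r", encoding="utf-8", errors="replace") as lines:
        for line in lines:
            stored += store_alert(conn, line)
    return stored

def run_demo(alerts: bytes) -> int:
    """Bind a free loopback port, let a simulated detector send alerts, return rows in the database."""
    conn = open_event_db()
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks an idle port
    srv.listen(1)
    worker = threading.Thread(target=serve_one_detector, args=(conn, srv))
    worker.start()
    with socket.create_connection(srv.getsockname()) as detector:
        detector.sendall(alerts)        # closing the socket signals the end of the alert stream
    worker.join()
    srv.close()
    return conn.execute("SELECT COUNT(*) FROM events").fetchone()[0]

# Constructed alerts in the shape the event analysis system would emit (not real detector output)
SAMPLE_ALERTS = (b"1700000000|10.0.0.5|10.0.0.9|tcp SYN and FIN set together\n"
                 b"garbage line without separators\n"
                 b"1700000001|10.0.0.5|10.0.0.9|cmd.exe requested in http payload\n")
```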
Event database system
On the Windows platform, Access is easier to master, but building the database with SQL Server 2000 is more effective than Access and not hard to get started with. The main functions of this system are recording, storing and rearranging event information, which administrators can call up for viewing, attack review and forensics.
The structure of this system is relatively simple and only requires some basic functions of the database software.
To coordinate purposeful communication between components, each component must correctly understand the semantics of the data passed between them. The CIDF communication mechanism can be used as a reference to build a three-layer model. Pay attention to interoperability between the components to ensure security, efficiency and smooth operation.
Integration will continue in subsequent work, and the functions of each component will keep being improved. With that, a basic IDS framework on the Windows platform is complete. If your network conditions permit, try making your own; there is an indescribable sweetness after the hard work.