First, the urgency of carrying out intrusion detection technology
All security threats are likely to use attack, intrusion, penetration, influence, control and destruction of networks and online information systems as an important means. Monitoring and auditing damaging online activity is therefore a prerequisite for prevention, and an important and indispensable part of building an information security environment.
A number of countries have already deployed early warning systems and intrusion detection technology to monitor illegal intrusion in important political, military and economic networks. In protecting the security of information networks, these technical means play an important role in detecting the signs of an intrusion early. To improve the protection of its information systems, China should fill this gap as soon as possible.
Second, the diversity of detection objects
Network intrusion events are launched by different kinds of individuals or organizations, with different purposes, using different techniques, from different locations and at different times, against different targets. The many combinations of these differences constitute the diversity of the detection object.
Research on intrusion detection and early warning technology should at least meet the following multi-level objectives:
1. Make a comprehensive, systematic assessment of the security situation of, and the threats to, the information infrastructure (including the source and level of each threat).
2. Taking the source of the threat as the object, compile statistics on, analyse and audit its actions, intentions, and the scope and extent of the threat, in chronological order.
3. Identify, track, record, classify and raise alarms about malicious code and illegal operations originating from external networks.
4. Provide technical support for the recovery of damaged networks and information systems.
Third, the complexity of early warning
Since attacks on networks are a series of very complex behaviours, and premeditated, organized network intrusions in particular exist, effective early warning is technically quite complex and involves a certain degree of difficulty.
The complexity of early warning lies in:
identification of the source;
determination of the intent;
judgement of the extent of harm, actual and potential;
tracking of network technology;
software design;
hardware adaptability.
According to our research, the following three problems must be addressed.
1. Intrusion technology is constantly developing
Early warning technology for network attacks takes network technology as its basis and enhances detection capability by tracking intrusion technology. Intrusion methods involve every aspect of operating system vulnerability, such as system design defects, code defects, defects in system configuration, deficiencies in operation and management, and even back doors reserved in the system. A large number of hacker sites on the Internet publish a large amount of vulnerability information and attack methods. Hackers around the world can use these shared resources to research and disseminate attacks, so that a new attack method can quickly become a real intrusion weapon. More worrying is organized activity: abroad, the means of information warfare have been placed side by side with nuclear, chemical and biological weapons and are discussed as a strategic deterrent, and the capability of such disruptors remains a great unknown to us.
The development of intrusion technology causes great difficulty for early warning, especially for early warning systems based on intrusion pattern recognition. It is difficult to know all possible intrusion methods in advance, so an effective early warning system needs not only to identify known intrusion patterns but also to have the ability to deal with unknown ones. Network early warning technology that merely follows identified intrusion patterns can of course greatly enhance network security, but this is not the only direction of development. Network intrusion detection technology will be more effective if it monitors from two perspectives: abnormal activity and normal activity. At the same time, an early warning system should have learning ability and intelligence, so that it can correct false alarms and missed alarms and improve the accuracy of early warning.
2. Intrusions can have a large time span and spatial span
Premeditated intrusion activities are often carefully planned, tested and technically prepared; the various steps of an intrusion may be completed over a relatively long time span and across a large span of space, which makes early warning difficult. A detection model always has a limited time window, so facts that slide out of the time window are overlooked. Likewise, a detection model's ability to synthesize and associate anomalies occurring across a large space is also limited.
3. There is still no effective recognition model for nonlinear characteristics
The difficulty of intrusion detection technology lies not merely in extracting intrusion patterns, but also in the strategy, models and algorithms of intrusion detection. This is because the intrusion model is a static thing, while actual intrusion activity is flexible. An effective intrusion detection model should be able to accept a large enough time span and spatial span. Technically, intrusion technology has developed to a certain stage, while in both theory and practice a model for intrusion detection technology has not yet really developed. The intrusion detection systems on the market can also be seen to be at the same level. In our analysis, the advanced intrusion detection systems configured in important national networks should not be at this level of technology, or else they are also seeking other, more effective means of detection.
Faced with complex network intrusions, research on network early warning technology includes not only research on intrusion technology, but must place more emphasis on building intrusion detection strategy and model theory.
Fourth, the main contents of early warning research
The contents of network early warning technology include research on network intrusion technology, on detection models, and on audit strategy. Combining these technologies forms an organism that develops as a whole.
1. Intrusion technology
Intrusion technology consists of three parts:
First, closely follow the development of international intrusion technology and constantly acquire the latest attack methods. By analysing known attack methods, enrich the detection capability of the early warning system.
Second, strengthen and use the audit, tracking and on-site recording of the early warning system, recording and feeding back instances of unusual events. Extracting features from instances of suspicious network activity expands the system's detection range and enables the system to cope with unknown intrusions.
Third, use attack technology research to create new intrusion methods and apply them to detection technology.
2. Detection model
For an early warning system, determining the detection model is the most important thing. Because of the complexity of intrusions, understanding intrusion methods alone is not enough to achieve early warning; there must be an appropriate detection model working in coordination with it. In early warning technology research, the intrusion detection model is one of the key technologies.
By means of detection, intrusion detection models can be divided into two kinds: network-based and system-based. The network-based model finds activity with network attack characteristics through real-time monitoring of data streams; the system-based model detects suspicious activity by analysing the system's audit data. The two models are complementary: the network-based model can objectively reflect network activity and, in particular, monitor the blind spots of system auditing, while the system-based model can more accurately monitor the various activities within the system. The network-based model is restricted by switched networks, while the system-based model is not.
By detection strategy, intrusion detection models can be divided into two types: models based on anomaly features and models based on normal features. The anomaly-feature model is built on a library of known intrusion patterns, while the normal-feature model is built on the system's normal operating mode. The latter type of model consists of two aspects: first, establishing the characteristics of normal user and system behaviour, and second, observing whether differences exist between actual system and user activity and the established normal behaviour.
Again, these two models are complementary. The anomaly-feature model can accurately detect known intrusions with a low false alarm rate; and for a given application environment, the normal-feature model will have a fairly accurate picture of the system's normal operating mode, so that any activity deviating from the normal pattern, including some unknown intrusion activity, can be detected.
3. Audit analysis strategy
Another focus of early warning technology research is the analysis and processing of audit data, including identifying the source of a threat, determining its intent, and judging the extent of damage. The audit data generated by early warning detection is a valuable resource for early warning. The amount of audit data can be large; without effective analytical tools, this resource will be wasted.
In the 21st century the information infrastructure is the foundation and stage of social activity, and in the foreseeable period it is not possible to eliminate bad behaviour against the information infrastructure completely. Strengthening management, combined with the necessary technical means, is one way to solve the problem.